open-appsec is an open-source fully automated Web Application & API Security solution. It is powered by a machine learning engine which continuously analyzes users' HTTP/S requests as they visit the website or API.

The analysis includes the application structure and how users interact with the content in order to identify patterns and automatically stop and block malicious requests and bad actors.

open-appsec provides pre-emptive threat protection against OWASP Top-10- and zero-day attacks. Thanks to machine learning, there is no threat signature upkeep and exception handling, like common in many WAF solutions.

It can be deployed as add-on to Kubernetes Ingress Controller, NGINX and Kong API Gateway (Envoy support soon as well) on many platforms.

The project GitHub is available here.

Main features of open-appsec

• Machine Learning-based Application Firewall - stop application layer attacks including OWASP Top 10 with very minimal tuning and no false positives. Pre-emptive (no software updates) protection for zero-days such as Log4Shell and Spring4Shell.

• API Security

  • stop malicious API access and abuse

  • and enforce API schema (Premium Edition)

• Bot Prevention - Identify and stop automated attacks before they negatively impact the bottom line or customer experience (Premium Edition)

• Intrusion Prevention -

  • Full IPS Engine with support for custom Snort 3.0 signatures.

  • Protections for over 2,800 WEB CVEs, based on Check Point award winning NSS-Certified IPS (Premium Edition)

• File Security - Prevent malicious files from being uploaded into web apps and APIs servers. The engine scans the HTTP traffic analyses any files uploaded and consults a huge cloud repository as to the file's reputation (Premium Edition)

• Rate Limiting - Safeguard your websites and API by setting a cap on how many requests. can be made within a certain period, based on identifiers such as IP address (Community Editions) or keys within JWT, cookies or headers (Premium Edition) [Coming soon]

• HTTPS Traffic inspection - SSL certificate and private keys can be stored locally or in public cloud secrets storage (AWS/Azure)

• Integration into modern environments and workloads (public cloud & Kubernetes) and CI/CD workflows, supporting NGINX Ingress Controller, NGINX and Kong Gateway on Kubernetes, Linux Servers and Containers (Docker).

• Ease of ongoing management and maintenance – Enterprise Grade SaaS Web UI, GraphQL API and Infrastructure-as-code using Terraform