Background
Open-source has enabled the tech industry to creatively use, build, connect and innovate. Can you imagine a modern tech stack without open-source projects like Linux, Kubernetes, Kafka, Python, NodeJS, ElasticSearch, NGINX, Redis, MySQL, Mongo and numerous others?
In November 2002 Ivan Ristić, an English engineer, released a module for monitoring application traffic for the Apache HTTP Server, known as ModSecurity or ModSec. A few years later the module was released under an open-source license, and together with the OWASP Core Rule Set (CRS), a set of signatures for detecting web exploits (started by Ofer Shezaf and maintained today by OWASP volunteers), it became the cornerstone of the entire WAF industry.
In 2022, many companies, including Imperva, AWS, Microsoft, Cloudflare, Akamai, NGINX and others, provide WAF products based on the open-source ModSec concepts, signature-based technology and code.
Signature-based solutions are well proven, but they are reactive by nature: signatures often aren't available until a vulnerability has been known for some time and exploits are already in circulation. Because of this, they do not provide a good enough response to modern, fast-spreading attacks. From an operational perspective they require constant tuning and exception handling to avoid false positives.
open-appsec
open-appsec is a new open-source initiative that builds on machine learning to provide enterprise web application and API security with the visibility, protection and manageability that is required by modern workloads. For DevOps/DevSecOps and AppSec teams, open-appsec:
protects web applications and APIs preemptively against OWASP Top 10 and zero-day attacks using machine learning, with no threat signature upkeep
blocks attacks such as Log4Shell, Spring4Shell and Text4Shell with default settings and no updates required, due to its preemptive nature
delivers precise threat prevention through continuous learning, finding attacks while eliminating the manual tuning and exception creation inherent to traditional WAFs
can be deployed as an add-on to Kubernetes Ingress, NGINX, Envoy and API Gateways, and provides CI/CD-friendly deployment and automation - from installation to upgrades to configuration - using declarative infrastructure-as-code or APIs
Source Code is now available!
We are very pleased to announce that the open-appsec code is now available on GitHub. Thanks to all of you who expressed interest in this!
Security products, and especially open-source ones, must be very well tested. Preparation of the open-appsec code for publication included multiple human reviews by our experts, as well as static analysis and a rigorous human-based security review performed by an independent third party (LEXFO), which rated the security as “Excellent”.
LEXFO noted that the code is easy to read and understand, and that it can be compiled with standard compilation tools without any trouble, which made it easier to understand the behavior of the program and enabled the use of code analysis tools. You can read the full report here.
The open-appsec project also has an Open Source Security Foundation (OpenSSF) Best Practices Badge, indicating that the project meets standards of Security, Analysis, Quality, Reporting and Change Control.
Licensing
The open-appsec code is published under the Apache License 2.0, including a Basic Machine Learning model which is recommended for testing and monitor-only (detect) environments.
For best accuracy in production environments, we recommend using the Advanced Machine Learning Model, which is available for download from https://my.openappsec.io (User Menu->Download advanced ML model). This model is updated from time to time, and you will get an email when these updates happen. The advanced ML model is open source and available under the Machine Learning Model license (the license text is included in the tar archive).
Feedback and Contribution
We are still in beta and are eager to hear your feedback about the product and the code. Please use the community page at https://openappsec.io/community.
The open-appsec contribution policy is available on GitHub.
We hope that by adopting a high standard of testing and visibility into security issues we can help set a high standard for the security community, especially around open-source.
We extend our sincere appreciation again to those of you who took time early on to review this project and improve it. This is what makes the open-source community so powerful.