Merge pull request #55 from f5devcentral/alfredo
Fix and Inventory
MattDierick authored Apr 22, 2024
2 parents 8ae3287 + 544ad4f commit da72985
Showing 11 changed files with 94 additions and 14 deletions.
Binary file modified docs/class4/module2/.DS_Store
Binary file not shown.
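Review bot: docs/class4/module2/.DS_Store is a macOS Finder metadata file and should not be tracked in the repository; drop it from this commit (`git rm --cached docs/class4/module2/.DS_Store`) and add `.DS_Store` to the repo's `.gitignore` so it is not re-added by future doc updates.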
35 changes: 21 additions & 14 deletions docs/class4/module2/lab3/lab3.rst
Expand Up @@ -10,11 +10,9 @@ Endpoint Discovery

* Goto Web App & API Protection > Overview > Security > Dashboard
* Click on your Application Load Balancer
* Click on ``API Endpoints``
* Click on ``API Endpoints`` to see the endpoints in the the "Table" view.

You can see the ``Graph`` page with the Octopus :) It represents what is known and what is seen.

.. image:: ../pictures/octopus.png
.. image:: ../pictures/api-endpoints-table.png
:align: left
:scale: 50%

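Review bot: the rewritten ``API Endpoints`` bullet has a doubled word, "in the the "Table" view"; suggest `* Click on ``API Endpoints`` to see the endpoints in the ``Table`` view.`, which also keeps the double-backtick literal style already used in the same line. Because this hunk removes the sentence introducing the ``Graph`` page and swaps octopus.png for api-endpoints-table.png, check that the text that follows no longer assumes the reader has already seen the graph view.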
Expand All @@ -27,11 +25,15 @@ On the top left corner, there are 3 important elements:

* In our lab, there are 3 endpoints know (adjectives, animals, locations)

* **Discovered** : What the F5 XC platform is seeing at the moment (Known and Unknown endpoints)
* **Discovered** : What the F5 XC platform is sees from traffic (Known and Unknown endpoints)
* **Shadow** : What is ``Discovered`` but **NOT PART** of the ``Inventory``

You can filter on ``Shadow`` only for instance. You can see the ``/colors`` as a Shadow API.

.. image:: ../pictures/shadow.png
:align: left
:scale: 50%

Go deeper into the discovery
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

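Review bot: the changed **Discovered** bullet reads "What the F5 XC platform is sees from traffic", which is ungrammatical; suggest `* **Discovered** : What the F5 XC platform sees in live traffic (Known and Unknown endpoints)`. The unchanged context line just above has "3 endpoints know", which should be "known". Since **Shadow** (discovered but not in the inventory) is the finding trainees are asked to filter on next, keep the three terms consistently literal-quoted the way ``Discovered`` and ``Inventory`` already are.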
Expand All @@ -42,7 +44,7 @@ Go deeper into the discovery

* **Rate Limiting** : if you want to Rate Limit this endpoint because SecOps don't have the full power and don't want to break the app.

* Click on the ``Discovered`` tab and navigate into the sub-menus. You will see all the details discovered by the platform. We will go in details in some of them in few minutes.
* Click on the ``Discovered`` tab and navigate into the sub-menus. You will see all the details discovered by the platform.

.. image:: ../pictures/discovered.png
:align: left
Expand All @@ -52,23 +54,28 @@ Go deeper into the discovery
PII Discovery
-------------

* Switch to the ``Table`` view, instead of the ``Graph`` view
* You can see more information in this screen, such as PII
* Click on an endpoint with PII deteted, such as French SSN
* Click on the ``/animals`` API endpoint. A pop-up will appear on the right side of the screen.

.. image:: ../pictures/pii-1.png
:align: left
:scale: 50%

* Click on ``Discovered`` tab and check the PII detected (request and response)
* Click on the ``Discovered`` tab to show discovered sensitive data for requests and responses.

.. image:: ../pictures/pii-2.png
:align: left
:scale: 50%

.. warning:: I anticipate a question : Can we hide those PII in the response. Currently, only Dataguard can do it, but not with Custom PII. This feature is in the roadmap. OWASP Top 10 does not require to ``hide`` sensitive datas.
.. warning:: Dataguard can obfuscate sensitive PII data in the response but currently not for custom created PII configurations. This feature is in the roadmap. OWASP Top 10 does not require to ``hide`` sensitive data.


Click on the ``Graph`` tab to show the API endpoints in a different view.

.. image:: ../pictures/octopus.png
:align: left
:scale: 50%


Authentication Discovery
------------------------

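Review bot: the new admonition is informational rather than a hazard, so `.. warning::` is the wrong directive; use `.. note::` and date the roadmap statement (for example "as of April 2024, Dataguard can obfuscate ...") so it does not silently go stale in the lab text. The point worth making explicit to trainees is that discovery of custom PII is visibility only: the value still leaves in the response body, so the finding should drive a ticket to the application team rather than be read as a mitigation. Minor: the replaced bullet no longer says what PII the reader should look for on ``/animals``; either name the type shown in pii-1.png or write "an endpoint flagged with PII".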
Expand All @@ -79,7 +86,7 @@ Authentication Discovery
:align: left
:scale: 50%

* You can notice the information collected from the OpenAPI Spec, and also the information discovered. If both don't match, a Security Posture is raised.
* Notice that the auth information collected from the OpenAPI Spec file differs from the discovered auth information. If both don't match, a "Security Posture" is raised.

.. image:: ../pictures/basic-auth.png
:align: left
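Review bot: the rewritten bullet first asserts that the two auth values differ and then says "If both don't match", which is redundant; suggest `* Compare the authentication type declared in the OpenAPI Spec file with the one discovered in traffic. When they do not match, a ``Security Posture`` finding is raised.` Using ``Security Posture`` instead of straight double quotes matches the rst literal style used elsewhere in the file.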
Expand All @@ -96,6 +103,6 @@ AI/ML Security Posture
:align: left
:scale: 50%

* You can click on the ``Evidence`` link to get more details about the logs who generated this security posture.
* Click on the ``Evidence`` link to get more details about the logs who generated this security posture.

.. note:: Congratulation, your application is now protected by a modern engine enforcing (validating) what is provided by the developpers, but also providing visibility for unkown traffic
.. note:: Congratulation, your application is now protected by a modern engine enforcing (validating) what is provided by the developpers, but also providing visibility for unkown traffic.
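Review bot: the edited lines still carry typos this pass should fix: "logs who generated" should be "logs that generated", and the closing note should read "Congratulations", "developers" and "unknown". Suggest `.. note:: Congratulations, your application is now protected by a modern engine enforcing (validating) what is provided by the developers, while also providing visibility into unknown traffic.`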
73 changes: 73 additions & 0 deletions docs/class4/module2/lab4/lab4.rst
Expand Up @@ -6,3 +6,76 @@ API Inventory Management is a feature designed to enhance your API ecosystem by
It allows for easy managing of discovered APIs, marking of non-API discoveries, removal of outdated endpoints, and seamless updates to API schemas.
This tool keeps your API inventory organized, current, and secure, catering to your dynamic requirements.

Add Shadow API into the Inventory
---------------------------------

In the previous lab, we discoverd /api/colors as a ``shadow API``. DevOps already opened a ServiceNow ticket with SecOps to provide with the new OpenAPI Spec file including /colors.
But SecOps are in late in their ticketing queue, and they haven't yet seen this ticket. But they must take a decision about this endpoint.

SecOps can block the request with an API Protection rule. We have seen in ``Static API Protection`` lab how to create it. FYI, there is a shortcut directly into the API EndPoint screen.

**Don't block it now, it is a legitimate endpoint.**

.. image:: ../pictures/protection-rule-colors.png
:align: left
:scale: 50%



We will not block it, SecOps had the information from a side channel this endpoint is part of the application updated yesterday night.

We need to add this endpoint into the inventory (the OpenAPI Spec), but we will not update the Spec File as the source if truth are the DevOps. Instead, we will add the endpoint into the ``Inclusion List``.

.. note::

The make it simple, the inventory = OpenAPI File + Inclusion List

Add Colors shadow API into the Inventory (inclusion list)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Click on the dot (...) at the right of the /api/colors endpoint

* Click on ``Move to Inventory``

.. image:: ../pictures/move-to-inventory.png
:align: left
:scale: 50%

* A warning message will confirm the add

.. image:: ../pictures/warning-inventory.png
:align: left
:scale: 50%

* Click ``Move to Inventory``

* Now, you can see ``/api/colors`` is not a Shadow API anymore, but part of Inventory

.. image:: ../pictures/moved-inventory.png
:align: left
:scale: 50%

How to find all endpoints added into the Inventory (inclusion list) ?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

As we said, endpoints are not added into the OAS spec file because this file is maintenained by AppDev/DevOps. Instead, we create an ``Inventory Inclusion List``

* Go to API Management > Edit your API Definition

* You can see an API Inventory Inclusion List

.. image:: ../pictures/oas-inclusion-list.png
:align: left
:scale: 50%

* Click on ``Edit Configuration`` to see the content

.. image:: ../pictures/inclusion-list.png
:align: left
:scale: 50%

.. note::

When AppDev/DevOps will push a new version of the OpenAPI Spec file to F5XC, a new version of the file will be available for the SecOps. SecOps will update the definition with this new file (let's say v2)
If this version includes ``/api/colors``, the entry into the Inventory Inclusion List will not be taken in account. OAS spec file takes precedence on Inventory Inclusion List.

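Review bot: the shadow endpoint is called ``/colors`` in lab3 but ``/api/colors`` (and once plain "/colors") in this new lab; pick one path and use it everywhere, otherwise trainees who filtered on Shadow in the previous step will not find the endpoint this lab asks them to move. Several sentences in the new text need cleanup: "discoverd" should be "discovered", "SecOps are in late in their ticketing queue" should be "SecOps are behind in their ticketing queue", "the source if truth are the DevOps" should be "the source of truth is DevOps", "The make it simple" should be "To make it simple", "maintenained" should be "maintained", "taken in account" should be "taken into account", and "takes precedence on" should be "takes precedence over". The run-on "SecOps had the information from a side channel this endpoint is part of the application updated yesterday night" reads better as "SecOps learned through a side channel that this endpoint is part of the application release deployed last night". The bold "Don't block it now" also appears before its reason is given; moving the side-channel sentence up next to the protection-rule shortcut would make the decision flow clearer. Finally, the closing note carries the security-relevant rule (when the next OAS version already contains the endpoint, the inclusion-list entry is ignored), so consider stating explicitly that the Inventory Inclusion List is a temporary SecOps override, not a second source of truth.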
Binary file added docs/class4/module2/pictures/inclusion-list.png
Binary file added docs/class4/module2/pictures/moved-inventory.png
Binary file added docs/class4/module2/pictures/shadow.png

0 comments on commit da72985
