From cc8e46e6bce6ed3ec24e7d7a09d1d5240c743036 Mon Sep 17 00:00:00 2001 From: Matt Date: Wed, 2 Oct 2024 16:52:50 +0200 Subject: [PATCH] change-lab-order --- docs/class4/module2/.DS_Store | Bin 8196 -> 8196 bytes docs/class4/module2/lab1.5/lab1.5.rst | 28 ----- docs/class4/module2/lab2.5/lab2.5.rst | 3 - docs/class4/module2/lab2/lab2.rst | 115 ++++---------------- docs/class4/module2/lab3/lab3.rst | 144 ++++++++++++-------------- docs/class4/module2/lab4/lab4.rst | 79 +------------- docs/class4/module2/lab5/lab5.rst | 111 ++++++++++++++++++++ docs/class4/module2/lab6/lab6.rst | 78 ++++++++++++++ 8 files changed, 279 insertions(+), 279 deletions(-) delete mode 100644 docs/class4/module2/lab1.5/lab1.5.rst delete mode 100644 docs/class4/module2/lab2.5/lab2.5.rst create mode 100644 docs/class4/module2/lab5/lab5.rst create mode 100644 docs/class4/module2/lab6/lab6.rst diff --git a/docs/class4/module2/.DS_Store b/docs/class4/module2/.DS_Store index c99f0d69ac7f8280e2ccd4c7bed723ab5a72ce84..9f91c3c0a72ddcf2db4a05ec9a0323e7a6859711 100644 GIT binary patch delta 303 zcmZp1XmQxUA}D8Kxrt&lr~9RWU`M4x7=pzHp+W= zdU^Z!ZY~vBh|{(`sy7(#GCo7I$q&^g#_yBFKW=81_{K7MzM#xzK2Z+J&3gv`@QX4C delta 301 zcmZp1XmQxUA}D8^RFIQdTw-8wi;;<$g_Vt+gOiJ!n^z(%JS-wIYI1|f%+0$6%Ne;D zpg`F{YqFd0jRa>VABYGOBUC0DrUWV;3#2(13K%jOk{L=EN*Rh6QW=VKipvU;a`KZH z7?@UIw^`o9)5FW#XLEzdLUdc5CYOs API Management > Code Base Ingration -* Add a new code base integration profile - - * Name: ``github-sentence`` - * Code base: ``Github Integration`` - * Github Name: ``f5xclab`` - * GitHub Personal Access Token: paste and blindfold below Token - - .. code-block:: bash - - sdlkjflksdjglkdfshglkjdflgjldksfgjlksd - - -.. image:: ../pictures/code-based-repo.png - :align: left - -* Save diff --git a/docs/class4/module2/lab2.5/lab2.5.rst b/docs/class4/module2/lab2.5/lab2.5.rst deleted file mode 100644 index 8964a9f..0000000 --- a/docs/class4/module2/lab2.5/lab2.5.rst +++ /dev/null @@ -1,3 +0,0 @@ -Enable API on-premises discovery (under construction) -====================================================== - diff --git a/docs/class4/module2/lab2/lab2.rst b/docs/class4/module2/lab2/lab2.rst index e3b8d25..caba69c 100644 --- a/docs/class4/module2/lab2/lab2.rst +++ b/docs/class4/module2/lab2/lab2.rst @@ -1,105 +1,28 @@ -Enable API traffic discovery -============================ +Enable API code scanning discovery (under construction) +======================================================= -In the previous section, we enabled ``API Validation`` in order to enforce protection on ``what we know`` from the OpenAPI Spec file. -But we kept the ``Fall Through Mode`` to ``Allow`` so that we do not break the application or impact business down when DevOps push a new version of the API, but SecOps are not ready or up to date. +F5 Solutions can protect API during the full API Develoment Lifecycle. It means F5 can detect and learn API endpoints when developers push the code into the repository. +This is call **API Code Scanning Discovery** -The ``API Discovery`` will provide visility for SecOps in order to see this ``Drift``. This Drift is the difference between ``what we know`` and ``what we see / what is consumed`` +The sentence application source code is available into our public Github repository : https://github.com/MattDierick/sentence-source-code -.. image:: ../pictures/slide-api-discovery.png - :align: center - :scale: 40% +Enable Code Base Integration +---------------------------- -But OWASP Top10 requires also to provide visibility on PII (Personal Identifiable Information) in order to avoid Data Leakage. To do so, we will enable ``Sensitive Data Disvovery`` +* Goto Web App & API Protection > API Management > Code Base Ingration +* Add a new code base integration profile -Enable API Endpoint Discovery ------------------------------ + * Name: ``github-sentence`` + * Code base: ``Github Integration`` + * Github Name: ``f5xclab`` + * GitHub Personal Access Token: paste and blindfold below Token -* Edit your Load Balancer again, go to API Protection and enable ``API Discovery`` (keep the default settings) + .. code-block:: bash + + sdlkjflksdjglkdfshglkjdflgjldksfgjlksd -.. image:: ../pictures/enable-api-discovery.png - :align: left - :scale: 40% - -Enable Sensitive Data Discovery -------------------------------- - -OWASP Top10 API requires to detect and discover sensitive datas in Requests and Responses. F5 Distributed Cloud supports this and provides a predefined list (+400) of known PII (Personal Identifiable Information), such as: - -* email -* credit card number -* US Social Security Number -* IP address - -.. note:: By default, a list is already assigned to the Load Balancer - - .. image:: ../pictures/default-pii.png - :align: left - :scale: 50% - - -But if you want to detect your own PII, such as: - -* Country Social Security Number -* Mobile Phone Number -* Etc ... - -You must create your own patterns. - -Create custom Sensitive Data Discovery -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* In Sensitive Data Discovery, select ``Custom`` -* Add a new item - - * Give a name: custom-frenchies - * Select the Compliance Frameworks required for this API Application. We select ``PCI-DSS`` ``GDPR`` - -.. note:: By selecting PCI-DSS and GDPR, all data patterns classified as PCI-DSS and GDPR will be added. -* But now, we want to add custom patterns to detect frenchy sensitive datas -* Configure ``Defined Custom Sensitive Data Types``, and add 2 items - - * Name: ``france-ssn`` - - * Data Type Rules: - - * Value Pattern - * Regex Value : ``[12][0-9]{2}(0[1-9]|1[0-2])(2[AB]|[0-9]{2})[0-9]{3}[0-9]{3}([0-9]{2})`` - - * Mark as Sensitive Data - * Mark as PII - * Relevant Compliance: ``GDPR`` - - .. image:: ../pictures/pii-ssn.png - :align: left - :scale: 50% - - - * Name: ``france-mobile-phone`` - - * Data Type Rules: - - * Value Pattern - * Regex Value : ``^(?:(?:\+|00)33|0)\s*[1-9](?:[\s.-]*\d{2}){4}$`` - - * Mark as Sensitive Data - * Mark as PII - * Relevant Compliance: ``GDPR`` - -* Apply and Save your LB config - - -Run the traffic generator script --------------------------------- - -It is time to run a traffic generator script to populate the logs and the AI/ML engines. - -* SSH or WEBSSH to the Jumphost -* Run this script into /home/ubuntu/api-protection-lab folder - -.. code-block:: none - - cd /home/ubuntu/api-protection-lab - bash api-all.sh sentence-re-$$makeId$$.workshop.emea.f5se.com +.. image:: ../pictures/code-based-repo.png + :align: left +* Save diff --git a/docs/class4/module2/lab3/lab3.rst b/docs/class4/module2/lab3/lab3.rst index c89a442..e3b8d25 100644 --- a/docs/class4/module2/lab3/lab3.rst +++ b/docs/class4/module2/lab3/lab3.rst @@ -1,111 +1,105 @@ -API Discovery outcomes -====================== +Enable API traffic discovery +============================ -.. note:: The "traffic discovery" scheduler runs on a random interval within a two hours time window and therefore it can take up to 2 hours (maximum) to see all results in the Dashboard for the "API Discovery outcomes" lab section. You can also continue with the next lab "Advanced Protection - "JWT validation and access control" (module 3) and continue here later. +In the previous section, we enabled ``API Validation`` in order to enforce protection on ``what we know`` from the OpenAPI Spec file. +But we kept the ``Fall Through Mode`` to ``Allow`` so that we do not break the application or impact business down when DevOps push a new version of the API, but SecOps are not ready or up to date. -Endpoint Discovery ------------------- +The ``API Discovery`` will provide visility for SecOps in order to see this ``Drift``. This Drift is the difference between ``what we know`` and ``what we see / what is consumed`` -* Goto Web App & API Protection > Overview > Security > Dashboard -* Click on your Application Load Balancer -* Click on ``API Endpoints`` to see the endpoints in the the "Table" view. +.. image:: ../pictures/slide-api-discovery.png + :align: center + :scale: 40% -.. image:: ../pictures/api-endpoints-table.png - :align: left - :scale: 50% - -Understand the API Discovery elements -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -On the top left corner, there are 3 important elements: - -* **Inventory** : Endpoints known from the OpenAPI Spec file - - * In our lab, there are 3 endpoints know (adjectives, animals, locations) +But OWASP Top10 requires also to provide visibility on PII (Personal Identifiable Information) in order to avoid Data Leakage. To do so, we will enable ``Sensitive Data Disvovery`` -* **Discovered** : Endpoints that the XC platform has discovered/learned from live traffic (known and unknown endpoints) -* **Shadow** : Endpoints that have been ``Discovered`` but are **NOT PART** of the ``Inventory`` +Enable API Endpoint Discovery +----------------------------- -You can filter on ``Shadow`` only to show the ``/colors`` endpoint as a Shadow API. +* Edit your Load Balancer again, go to API Protection and enable ``API Discovery`` (keep the default settings) -.. image:: ../pictures/shadow.png +.. image:: ../pictures/enable-api-discovery.png :align: left - :scale: 50% + :scale: 40% -Go deeper into the discovery -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Enable Sensitive Data Discovery +------------------------------- -* Click on the ``/colors`` shadow API endpoint. A pop-up will appear on the right side of the screen. -* You can see on the top right corner, 2 actions +OWASP Top10 API requires to detect and discover sensitive datas in Requests and Responses. F5 Distributed Cloud supports this and provides a predefined list (+400) of known PII (Personal Identifiable Information), such as: - * **API Protection rule** : if you want to block this endpoint. Let's say SecOps have this power to block unknown endpoints. +* email +* credit card number +* US Social Security Number +* IP address - * **Rate Limiting** : if you want to Rate Limit this endpoint because SecOps don't have the full power and don't want to break the app. +.. note:: By default, a list is already assigned to the Load Balancer -* Click on the ``Discovered`` tab and navigate into the sub-menus. You will see all the details discovered by the platform. + .. image:: ../pictures/default-pii.png + :align: left + :scale: 50% -.. image:: ../pictures/discovered.png - :align: left - :scale: 50% +But if you want to detect your own PII, such as: -PII Discovery -------------- +* Country Social Security Number +* Mobile Phone Number +* Etc ... -* Click on the ``/animals`` API endpoint. A pop-up will appear on the right side of the screen. +You must create your own patterns. - .. image:: ../pictures/pii-1.png - :align: left - :scale: 50% +Create custom Sensitive Data Discovery +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* Click on the ``Discovered`` tab to show discovered sensitive data for requests and responses. +* In Sensitive Data Discovery, select ``Custom`` +* Add a new item - .. image:: ../pictures/pii-2.png - :align: left - :scale: 50% + * Give a name: custom-frenchies + * Select the Compliance Frameworks required for this API Application. We select ``PCI-DSS`` ``GDPR`` -.. warning:: Dataguard can obfuscate sensitive PII data in the response but currently not for custom created PII configurations. This feature is in the roadmap. OWASP Top 10 does not require to ``hide`` sensitive data. +.. note:: By selecting PCI-DSS and GDPR, all data patterns classified as PCI-DSS and GDPR will be added. +* But now, we want to add custom patterns to detect frenchy sensitive datas +* Configure ``Defined Custom Sensitive Data Types``, and add 2 items -Click on the ``Graph`` tab to show the API endpoints in a different view. + * Name: ``france-ssn`` + + * Data Type Rules: + + * Value Pattern + * Regex Value : ``[12][0-9]{2}(0[1-9]|1[0-2])(2[AB]|[0-9]{2})[0-9]{3}[0-9]{3}([0-9]{2})`` -.. image:: ../pictures/octopus.png - :align: left - :scale: 50% + * Mark as Sensitive Data + * Mark as PII + * Relevant Compliance: ``GDPR`` - -Authentication Discovery ------------------------- + .. image:: ../pictures/pii-ssn.png + :align: left + :scale: 50% -* Click on an endpoint with an ``Authenticated`` state, like **/api/locations** - .. image:: ../pictures/authenticated-endpoint.png - :align: left - :scale: 50% + * Name: ``france-mobile-phone`` + + * Data Type Rules: + + * Value Pattern + * Regex Value : ``^(?:(?:\+|00)33|0)\s*[1-9](?:[\s.-]*\d{2}){4}$`` -* Click on ``Discovered`` tab and check the Authentication details + * Mark as Sensitive Data + * Mark as PII + * Relevant Compliance: ``GDPR`` - .. image:: ../pictures/auth-discovery-new.png - :align: left - :scale: 50% +* Apply and Save your LB config -* Notice that the auth information collected from the OpenAPI Spec file differs from the discovered auth information. If both don't match, a "Security Posture" is raised. - .. image:: ../pictures/basic-auth.png - :align: left - :scale: 50% +Run the traffic generator script +-------------------------------- -AI/ML Security Posture ----------------------- +It is time to run a traffic generator script to populate the logs and the AI/ML engines. -* Click on an endpoint with the highest ``Risk Score`` -* And click on the ``Security Posture`` tab -* Review the recommandations done by the AI/ML engine +* SSH or WEBSSH to the Jumphost +* Run this script into /home/ubuntu/api-protection-lab folder -.. image:: ../pictures/security-posture.png - :align: left - :scale: 50% +.. code-block:: none -* Click on the ``Evidence`` link to get more details about the logs who generated this security posture. + cd /home/ubuntu/api-protection-lab + bash api-all.sh sentence-re-$$makeId$$.workshop.emea.f5se.com -.. note:: Congratulation, your application is now protected by a modern engine enforcing (validating) what is provided by the developers, but also providing visibility for unkown traffic. \ No newline at end of file diff --git a/docs/class4/module2/lab4/lab4.rst b/docs/class4/module2/lab4/lab4.rst index 02ae172..8964a9f 100644 --- a/docs/class4/module2/lab4/lab4.rst +++ b/docs/class4/module2/lab4/lab4.rst @@ -1,78 +1,3 @@ -API Inventory Management -======================== - -API Inventory Management is a feature designed to enhance your API ecosystem by simplifying the management of your API inventory. - -It allows easy management of discovered APIs, marking of non-API discoveries, removal of outdated endpoints, and seamless updates for API schemas. -This tool keeps your API inventory organized, current, and secure, catering to your dynamic requirements. - -Add Shadow API into the Inventory ---------------------------------- - -In the previous lab, we discoverd /api/colors as a ``shadow API``. DevOps already opened a ServiceNow ticket with SecOps to provide the new OpenAPI Spec file including /colors. -But SecOps are late in their ticketing queue, and they haven't seen this ticket yet but they must take a decision about this endpoint. - -SecOps can block the request with an API Protection rule. We covered how to create it in the ``Static API Protection`` lab. FYI, there is a shortcut directly into the API EndPoint screen as shown in the screenshot below. -**Don't block it now, it is a legitimate endpoint.** - -.. image:: ../pictures/protection-rule-colors.png - :align: left - :scale: 50% - - - -We will not block it, SecOps had the information from a side channel this endpoint is part of the application update from yesterday night. - -We need to add this endpoint into the inventory (the OpenAPI Spec), but we will not update the Spec File as the source of truth are the DevOps. Instead, we will add the endpoint into the ``Inclusion List``. - -.. note:: Inventory = OpenAPI File + Inclusion List - -| - -Add the /api/colors shadow API endpoint to the Inventory (inclusion list) -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -* Click on the three dots (...) at the right of the **/api/colors** endpoint to open the actions menu - -* Click on ``Move to Inventory`` - - .. image:: ../pictures/move-to-inventory.png - :align: left - :scale: 50% - -* A warning message will confirm the add - - .. image:: ../pictures/warning-inventory.png - :align: left - :scale: 50% - -* Click ``Move to Inventory`` - -* Now, you can see ``/api/colors`` is not a Shadow API anymore. It is part of Inventory. - - .. image:: ../pictures/moved-inventory.png - :align: left - :scale: 50% - -How to find all endpoints added into the Inventory (Inclusion List) ? -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -As mentioned before, API endpoints are not added into the OAS Spec file because this file is maintenained by AppDev/DevOps. Instead, we create an ``Inventory Inclusion List`` - -* Go to API Management > Edit your API Definition - -* You can see an API Inventory Inclusion List - - .. image:: ../pictures/oas-inclusion-list.png - :align: left - :scale: 50% - -* Click on ``Edit Configuration`` to see the content - - .. image:: ../pictures/inclusion-list.png - :align: left - :scale: 50% - -.. note:: When AppDev/DevOps will push a new version of the OpenAPI Spec file to F5 XC, a new version of the file will be available for the SecOps. SecOps will update the definition with this new file (let's say v2) - If this version includes ``/api/colors``, the entry into the Inventory Inclusion List will not be taken into account. The OAS Spec file specified on F5 XC takes precedence over Inventory Inclusion List. +Enable API on-premises discovery (under construction) +====================================================== diff --git a/docs/class4/module2/lab5/lab5.rst b/docs/class4/module2/lab5/lab5.rst new file mode 100644 index 0000000..c89a442 --- /dev/null +++ b/docs/class4/module2/lab5/lab5.rst @@ -0,0 +1,111 @@ +API Discovery outcomes +====================== + +.. note:: The "traffic discovery" scheduler runs on a random interval within a two hours time window and therefore it can take up to 2 hours (maximum) to see all results in the Dashboard for the "API Discovery outcomes" lab section. You can also continue with the next lab "Advanced Protection - "JWT validation and access control" (module 3) and continue here later. + +Endpoint Discovery +------------------ + +* Goto Web App & API Protection > Overview > Security > Dashboard +* Click on your Application Load Balancer +* Click on ``API Endpoints`` to see the endpoints in the the "Table" view. + +.. image:: ../pictures/api-endpoints-table.png + :align: left + :scale: 50% + +Understand the API Discovery elements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +On the top left corner, there are 3 important elements: + +* **Inventory** : Endpoints known from the OpenAPI Spec file + + * In our lab, there are 3 endpoints know (adjectives, animals, locations) + +* **Discovered** : Endpoints that the XC platform has discovered/learned from live traffic (known and unknown endpoints) +* **Shadow** : Endpoints that have been ``Discovered`` but are **NOT PART** of the ``Inventory`` + +You can filter on ``Shadow`` only to show the ``/colors`` endpoint as a Shadow API. + +.. image:: ../pictures/shadow.png + :align: left + :scale: 50% + +Go deeper into the discovery +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Click on the ``/colors`` shadow API endpoint. A pop-up will appear on the right side of the screen. +* You can see on the top right corner, 2 actions + + * **API Protection rule** : if you want to block this endpoint. Let's say SecOps have this power to block unknown endpoints. + + * **Rate Limiting** : if you want to Rate Limit this endpoint because SecOps don't have the full power and don't want to break the app. + +* Click on the ``Discovered`` tab and navigate into the sub-menus. You will see all the details discovered by the platform. + +.. image:: ../pictures/discovered.png + :align: left + :scale: 50% + + +PII Discovery +------------- + +* Click on the ``/animals`` API endpoint. A pop-up will appear on the right side of the screen. + + .. image:: ../pictures/pii-1.png + :align: left + :scale: 50% + +* Click on the ``Discovered`` tab to show discovered sensitive data for requests and responses. + + .. image:: ../pictures/pii-2.png + :align: left + :scale: 50% + +.. warning:: Dataguard can obfuscate sensitive PII data in the response but currently not for custom created PII configurations. This feature is in the roadmap. OWASP Top 10 does not require to ``hide`` sensitive data. + + +Click on the ``Graph`` tab to show the API endpoints in a different view. + +.. image:: ../pictures/octopus.png + :align: left + :scale: 50% + + +Authentication Discovery +------------------------ + +* Click on an endpoint with an ``Authenticated`` state, like **/api/locations** + + .. image:: ../pictures/authenticated-endpoint.png + :align: left + :scale: 50% + +* Click on ``Discovered`` tab and check the Authentication details + + .. image:: ../pictures/auth-discovery-new.png + :align: left + :scale: 50% + +* Notice that the auth information collected from the OpenAPI Spec file differs from the discovered auth information. If both don't match, a "Security Posture" is raised. + + .. image:: ../pictures/basic-auth.png + :align: left + :scale: 50% + +AI/ML Security Posture +---------------------- + +* Click on an endpoint with the highest ``Risk Score`` +* And click on the ``Security Posture`` tab +* Review the recommandations done by the AI/ML engine + +.. image:: ../pictures/security-posture.png + :align: left + :scale: 50% + +* Click on the ``Evidence`` link to get more details about the logs who generated this security posture. + +.. note:: Congratulation, your application is now protected by a modern engine enforcing (validating) what is provided by the developers, but also providing visibility for unkown traffic. \ No newline at end of file diff --git a/docs/class4/module2/lab6/lab6.rst b/docs/class4/module2/lab6/lab6.rst new file mode 100644 index 0000000..02ae172 --- /dev/null +++ b/docs/class4/module2/lab6/lab6.rst @@ -0,0 +1,78 @@ +API Inventory Management +======================== + +API Inventory Management is a feature designed to enhance your API ecosystem by simplifying the management of your API inventory. + +It allows easy management of discovered APIs, marking of non-API discoveries, removal of outdated endpoints, and seamless updates for API schemas. +This tool keeps your API inventory organized, current, and secure, catering to your dynamic requirements. + +Add Shadow API into the Inventory +--------------------------------- + +In the previous lab, we discoverd /api/colors as a ``shadow API``. DevOps already opened a ServiceNow ticket with SecOps to provide the new OpenAPI Spec file including /colors. +But SecOps are late in their ticketing queue, and they haven't seen this ticket yet but they must take a decision about this endpoint. + +SecOps can block the request with an API Protection rule. We covered how to create it in the ``Static API Protection`` lab. FYI, there is a shortcut directly into the API EndPoint screen as shown in the screenshot below. +**Don't block it now, it is a legitimate endpoint.** + +.. image:: ../pictures/protection-rule-colors.png + :align: left + :scale: 50% + + + +We will not block it, SecOps had the information from a side channel this endpoint is part of the application update from yesterday night. + +We need to add this endpoint into the inventory (the OpenAPI Spec), but we will not update the Spec File as the source of truth are the DevOps. Instead, we will add the endpoint into the ``Inclusion List``. + +.. note:: Inventory = OpenAPI File + Inclusion List + +| + +Add the /api/colors shadow API endpoint to the Inventory (inclusion list) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Click on the three dots (...) at the right of the **/api/colors** endpoint to open the actions menu + +* Click on ``Move to Inventory`` + + .. image:: ../pictures/move-to-inventory.png + :align: left + :scale: 50% + +* A warning message will confirm the add + + .. image:: ../pictures/warning-inventory.png + :align: left + :scale: 50% + +* Click ``Move to Inventory`` + +* Now, you can see ``/api/colors`` is not a Shadow API anymore. It is part of Inventory. + + .. image:: ../pictures/moved-inventory.png + :align: left + :scale: 50% + +How to find all endpoints added into the Inventory (Inclusion List) ? +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +As mentioned before, API endpoints are not added into the OAS Spec file because this file is maintenained by AppDev/DevOps. Instead, we create an ``Inventory Inclusion List`` + +* Go to API Management > Edit your API Definition + +* You can see an API Inventory Inclusion List + + .. image:: ../pictures/oas-inclusion-list.png + :align: left + :scale: 50% + +* Click on ``Edit Configuration`` to see the content + + .. image:: ../pictures/inclusion-list.png + :align: left + :scale: 50% + +.. note:: When AppDev/DevOps will push a new version of the OpenAPI Spec file to F5 XC, a new version of the file will be available for the SecOps. SecOps will update the definition with this new file (let's say v2) + If this version includes ``/api/colors``, the entry into the Inventory Inclusion List will not be taken into account. The OAS Spec file specified on F5 XC takes precedence over Inventory Inclusion List. +