NGINX App Protect
MATTHIEU DIERICK
SOLUTION ARCHITECT - SECURITY
©2020 F5
Transformation is Shifting the Paradigm
• APIs: APIs are being exploited and abused.
• Multi-Cloud: Transformation creates operational and security challenges.
• Sensitive Data: Half of applications remain vulnerable.
Apps: The Gateway to Data
Average enterprise: 983 apps in play
[Chart: YoY increase in CVEs, 2010–2019. Note: Excludes any rejections or disputes.]
New vulnerabilities are discovered in all manner of software all the time. They are exploited by both malicious bots and human attackers.
Do you know how many affect your application stack(s)? Can you keep up with the pace of published vulnerabilities? Do you want to?
Software vulnerabilities & common attack vectors
SOFTWARE VULNERABILITIES IN APPLICATION STACKS (CVEs)
Software vulnerabilities are found in components of virtually all software stacks:
• Operating systems (Windows, Linux, containers)
• Application servers
• Support libraries
• Programming languages
• 3rd party libraries (NPM, CPAN, Ruby Gems)
FREQUENTLY OCCURRING WEAKNESSES IN APPLICATION CODE (OWASP Top 10)
Threats such as Injection and XSS are well known, but difficult to mitigate, thus remarkably common:
• Injection
• Cross Site Scripting
• Cross-site request forgery
• Insecure deserialization
REALITY: THE AGILE IMBALANCE
Developers 100 : DevOps 10 : Security 1
The Pipeline is Built for Speed, Not Security
“Waterfall” security policies often don’t translate well to Agile and cloud environments. Security control objectives can’t be adequately applied and enforced.
How do you protect apps?
• Against active attacks
• Against vulnerabilities
• By addressing risk and compliance
F5 Application Security Pillars
• APP ACCESS: Modern authentication for all apps
• INFRASTRUCTURE: Network level protection
• APP LAYER: Security at the app
Delivery models: NGINX and BIG-IP (self-managed), Silverline (fully managed), F5 Cloud Services (as-a-service), Shape
F5 Application Security Pillars
• APP ACCESS: Modern authentication for all apps
• INFRASTRUCTURE: Network level protection
• APP LAYER: Security at the app
Threat categories covered: targeted attacks & advanced threat actors; software vulnerabilities & common web exploits; fraud, abuse & business logic attacks
NGINX App Protect
Strong App Security, Built for Modern Apps, CI/CD Friendly
Strong App Security
App security and controls built using F5 advanced WAF technology. Blocks attacks and helps prevent downtime.
• OWASP Top 10
• Regulatory compliance
• Blacklisting
• Prevent sensitive data loss
• F5-based Layer 7 attack protection
• API security
Built for Modern Apps
High-performance security that scales, with seamless integration into the #1 web application platform.
• High performance: 20X+ faster than alternative OSS
• Deployment options
• Minimizes tool sprawl
• Lightweight footprint
• Seamless NGINX integration
Deployment options
NGINX App Protect Performance
[Chart: three bar charts comparing No Protection, NGINX App Protect and ModSec on throughput (MB/sec), requests/sec and latency (ms).]
Comprehensive security policy has no impact on latency, and offers better throughput and requests/second when compared to ModSec.
• ModSec configuration: OWASP Top 10 (enable all CRS v3 rules)
• NGINX App Protect configuration: OWASP Top 10 (enable signatures), evasion techniques, Data Guard, disallowed file types, HTTP protocol compliance
Note that the two configurations are not identical rule sets (the full CRS v3 on ModSecurity versus a signature-based policy on NGINX App Protect), which should be kept in mind when reading the figures.
CI/CD Friendly
Enable security to keep pace with DevOps and support “shift left” initiatives.
• Declarative policies
• Speed time to market
• Reduced cost
• Enable AppDev feedback loops
• Automate security in the CI/CD cycle
Enabling Security as Code (DEV SEC OPS)
• Integration into application security right from the start
• Automates security gates to keep the DevOps workflow from slowing down
• Enables DevOps to consume SecOps managed policies
Declarative Policy Helps CI/CD Motion
INFRASTRUCTURE AND SECURITY AS CODE
• Source code repository: application code/config for App X, plus security policy/config for App X (owned by SecOps, operated by DevOps)
• CI/CD pipeline tool: pipeline for build/test/deploy of App X
• IT automation: Ansible playbook for deployment of App X with its app services
Example declarative policy (security policy/config for App X):
{
  "policy": {
    "name": "AppPolicy01",
    "description": "AppV1.1 - DEMO",
    "template": { "name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT" },
    "enforcementMode": "blocking",
    "server-technologies": [
      { "serverTechnologyName": "MySQL" }
    ],
    "signature-settings": { "signatureStaging": false }
  }
}
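To show how a policy like the one above is consumed by NGINX, here is an added nginx.conf written for this page (it is not configuration from the deck or from F5). It assumes the JSON is saved as /etc/app_protect/conf/AppPolicy01.json, that the application listens on 127.0.0.1:8080, and that security events are shipped to a syslog collector at 10.0.0.5:514; the log_default.json profile ships with NGINX App Protect.

```nginx
# nginx.conf (added example for this page; not configuration from the deck or
# from F5). Loads NGINX App Protect and enforces the AppPolicy01 policy,
# assumed to be saved as /etc/app_protect/conf/AppPolicy01.json. The upstream
# address and the syslog collector are assumptions.
load_module modules/ngx_http_app_protect_module.so;

events {}

http {
    # Security log: log_default.json ships with NGINX App Protect and records
    # requests that raised a violation. Send the events off-box so someone who
    # reaches the proxy cannot tamper with the evidence.
    app_protect_security_log_enable on;
    app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=10.0.0.5:514;

    upstream appx {
        server 127.0.0.1:8080;
    }

    server {
        listen 80;
        server_name appx.example.com;

        # Attach the declarative policy to this vhost. The policy is compiled
        # when the configuration is loaded, so a bad policy fails "nginx -t".
        app_protect_enable on;
        app_protect_policy_file "/etc/app_protect/conf/AppPolicy01.json";

        location / {
            proxy_pass http://appx;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Liveness probe kept outside enforcement so health checks never show
        # up as violations in the security log.
        location = /healthz {
            app_protect_enable off;
            return 200 "ok\n";
        }
    }
}
```

`nginx -t` compiles the policy as part of the configuration test, so a malformed policy file or an unknown template name fails there rather than at runtime, which makes it a natural gate in the pipeline. With enforcementMode set to blocking and signatureStaging set to false, a signature match is rejected immediately rather than only logged; run a new policy in transparent mode against test traffic first if the signature set has not yet been tuned for the app.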
Integration in CI/CD pipeline
Create baseline templates
• DevOps deploy new apps.
• SecOps prepare and validate security policy templates, based on security level and on the application template (requested by DevOps).
• CI/CD tool variables can select the right policy: policy_$framework_$level.
• DevOps specify the expected security level and the framework; the pipeline deploys the right policy.
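As an added example of the policy_$framework_$level convention (illustrative pipeline glue written for this page, not part of NGINX App Protect or of the deck), the POSIX shell helper below maps the two pipeline variables to a policy file published by SecOps and emits the two directives the app's server block needs. The policy directory, the framework and level names, and the file layout are assumptions.

```shell
#!/bin/sh
# select_policy.sh - hypothetical pipeline helper (example for this page, not
# an NGINX App Protect tool). Maps the pipeline variables FRAMEWORK and LEVEL
# to a SecOps-published policy file named policy_<framework>_<level>.json.
set -eu

# Where SecOps publishes validated policies (assumed path).
POLICY_DIR="${POLICY_DIR:-/etc/app_protect/conf}"

# Both inputs come from the developer's pipeline variables, so they are
# allow-listed instead of being spliced into a path as-is (example sets).
known_framework() {
    case "$1" in
        lamp|nodejs|django) return 0 ;;
        *) return 1 ;;
    esac
}

known_level() {
    case "$1" in
        low|medium|high) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the policy path for a framework/level pair, or fail closed.
select_policy() {
    framework="$1"
    level="$2"
    known_framework "$framework" || { echo "unknown framework: $framework" >&2; return 1; }
    known_level "$level"         || { echo "unknown level: $level" >&2; return 1; }

    policy="$POLICY_DIR/policy_${framework}_${level}.json"
    [ -f "$policy" ] || { echo "no policy published for $framework/$level" >&2; return 1; }

    # A "high" level must be a blocking policy; a transparent one only logs.
    if [ "$level" = high ] && ! grep -Eq '"enforcementMode"[[:space:]]*:[[:space:]]*"blocking"' "$policy"; then
        echo "$policy is not in blocking mode" >&2
        return 1
    fi
    printf '%s\n' "$policy"
}

# Emit the directives to drop into the app's server block (e.g. via include).
render_nginx_snippet() {
    policy="$(select_policy "$1" "$2")" || return 1
    printf 'app_protect_enable on;\napp_protect_policy_file "%s";\n' "$policy"
}

# Usage: ./select_policy.sh lamp high > /etc/nginx/conf.d/appx_waf.inc
if [ "$#" -eq 2 ]; then
    render_nginx_snippet "$1" "$2"
fi
```

The helper fails closed on anything it does not recognise: an unknown framework or level, a missing policy file, or a "high" policy that is not in blocking mode all stop the pipeline step instead of silently deploying the app with no WAF or with a logging-only policy.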
Canary testing
1. Separate replicas in order to do canary testing and test new policy versions with a subset of users.
2. Leverage SAST and DAST:
   1. Provide SAST results to DevOps for fixes.
   2. Provide DAST results to SecOps for policy tuning.
3. When tests are validated, migrate to the new replica.
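Added example of the replica split described above (written for this page; not from the deck or from F5): a front NGINX proxy uses split_clients to pin a fixed share of clients to the replicas running WAF policy 1.1, while everyone else stays on the replicas running policy 1.0. The upstream addresses, the 10% share and the policy file names are assumptions.

```nginx
# Front proxy for App X (added example, not from the deck). Pins a fixed share
# of clients to the replicas that run WAF policy 1.1; the rest stay on the
# replicas running policy 1.0. Addresses, the 10% share and the policy file
# names below are assumptions.
events {}

http {
    # Hash on client address + User-Agent so a given user keeps landing on the
    # same track for the whole test instead of flapping between policies.
    split_clients "${remote_addr}${http_user_agent}" $appx_pool {
        10%   "appx_canary";   # replicas with WAF policy 1.1
        *     "appx_stable";   # replicas with WAF policy 1.0
    }

    upstream appx_stable {
        server 10.0.1.10:8080;
        server 10.0.1.11:8080;
    }

    upstream appx_canary {
        server 10.0.1.20:8080;
    }

    server {
        listen 80;
        server_name appx.example.com;

        location / {
            proxy_pass http://$appx_pool;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Expose the track so the DAST run and whoever triages blocks can
            # tell which policy version handled a given request.
            add_header X-Policy-Track $appx_pool always;
        }
    }
}

# On the canary replicas the only difference from the stable replicas is the
# policy file their server block loads:
#
#     app_protect_enable on;
#     app_protect_policy_file "/etc/app_protect/conf/policy_lamp_high_v1.1.json";
```

Because the WAF runs on the replicas rather than on the front proxy, rolling back is a one-line change to the split (set the canary share to 0%) or a reload of the 1.0 policy on the canary replicas, and the DAST results SecOps use for tuning can be attributed to a policy version via the X-Policy-Track header. Clients behind a shared NAT hash to the same track; if that matters, include a session cookie in the split_clients key.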
SecOps creates the baseline policy v1.0
WAF policy version 1.0 for App version 1 (Linux + Apache + MySQL + PHP + JSON), stored in the SecOps policy repo.
DevOps deploys their app with a policy baseline
Dave (DevOps) deploys App version 1 with WAF policy version 1.0 through Dev, Test and Prod.
CI/CD flow with security testing
Developer → Version control → CI server (build) → Repo (Docker Hub) → CD server → Deploy dev container into the DEV environment with its security services → Functional testing → Security testing (WAF: BLOCKED)
SecOps provide a new version in the repo; DevOps deploy policy version 1.1
SecOps publish WAF policy version 1.1 in the policy repo; Dave deploys App version 1 with policy version 1.1 through Dev, Test and Prod.
Deployment of a policy to DevOps
WAF policy version 1.1 with App version 1 is rolled out across Dev, Test and Prod; the app is deployed and the WAF protects the app.
F5 End to End App Security
Modern App protection with F5 WAF solutions
• TLS termination
• Bot protection
• DDoS protection
• AuthN – JWT validation
• Threat Intelligence
Takeaway
Tackle your application security challenges
Key Use Cases
• Embed Security Policy in Your Pipeline: Integrate security controls directly into your pipeline with security as code.
• Secure Modern Apps: Strong security controls for microservices, containers, APIs, and other modern topologies.
• Improve App Performance: The high-performance WAF drives down operational costs and improves the user experience without compromising security.
F5 NGINX App Protect
Built for Modern Apps, CI/CD Friendly, Strong App Security
Demo
Discover NGINX App Protect