Easily View, Manage and Scale Your
App Security with F5 NGINX
Thelen Blum, Sr. Product Marketing Manager, F5 NGINX
Fabrizio Fiorucci, EMEA Solutions Architect, F5
©2022 F5
Agenda
Current App Adoption and App Security Challenges
Key WAF Capabilities, Benefits and Difficulties
F5 NGINX Management Suite: Security Monitoring module
F5 NGINX Management Suite Instance Manager – Configuration Management feature
Shifting Left with NGINX App Protect WAF
Demo
APP PORTFOLIOS GROW AND MODERNIZATION CONTINUES WITH MULTI-CLOUD DEPLOYMENTS
How Many Apps Do Most Organizations Have Today?
Source: F5 State of Application Strategy Report in 2022
- up 31% from 5 years ago
77% of those surveyed run apps in
multiple clouds with 95%
modernizing older applications.
Securing Applications Has Become More Difficult
DIGITAL TRANSFORMATION WITH WEB APPLICATION GROWTH INCREASES SECURITY CHALLENGES
Source: ESG Report: Trends in Modern App Protection, May 2022 https://www.f5.com/solutions/application-security-trends
WAFs Ranked Top Tool to Protect Web Apps
WAFs REMAIN TOOL OF CHOICE BY IT DECISION MAKERS FOR WEB APP SECURITY
Source: ESG Report: Trends in Modern App Protection, May 2022 https://www.f5.com/solutions/application-security-trends
WAF Capabilities for Easy App Security at Scale
Robust App Security starts with these WAF capabilities:
• HTTP protocol and traffic validation – ensures HTTP protocol compliance and CVE protection, and REST API security
• Data Protection – masks sensitive data such as PII and PCI DSS to prevent data leakage and maintain compliance
• Automated attack blocking – uses automated signatures and threat campaigns that are continuously updated to proactively protect apps from malicious traffic, attackers and zero-day threats
• Easy policy integration into CI/CD pipelines – declarative security policies can be incorporated early into the app development process for consistent app security at scale for DevSecOps
• Centralized Visualization – insights into top attacks and violations across all applications with the ability for detailed analysis to update policies as needed
• Configuration Management at Scale – a central interface that allows security teams to manage their entire WAF fleet from a single console, and push different configurations to one, several or all WAFs as needed and at scale
WAFs PROVIDE THE FIRST LAYER OF DEFENSE AGAINST APP LAYER 7 ATTACKS
Top WAF Benefits – App Protection from Diverse Threats
SOFTWARE VULNERABILITIES IN APPLICATION STACKS (CVEs)
Software vulnerabilities are found in components of virtually all software stacks
• Operating systems (Windows, Linux, containers)
• Application servers
• Support libraries
• Programming languages
• 3rd party libraries (NPM, CPAN, Ruby Gems)
FREQUENTLY OCCURRING WEAKNESSES IN APPLICATION CODE (OWASP Top 10)
Threats such as Injection and XSS are well known, but difficult to mitigate, thus remarkably common
• Injection (SQLi)
• Cross Site Scripting (XSS)
• Cross-site request forgery
• Insecure deserialization
• Cookie poisoning
Why Managing WAFs at Scale is Difficult
Challenges Include:
• Lack of adequate visibility into application-layer attack vectors and vulnerabilities, especially given
the considerable number of them
• Balancing WAF configurations between overly permissive or overly protective; it’s time-consuming to
fix the resulting false positives or negatives, especially manually and at scale
• Ensuring consistent application policy management at high volumes, which is required to
successfully identify suspicious code and injection attempts
• Potential longtail costs – some extremely damaging – of failure to maintain even a single WAF in
your fleet, including monetary loss, damage to reputation and brand, loss of loyal customers, and
penalties for regulatory noncompliance
• Needing to support and update WAF configurations over time
NGINX App Protect WAF Secures Your Apps Against the Most
Sophisticated Attacks
A LIGHTWEIGHT, HIGH PERFORMANCE, MODERN APP SOFTWARE SECURITY SOLUTION
NGINX App Protect WAF Deployment Options – Platform Agnostic
NGINX Management Suite: Security Monitoring
CENTRALIZED VISUALIZATION FOR YOUR ENTIRE NGINX APP PROTECT WAF FLEET
Key Benefits include:
• Out of the box tool supported by NGINX for
SecOps and WAF teams
• Centralized visibility of NGINX App Protect
WAF per app or across apps for policy
tuning insights
• Curated insights on top violations and
threats with the ability to custom filter event
logs for more detailed analysis
• Insights on potential Bot related threats
• Lookup details on why requests
are triggering a WAF via blocking request
identifiers
The Security Monitoring main dashboard provides security teams overview visibility of all web attacks, bot
attacks, threat intelligence, attack requests, and top attack geolocations, plus tabs for further detailed threat
analysis and quick remediation of issues.
NGINX Management Suite: Instance Manager - Configuration Management
SECURITY POLICY MANAGEMENT FOR YOUR ENTIRE NGINX APP PROTECT WAF FLEET
Key Benefits include:
• Single solution via API or GUI allowing
SecOps, Platform Ops or DevOps to
edit and publish NGINX App Protect
WAF configuration files
• Deploy multiple WAF security policy
updates to one, several or all WAF
instances at scale
• Policy compilation done on
management plane, improving data
plane performance
• More responsive protection to current
threats
NGINX Instance Manager enables security teams to create, modify, and publish policies to one, several,
or an entire fleet of NGINX App Protect WAF instances. This image shows policies being selected for
publication to a WAF instance group.
Easy WAF Fleet Security Management Across Teams
DEVOPS
SECOPS PLATFORM OPS
• Centralized visibility into app
security and compliance
• Apply uniform policies
across the organization
• Support a shift left strategy
for DevSecOps
• Ability to provide app
security support to multiple
users
• Centralized visibility across
the entire WAF fleet
• Scalable DevOps across the
entire enterprise
• Automate security into CI/CD
pipelines supporting DevSecOps
• Easy and quick app security
deployment
• Building more reliable and risk-averse apps delivering a better customer experience
EACH WAF SECURITY TEAM BENEFITS WHILE ENABLING THE OTHER TO SCALE
NGINX Management Suite:
End-to-end NGINX App Protect WAF Monitoring & Configuration Management at Scale
NMS Security Monitoring module provides
dashboards to view, analyze security, and
identify areas for policy tuning for all your WAF
instances.
NMS Instance Manager enables configuration
management for your entire NGINX App Protect
WAF fleet
• Define policies
• Add attack signatures and threat campaign
packages
• Pre-compiled policies placed into bundles
before pushing the configuration
• Publish common configurations to NGINX
App Protect instances or instance groups
NGINX App Protect WAF Enables Security-as-Code
DEVOPS
SECOPS PLATFORM OPS
• Integration into application security right
from the start
• Automates security to keep the DevOps
workflow from slowing down
• Enables DevOps to consume SecOps
managed security policies to create a
culture of DevSecOps
Shifting Left for Modern Apps with NGINX App Protect WAF
AUTOMATE SECURITY AS CODE WITH NGINX APP PROTECT WAF
Source Code Repository | CI/CD Pipeline Tool | IT Automation
Application code/config for App X
security policy/config for App X
Pipeline for build/test/deploy of App X
Ansible playbook for deployment of App X with its app services
Owned by SecOps | Operated by DevOps
{
    "entityChanges": {
        "type": "explicit"
    },
    "entity": {
        "name": "bak"
    },
    "entityKind": "tm:asm:policies:filetypes:filetypestate",
    "action": "delete",
    "description": "Delete Disallowed File Type"
}
• Declarative security policy (JSON file) allows DevOps to use CI/CD tools natively
• The same policy can be pushed to the application from a developer tool
• Allows SecOps to own the file and DevOps owns everything else including security as a part of testing
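A pipeline gate for the declarative policy file described above, as an added example (not from the original deck or F5's tooling): it checks each modification entry of the kind shown on the slide and flags file type deletions that SecOps has not approved. The `modifications` wrapper, the `approved_deletes` allowlist and the second and third sample entries are assumptions constructed for illustration.

```python
import json

# Constructed sample: the slide's modification entry plus two constructed
# entries, wrapped in a "modifications" list (the wrapper is an assumption).
SAMPLE_POLICY = """
{
  "modifications": [
    {
      "entityChanges": {"type": "explicit"},
      "entity": {"name": "bak"},
      "entityKind": "tm:asm:policies:filetypes:filetypestate",
      "action": "delete",
      "description": "Delete Disallowed File Type"
    },
    {
      "entity": {"name": "sql"},
      "entityKind": "tm:asm:policies:filetypes:filetypestate",
      "action": "delete",
      "description": "Constructed entry with no SecOps approval"
    },
    {"entity": {"name": "tmp"}, "action": "delete"}
  ]
}
"""

FILETYPE_KIND = "tm:asm:policies:filetypes:filetypestate"
REQUIRED_KEYS = ("entity", "entityKind", "action")


def review_modifications(policy_text, approved_deletes):
    """Return a list of findings; an empty list means the gate passes.

    approved_deletes: file type names SecOps has agreed may be removed
    (hypothetical allowlist kept next to the policy in the repository).
    """
    findings = []
    mods = json.loads(policy_text).get("modifications", [])
    for index, mod in enumerate(mods):
        missing = [key for key in REQUIRED_KEYS if key not in mod]
        if missing:
            findings.append(f"modification {index}: missing {', '.join(missing)}")
            continue
        name = mod["entity"].get("name")
        # The slide's entry deletes a disallowed file type, which loosens the
        # policy, so every file type delete must be on the approved list.
        if (mod["entityKind"] == FILETYPE_KIND and mod["action"] == "delete"
                and name not in approved_deletes):
            findings.append(f"modification {index}: unapproved delete of file type '{name}'")
    return findings


if __name__ == "__main__":
    for finding in review_modifications(SAMPLE_POLICY, approved_deletes={"bak"}):
        print(finding)
```

A pipeline step would fail the build whenever the returned list is non-empty, which keeps the policy file under SecOps ownership while DevOps runs the check.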
DEMO
Achieve Easy App Security for Your Entire NGINX App Protect WAF Fleet using NGINX Management Suite
NGINX App Protect WAF
Fleet Management
• Centrally view and
manage WAF
configuration files at scale
• Easily deploy policies for
multiple apps & APIs
WAF Configuration
Management at Scale
• Easily create, edit and publish
policy updates to your entire
WAF fleet from a single pane
of glass
• GUI or API for SecOps
• Compilation done on
management plane for faster
policy deployment
Visibility Control
Scalability
WAF Out-of-the-Box
Monitoring
• Quick security visualization
adopted for SecOps users
• Identify top attacks and
threats for better response
time
• Dashboards with curated
insights for possible policy
tuning
Q & A
Test Drive NGINX Management Suite TODAY!
Register for a 30-day FREE Trial on nginx.com.
https://www.nginx.com/free-trial-request-nginx-management-suite