This document summarizes a presentation given at DevOpsDays Jakarta 2020 about modern application architecture and microservices. It discusses how application landscapes are transforming to use more cloud, DevOps practices, and container-based workloads. It also covers challenges around security with modern applications and microservices. Specific topics discussed include API security, attacks on applications and infrastructure, and the F5 application security framework. The presentation advocates for an API gateway and management to help secure microservices applications and provides examples of benefits. It also discusses site reliability engineering practices, automation approaches like the application factory, and integrating security into the software development lifecycle.

1. DevOpsDays Jakarta 2020
Modern App Architecture: Microservices, API Friendly
by Andre Iswanto
BRI Corporate University, March 12th 2020

5. | ©2019 F5 NETWORKS5 CONFIDENTIAL
Modern App Architecture:
Microservices, API Friendly
Andre Iswanto

6. | ©2019 F5 NETWORKS6 CONFIDENTIAL
Three outcomes
enterprises
expect from digital
transformation
Customer
experience
Business
agility
Digital
ROI

7. | ©2019 F57
Applications drive business
MOBILE
GLOBAL
LOGISTICS
ERP
TODAY

8. | ©2019 F5 NETWORKS8
The Application Landscape Is Transforming
1 F5 State of Application Services Report 2018 2 IDC FutureScape 2019 3 Cisco Global Cloud Index: 2016-2021
Cloud is now DevOps is rising Technology is changing
65%
Organizations expanding
DevOps methods into larger
business by 20212
87%
Customers adopting multi-
cloud strategies and
approaches1
85%
New app workload instances
that are container-based—
95% by 20213

9. Microservices Architecture from Gartner
N/S
E/W

10. | ©2019 F510
Security

11. | ©2019 F511
D.T. challenges
ORGANIZATIONS MUST RETHINK SECURITY
Applications
Processes and skills
Technology stacks and tools
Security
How do you deploy and manage a
global application security policy?
SOURCE: F5 STATE OF APPLICATION SERVICES 2019 REPORT
Applications and identities
were the initial targets in
86% of breaches.
86%

12. | ©2019 F512
APPLICATION ATTACKS
L7 DoS
API attacks
SQL/PHP Injection
Client-side attacks
APP INFRASTRUCTURE ATTACKS
DDoS
Encrypted threats
Man-in-the-middle
DNS spoofing
SOPHISTICATED ATTACKS
APT
Multi-cloud threats
Malicious bots
Threat campaigns
and malware
ACCESS LEVEL ATTACKS
Session hijacking
Credential theft
Brute force
Phishing
Application threats

13. | ©2019 F513
OWASP API Security
1. HTTPS
2. Access Control
3. JWT
4. API Keys
5. Restrict HTTP Methods
6. Input Validation
7. Validate Content Type
8. Management endpoints
9. Error handling
10. Audit logs
11. Security headers
12. Cross-Origin Resource Sharing (CORS)
13. Sensitive information in HTTP requests
14. HTTP Return Code
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/REST_Security_Cheat_Sheet.md

14. Confidential /
Sophisticated Attack on Client Side
Magecart-style Attacks Steal PCI and PII
Malicious or
compromised
JavaScript on the
webpage
(Event Listeners)
The JS instructs
the browser to
make outbound
XHR calls to
exfiltrate
sensitive data
SE 14

15. | ©2019 F515
Autonomous Fraud

16. | ©2019 F516
F5 Application Security framework
INTELLIGENT SECURITY
THREAT SERVICES
Risk-based analytics and security
stop today's sophisticated attacks.
APPLICATION
INFRASTRUCTURE SECURITY
Security infused into business and
application development practices
TRUSTED
APPLICATION ACCESS
Modern authentication with
every app and service
APPLICATION
LAYER SECURITY
Common security policies
across all multi-cloud apps

17. | ©2019 F5 NETWORKS17
API Gateway

18. | ©2019 F518
BENEFITS
• Create and publish multiple APIs, definitions, and configs
quickly and easily
• Protect apps from DDoS and other attacks while
ensuring performance with proactive security features
• Get deep visibility into app and API health with per-
instance performance monitoring and proactive alerting
• Deploy your way in the environment of your choice and
leverage your existing technology investments
API Management
REDUCED COMPLEXITY, INCREASED PERFORMANCE
| ©2019 F518
DEFINITION
AND PUBLICATION
SECURITY
TRAFFIC
MGMT.
(API GW)
ONGOING MONITORING
AND MAINTENANCE
ANALYTICS TO
ASSESS API
VALUE
ONBOARDING
(DEV PORTAL)
API MANAGEMENT

19. Billing Service
Edge API Gateway
Billing Service
Billing Service
Other API
/api/other/topup
/api/other/user
Payment API
/api/payment/inquiry
/api/payment/payment
Paylater API
/api/paylater/payment
/api/paylater/settlement
Payment Service
Payment Service
Payment Service
Service
registry
Service
registry
API Security
API
API
Protection
Authentication
• TLS Termination
• API OWASP
• Bot protection
• DDoS protection
• Authentication & Authorization
with Oauth 2.0
Attackers
Legitimate
users
{“filter”:”|cat
/etc/password“,”order”:”
asc”,”limit”:50}
{“filter”:”user=marcel“,
”order”:”asc”,”limit”:5
0}
API Security & Management

20. | ©2019 F520
Orchestration and Automation

21. | ©2019 F521
The Application Factory
THE GROWTH ENGINE OF THE APPLICATION ECONOMY
| ©2019 F521

22. | ©2019 F5 NETWORKS22
http://www.itsmacademy.com/content/webinar/SRE%20-%20An%20Enterprise%20Adoption%20Story.pdf

23. | ©2020 F523 CONFIDENTIAL
SRE’s 5 Pillars of Success
https://en.wikipedia.org/wiki/Site_Reliability_Engineering

24. | ©2019 F5 NETWORKS24
Code to Customer
Device
fingerprint
User
identity &
behavior
Future
services
CustomerCode
API
gateway
CDNIngress
Controller
App / web
server
Load
balancer
DNSApp
Security
DDoSFuture
services
Containers
Purpose-built
hardware
Public
cloud
Virtual
machines
Software
as a Service
Commodity
hardware
ANY INFRASTRUCTURE
Mobile POSLaptop IoT
ANY DEVICE
PLATFORM CONTROL PLANES
BIG-IP NGINX FUTURE
VISIBILTY,
INSIGHTS &
ORCHESTRATION
TELEMETRY TELEMETRY

25. | ©2019 F525
Automation lifecycle
DEPLOY APP
SERVICES
BOOTSTRAP ONBOARD
MONITORING/
TELEMETRY CHANGE

26. | ©2019 F526
F5 Automation Toolchain
CLOUD
TEMPLATES
DECLARATIVE
ONBOARDING
EXTENSION
APP SERVICES 3
EXTENSION
TELEMETRY
STREAMING
EXTENSION
Start BIG-IP
instances in public
and private clouds
Initial configuration of
BIG-IP instances
Deploy classic and
advanced application
services on BIG-IP
using declarative
REST APIs
Stream telemetry,
events, and logs from
BIG-IP to various
analytics and logging
solutions
L4-L7L1-L3
BOOTSTRAP ONBOARD DEPLOY APP SERVICES MONITORING/TELEMETRY

27. | ©2019 F5 NETWORKS27
Secure SDLC

28. | ©2019 F5 NETWORKS28
Summary

29. Microservices-oriented application
….
Node 1 Node N

30. CI/CD (Continuous Integration Continuous Delivery)
Commit
Changes
Build
Image
Deploy
Development
Deploy Application Service
Platform (F5 & NGINX)
Apps Vulnerabilities
Scan
Penetration
Testing
Generate
Reports
Approval
Workflow
Deploy
Production
AS3
Big Data
Logging, Application Performance Monitoring & Analytics
TS TS
HTTPS
HTTPS
HTTPS
DC1
DC2
Controller &
Dashboard
AS3

31. | ©2019 F5 NETWORKS31

32. | ©2019 F5 NETWORKS32
DevOpsDays Jakarta 2020
Venue Sponsor

33. | ©2019 F5 NETWORKS33
DevOpsDays Jakarta 2020
Platinum Sponsors

34. | ©2019 F5 NETWORKS34
DevOpsDays Jakarta 2020
Gold Sponsors

35. | ©2019 F5 NETWORKS35
DevOpsDays Jakarta 2020
Silver Sponsors

36. | ©2019 F5 NETWORKS36
DevOpsDays Jakarta 2020
University Partners

37. | ©2019 F5 NETWORKS37
DevOpsDays Jakarta 2020
Community Partners

38. | ©2019 F5 NETWORKS38
DevOpsDays Jakarta 2020
Media Partners

39. | ©2019 F5 NETWORKS39
Stay Connected
@IDDevOps @IDDevOps @IDDevOps
DevOps Indonesia
DevOps Indonesia DevOps Indonesia

40. | ©2019 F5 NETWORKS40
THANK YOU !
Alone We are smart, together We are brilliant