Learn how to automate application security into your CI/CD pipeline with NGINX App Protect WAF and DoS and protect your apps from attacks.

1. Shift Left for More Secure Apps
with F5 NGINX
Thelen Blum
Sr. Product Marketing Manager, F5 NGINX
September 21, 2022
Fabrizio Fiorucci
EMEA Solutions Architect, F5

2. ©2022 F5 2
Agenda
How is business digital transformation shifting the
security paradigm?
Shift Left – What is it? Why adopt a DevSecOps
culture?
DevSecOps - challenges, benefits and a path forward
How NGINX App Protect can help organizations
Shift Left
Demo
Best Practices what to consider when moving
towards a Shift Left culture on the road to
DevSecOps

3. ©2022 F5 3
Business Digital Transformation Continues to Ramp in 2022
ALMOST TWO-THIRDS OF ORGANIZATIONS ARE WORKING ON AI-RELATED PROJECTS

4. ©2022 F5 4
APP PORTFOLIO GROWS AND MODNERNATION CONTINUES WITH MULTI-CLOUD DEPLOYMENTS
How Many Apps do Most Organizations Have Today?
Source: F5 State of Application Strategy Report 2022
- up 31% from 5 years ago
77% of those surveyed run apps in
multiple clouds with 95%
modernizing older applications.

5. ©2022 F5 5
CONTAINERS FOUND TO LACK SECURITY DUE TO CODE AND CONFIGURATION VULENRABILITIES
Web Applications Remain a Top Attack Vector
Source: Forrester, The State of Application Security, 2021

6. ©2022 F5 6
Software Vulnerabilities & Common Attack Vectors
SOFTWARE VULNERABILITIES
IN APPLICATION STACKS (CVEs)
Software vulnerabilities are found in components
of virtually all software stacks
• Operating systems (Windows, Linux, containers)
• Application servers
• Support libraries
• Programming languages
• 3rd party libraries (NPM, CPAN, Ruby Gems)
Threats such as Injection and XSS are well known,
but difficult to mitigate, thus remarkably common
• Injection (SQLi)
• Cross Site Scripting (XSS)
• Cross-site request forgery
• Insecure deserialization
FREQUENTLY OCCURRING
WEAKNESSES IN APPLICATION
CODE (OWASP Top 10)

7. ©2022 F5 7
Shif Left - refers to shifting “security” left and embedding security by design throughout the entire software development
lifecycle. Some organizations also refer to shift left or shifting left as a “Security First” strategy or automating security-as-code
into each stage of the continuous integration and continuous deployment (CI/CD) pipeline. This represents a change within in
an organization from a DevOps to a DevSecOps culture.
Shift Left - What is it?
Continuous Integration / Continuous Deployment Pipeline

8. ©2022 F5 8
MOST SIGNIFICANT COST SAVINGS IN THE 2021 IBM COST OF A DATA BREACH REPORT
Security Automation and AI Reduced Breach Costs by 80%
Source: Ponemon and IBM Security Cost of a Data Breach Report 2021

9. ©2022 F5 9
HOW SECURE IS THE APPLICATION SOFTWARE IN YOUR CI/CD PIPELINE?
Shifting Left Could Help You Prevent Significant Breaches
• 2021 Git Server of the PHP Programming Languages Supply Chain Attack
• Hackers pushed unauthorized updates to create a secret backdoor into
its source code enabling attacker to take full control over any website.
• PHP runs on an estimated 79% of websites. In this case, this attack was
averted due to a discovery by community members.
• 2020 SolarWinds Software Supply Chain Cyberattack – 30,000+ customers affected
including the US Federal Government, Microsoft, Intel and FireEye
• State Sponsored hackers added malicious code, “Starburst”, into the company’s
IT performance monitoring system, Orion, sent to customers as a software update
• The malicious code created a back door to customers IT resources for spying –
one of the most significant cyber attacks in history
• 2021 Codecov Supply Chain Hack – 29,000 customers affected including
Twilio, HashiCorp, Rapid7 and Confluent
• Attackers exploited an error in Codecov’s Docker image creation process
and modified “Bash Uploader” script to create a backdoor to exfiltrate data
from a CI build
• Second most significant attack after SolarWinds

10. ©2022 F5 1
0
Security Automation can Reduce a Breach Lifecycle by 77 Days

11. ©2022 F5 1
1
Why are organizations moving to automating security early in
the SDLC and adopting a DevSecOps culture?
Benefits include the ability to incorporate security early, accelerate software development, provide
agility and velocity, and save time and money in addition to the following:
• Finding vulnerabilities early and fixing them
• Building a more secure and reliable application (software-as-code / infrastructure-as-code)
• Remove human error, deliver predictability
• Enhanced compliance
• Minimizing Risk and Reducing the Cost of a Breach
• Taking advantage of cloud infrastructure and OpEx benefits
• Providing a better customer experience (CX)
• Faster time-to-market
Security should be thought of as having its own operational lifecycle that extends beyond the SDLC.

12. ©2022 F5 1
2
Top Three Org ChallengesAdopting DevSecOps
1
2
17.0%
19.5%
27.5%
28.0%
32.5%
44.5%
45.5%
0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%
Budget constraints
Lack ownership of security by DevOps teams
Fear security testing will slow down DevOps processes
Lack of mature processes
Knowledge/Job skills/training
Lack collaboration between DevOps and security teams
Overall organizational cultural resistance
© IDC
What are your top 3 organizational challenges with regards to DevSecOps adoption [Select up to 3]?
 ToC
n = 200
Source: US Survey of DevSecOps Adopters, Dec 2020

13. ©2022 F5 1
3
DevOps
SecOps AppDev
• Understaffed and struggle to keep
up with rapidly changing threats
• Business leaders consider
compliance versus security the goal
• Tool sprawl and inconsistent security
policies spanning multiple
architectures and clouds creates risk
• Security slows down the
application lifecycle and is
perceived as a bottleneck
• CI/CD pipelines that automate app
development/deployment lack
security
• Business imperatives and
incentives such as time to market
compel DevOps to bypass
SecOps. DevOps KPIs do not
include security-related metrics
• Developer training on security is
lacking
• Developers are focused on
modern app development and are
not able to stay abreast of the
security landscape
• Cloud and open-source software
introduce unknown risks to the
business
Team Pain Points to Consider whenAdopting DevSecOps

14. ©2022 F5 1
4
Bridging the gap from DevOps to DevSecOps
One team, one objective
Fluid integration
Different teams, different interests
Friction
Goal: Infuse good security practices into development
DevOps
SecOps
Dev
Sec
Ops
Security Automation

15. ©2022 F5 1
5
1
Security
10
DevOps
Developers
100
REALITY: THE AGILE IMBALANCE
The CI/CD
Pipeline is Built
for Speed, Not
Security
“Waterfall” security policies
often don’t translate well to
Agile and cloud environments.
Security control objectives
can’t be adequately applied
and enforced.

16. ©2022 F5
1
6
Enabling Security-as-Code
DEV SEC OPS
Integration into application security right
from the start
Automates security gates to keep the
DevOps workflow from slowing down
Enables DevOps to consume SecOps
managed policies to create a culture of
DevSecOps

17. ©2022 F5
1
7
Tools to Automate Security within your CI/CD Pipeline

18. ©2022 F5
1
8
Why a WAF is Critical for App Security and
Protecting your Apps from Attacks
Active attacks
Vulnerabilities
Risk and address
compliance

19. ©2022 F5
1
9
Strong App and
API Security
Built for
Modern Apps
CI/CD
Friendly
NGINX App Protect WAF and DoS

20. ©2022 F5
2
0
NGINX App Protect WAF and DoS Deployment Options
3

21. ©2022 F5
2
1 CONFIDENTIAL
NGINX App Protect WAF Secures Your Apps Against the Most
SophisticatedAttacks
A LIGHTWEIGHT, HIGH PERFORMANCE, MODERN APP SOFTWARE SECURITY SOLUTION

22. ©2022 F5
2
2 CONFIDENTIAL
NGINX App Protect DoS Secures Your Apps from Layer 7
DoS Attacks
A DYNAMIC, DoS SECURITY SOLUTION WITH ADAPTIVE LEARNING AND AUTOMATED PROTECTION

23. ©2022 F5
2
3 CONFIDENTIAL
Shifting Left for Modern Apps with NGINX App Protect
AUTOMATE SECURITY AS CODE WITH NGINX APP PROTECT WAF AND DOS
Source Code Repository CI/CD Pipeline Tool IT Automation
Application code/config for App X
security policy/config for App X
Pipeline for build/test/deploy of App X
Ansible playbook for deployment
of App X with its app services
Owned by SecOps Operated by DevOps
{
"entityChanges": {
"type": "explicit"
},
"entity": {
"name": "bak"
},
"entityKind":
"tm:asm:policies:filetypes:filetypestate",
"action": "delete",
"description": "Delete Disallowed File Type"
}
o Declarative security policy (JSON file) allows DevOps to
use CI/CD tools natively
o The same policy can be pushed to the application from a
developer tool
o Allows SecOps to own the file and DevOps owns
everything else including security as a part of testing

24. ©2022 F5
2
4 CONFIDENTIAL
Shifting Left with NGINX App Protect – Demo
• SecOps define NGINX App Protect WAF security policies
• WAF policies, certificates and configuration snippets are stored on the source of truth (GitHub)
• DevOps use CI/CD pipelines to publish applications through NGINX with WAF security enabled
• NGINX Instance Manager applies policies as part of the CI/CD pipeline
GitOps
Automation
Via CI/CD

25. ©2022 F5 2
5
DEMO

26. ©2022 F5
2
6
Shifting Left with NGINX App Protect - Review
Staged Config creation
CI/CD
pipeline
Catalog objects
retrieval
Configuration published
to Instance Group
Configuration
committed

27. ©2022 F5
2
7 CONFIDENTIAL
Shifting Left with NGINX App Protect WAF and DoS
Built for
Modern Apps
CI/CD
Friendly
Strong App &
API Security

28. ©2022 F5 2
8
• Nurture a culture where there is an understanding that security is everyone’s responsibility.
• Think of security as an operational lifecycle, not just hardware or software based, it’s a
combination of methodology, training and policy.
• Select cloud agnostic tools – these are important to providing you with flexibility for using
different cloud platforms and security tools for business reasons, costs internal needs and / or
customer requirements. (Universal tools example: WAFs, APIs, Terraform, Puppet, Chef,
Jenkins, etc.)
• Create a liaison between DevOps, Security and AppDev teams to understand the difference
between policy vs. what is practical.
Best Practices – What to Consider when moving towards a Shift
Left Culture on the Road to DevSecOps

29. ©2022 F5 2
9
Q & A

30. ©2022 F5 3
0
Test Drive NGINX App Protect TODAY
https://www.nginx.com/free-trial-request/
https://www.nginx.com/success-stories/modern-hire-and-
nginx-deliver-modern-app-security-in-the-cloud/