Application Security with NGINX | APAC

About the Webinar
In this webinar we demonstrate how to implement effective security controls for your application infrastructure, without impacting release velocity or application performance. Join Chris Witeck and Rajiv Kapoor as they showcase NGINX App Protect and the upcoming security capabilities within NGINX Controller, with specific business use cases in mind.

On-Demand Link: https://www.nginx.com/resources/webinars/application-security-nginx-apcj/

  1. NGINX App Sec, August 2020. Chris Witeck – Director of Product Management; Rajiv Kapoor – Sr Product Marketing Manager; Daniel Edgar – Sr Technical Product Manager
  2. SECURING CRITICAL BUSINESS APPLICATIONS WITH NGINX (©2020 F5). Agenda: Challenges with Securing Modern Apps; NGINX Portfolio Overview; NGINX Plus Application Security; NGINX App Protect Demo; NGINX Controller Application Security; NGINX Offer Summary
  3. Challenges With Securing Modern Apps
  4. DevOps view of SecOps; SecOps view of DevOps
  5. Pain points: Application Development, The Market
     • Proliferation of architectures
     • The same vulnerabilities (e.g. injection, cross-site scripting) continue to exist after 20 years of application security best practices
     • Organizations lack consistent policy to manage the growing complexity and risk of managing/tuning application security
     • Cost of security breaches: downtime/lost revenue
     • Application development has transformed to agile while security largely remains a manual effort
     • Developers and DevOps outnumber security professionals by as much as 100:1
     • Time to market pressure, friction between AppDev/DevOps and SecOps, and perception of security as a bottleneck results in poor testing, process, oversight
  6. Pain points: DevOps, SecOps, AppDev
     • Understaffed and struggle to keep up with rapidly changing threats
     • Business leaders consider Compliance Vs Security the goal
     • Inconsistent security policies spanning multiple architectures, clouds and tool sprawl creates risk
     • Security slows down the application lifecycle and is perceived as a bottleneck
     • CI/CD pipelines that automate app development/deployment lack security
     • Business imperatives and incentives such as time to market compel DevOps to bypass SecOps. DevOps KPIs do not include security-related metrics
     • Developer training on security is lacking
     • Developers are focused on modern app development and are not able to stay abreast of the security landscape
     • Cloud and open-source software introduce unknown risks to the business
  7. Most applications require numerous application services between the code and the customer. Diagram labels: DEVOPS / APPLICATIONS; NETOPS / OPERATIONS; Application Business Logic; End User. APPLICATION DELIVERY examples: API gateway, Ingress controller, App / web server, Load balancer
  8. What challenges emerge when security enters the picture? Diagram labels: DEVOPS / APPLICATIONS; DEVSECOPS; NETOPS / OPERATIONS; Application business logic; End-user; APPLICATION SECURITY; APPLICATION DELIVERY
  9. The Modern Application Security Challenge: Operational silos, complexity, and ultimately friction
     • APPLICATION SECURITY examples: Web app firewall, Denial of service, Anti-fraud & anti-bot, Secure access
     • APPLICATION DELIVERY examples: API gateway, Ingress controller, App / web server, Load balancer
     • App architectures & infrastructure environments: Traditional 3-Tier, Microservices
     • Diagram labels: DEVOPS / APPLICATIONS; DEVSECOPS; NETOPS / OPERATIONS; Application business logic; End-user
  10. App services must include both app delivery and app security, which reinforce each other through visibility and controls
     • Visibility across app services
     • More easily embed security along the data path
     • Apply policies and controls consistently
     • Diagram labels: APPLICATION SECURITY; APPLICATION DELIVERY; Visibility; Controls; Application Business Logic; End User; DEVOPS / APPLICATIONS; NETOPS / OPERATIONS; DEVSECOPS
  11. Layered on top should include a mature control plane to orchestrate & automate app services
     • APPLICATION INSIGHTS, AUTOMATION & ORCHESTRATION: Simplify operational complexity; Provide business insights and value; Secure modern applications
     • Diagram labels: APPLICATION SECURITY; APPLICATION DELIVERY; Application Business Logic; End User
  12. NGINX Application Security
  13. Addressing application security challenges: Embed Security Policy Your Pipeline; Secure Modern Apps; Improve App Performance
     • “Docker instances that have an unprotected port are used to instantiate a container running Ubuntu Linux, install a download utility, and then execute a 600-line program written in the Go programming language. The script attempts to turn off security, stop any competing cryptominers, and download the malicious cryptominer known as "Kinsing."” – Dark Reading, April 2020
     • “many security and compliance monitoring tools have not kept up with this pace of change, as they simply weren’t built to test code at the speed DevOps requires. This has only solidified the view that security is the biggest block to rapid application development…” – What is DevSecOps? CSO Online, Jan 2018
     • “Tools that don’t integrate into the Software Development Lifecycle disrupt DevSecOps initiatives and development processes, rather than supporting them.” – The challenges of shifting to DevSecOps, ITProPortal, Sept 2018
  14. Addressing application security challenges
     • Embed Security Policy Your Pipeline: Integrate security controls directly into your pipeline with security as code.
     • Secure Modern Apps: Strong security controls for microservices, containers, APIs, and other modern topologies.
     • Improve App Performance: The high performance WAF drives down operational costs and improves the user experience without compromising security.
     • security policies and protection optimized for DevOps workflow; secure apps for any environment with consistency and centralized visibility; security services and tools adaptable per app & technology
     • NGINX Investments: “Focus on Guardrails vs Gates”; “Build Once, Run Anywhere”; “Adaptive & Scalable App Services”
  15. NGINX Portfolio
  16. NGINX Plus Application Security
  17. Platform control planes; Legacy; NGINX Controller ● F5 BIG-IQ ● Third-party ecosystems ● Build Your Own. Eliminate tool sprawl | Lightweight and highly portable | Abstract underlying infrastructure. NGINX Plus; NGINX App Protect
  18. NGINX App Protect: Strong App Security; Built for Modern App Architectures; CI/CD Friendly
  19. NGINX App Protect Deployment Options. Multiple locations to deploy Application Services:
     1. Edge: External load balancers and proxies
     2. Ingress Controller: Entry-point into Kubernetes
     3. Per-Service Proxy: Interior service proxy tier
     4. Per-Pod Proxy: Proxy embedded in pod
  20. NGINX App Protect Demo
  21. NGINX Controller Application Security
  22. NGINX Controller Innovations
     • Seamless NGINX Plus Management: Fastest, most lightweight and deployable across more platforms than anyone
     • App-Centric User Interface: Configuration and visibility aligned to how teams develop applications
     • Visibility & Reporting: Detailed visibility into NGINX Plus deployment, and app centric analytics
     • Modular, Cross-Team Workflows: Consolidates team workflows and use cases
     • Automation-Driven Configuration API: Automates services deployment across pipelines reducing overhead & complexity
  23. Respond with Intelligent Insights; Simplify Code to Customer Delivery; Empower with Self-Service; NGINX Controller; Future Add-On
  24. SUMMER BETA, FALL COMMERCIAL AVAILABILITY: NGINX Controller App Security
  25. AppSec Offer Summary
     • NGINX Controller App Sec Module (Summer/Fall 2020)
     • NGINX App Protect for NGINX Plus (available now)
     • ModSecurity for NGINX Plus (available now)
     • ModSecurity OSS (available now)
     • → Compliance Requirements – Higher Performance – Easier Tuning →
     • Individual App/Infrastructure Emphasis; Enterprise Emphasis w/ App Centric Controls and DevOps Ease of Use; Free
  26. Want to Learn More?
     • NGINX App Protect: 1. Request a free trial of NGINX App Protect: https://www.nginx.com/free-trial-request/ 2. Learn more: https://www.nginx.com/products/nginx-app-protect/
     • NGINX Controller: 1. Request a free trial of NGINX Controller: https://www.nginx.com/free-trial-request-nginx-controller/ 2. Learn more: https://www.nginx.com/products/nginx-