Digital Differentiation With Secure Apps

Hanna Mathai

By Mark Weiner, VP of Product Marketing, F5

Applications are the lifeblood of businesses today, fueling a surge in global enterprise software spending estimated to top US $600 billion in 2021, according to Statista.com.1 But with the ever-increasing deployment and usage of apps worldwide come requirements for powerful app security.

The need for more protection is heightened because organizations are increasingly deploying apps in a distributed model across cloud providers, edge locations, and public and private environments. This is particularly true for those using modern apps built with microservices and multiple distributed clusters.

At the same time, cybercriminals have found more ways than ever to expose, alter, disable, steal, or gain unauthorized access to apps and IT infrastructure, in part due to the overall growing complexity of app environments. Attacks are coming from vectors across all interaction points of the application surface, requiring a sophisticated and broad-based defense. Bad actors continue to be opportunistic in finding ways to exploit vulnerabilities (Log4j2 being a recent example).

In today’s security landscape, “every organization should expect frequent attacks of some sort, but neither organizations nor attackers are uniform groups,” states F5 Labs’ Application Protection Report3 for 2022. “Organizations run different applications on different networks, store different types of data, have different customers, different controls, different regulatory regimes, and different risk appetites. Application architectures are increasingly distributed and decentralized for performance and resilience, which in turn introduces multiple intersecting responsibilities with respect to protecting data.”

As app environments evolve and expand, it further illustrates the importance of an overarching app security strategy—one that implements a multi-layered approach and a more coordinated security effort across all teams that play a part in the app lifecycle.

To help provide in-depth defense and a coordinated security architecture for an organization’s web apps and APIs, we’re introducing F5 Distributed Cloud Web Application and API Protection (WAAP).

SaaS-based F5 Distributed Cloud WAAP secures web apps and APIs deployed in multi-cloud and distributed environments, simplifying app security while increasing overall efficacy. It brings together four key components critical to securing the digital experience for today’s modern enterprises:

  • Web Application Firewall (WAF): F5 Distributed Cloud WAF leverages powerful Advanced WAF technology, combining signature- and behavior-based protection for web applications. It acts as an intermediate proxy to inspect application requests and responses to block and mitigate a broad spectrum of risks stemming from the OWASP Top 10, threat campaigns, malicious users, and more.
  • API Security: F5 Distributed Cloud API Security safeguards application programming interfaces (APIs) from threat actors attempting to exploit them to facilitate a breach or services outage. With automatic API discovery that can identify and map API endpoints to any app—as well as provide support for a positive security model through API swagger import—organizations can easily observe, refine, and enforce proper API behavior.
  • Bot Defense: F5 Distributed Cloud Bot Defense manages and deflects malicious automation to prevent sophisticated, human-emulating attacks. It brings together unified telemetry, network intelligence, and AI/ML with human analysis to identify and defend against automated threats such as credential stuffing and account takeover, scraping, card cracking, and more.
  • DDoS Mitigation: With F5 Distributed Cloud DDoS Mitigation, organizations get multi-layered protection against attacks across layers 3–7, including network-level shielding from volumetric distributed denial-of-service (DDoS), DoS signatures, service policies including rate limiting, IP reputation, and advanced scrubbing with deep packet inspection. This offers protection from spoofed and malformed traffic, request floods, and other forms of abuse that attempt to overload web properties and apps.

 

Business Outcomes Your Organization Can Expect

F5 Distributed Cloud WAAP helps organizations break down silos to bridge old and new operating models, and legacy and modern apps, on a business and technical level. It simplifies security policy and enforcement across clouds, data centers, and edge locations to reduce complexity and ensure more consistent policy.

These critical business outcomes are enabled by:

  • Security efficacy + agility: Bringing together F5’s top-tier security controls providing comprehensive, highly effective app security delivered as SaaS with unified management.
  • Flexible, deploy-anywhere options: Securing apps on the F5 Global Network or deployed natively across multiple clouds (public/private), data centers, and edge environments—wherever customer apps are located.
  • A common platform for app security, app networking, and edge computing: Unifying app security and delivery with WAAP, multi-cloud networking, and app platform services all via a single SaaS platform with a global network.
Overview

For more than 100 years, Audi has enthusiastically embraced the cutting edge. The German automotive giant’s long-standing slogan “Vorsprung durch Technik” (roughly, Leading through Technology) is more than just a phrase: it has been the guiding light for a company that has always put innovation at the heart of its business.

“If we want to stay successful, we need a constant focus on how technology can enable an exceptional customer experience,” explains Sebastian Kister, Team Lead for the Kubernetes Competence Centre at Audi. “That is exactly why, in recent years, we’ve set out to reinvent the way we create, deploy, run, and optimize our applications.”

Challenge

Audi’s Kubernetes Competence Centre conceived Kubika O as a cloud-independent Kubernetes platform operating as a seamless application environment. The big challenge ahead of launch was deciding how to secure everything. Audi needed a proven WAF solution with certified Red Hat OpenShift interoperability, plus robust, 24/7 technical support.

Solution

After an initial vendor investigation process, there was only one security solution that ticked all the boxes.

NGINX App Protect is an application security solution that combines the efficiency of F5 Advanced Web Application Firewall (Advanced WAF) technology with the agility and performance of NGINX. Delivering a ‘build once, adhere everywhere’ functionality for security policies, NGINX App Protect ensures that DevOps and SecOps can operate effectively and in harmony. When paired with NGINX Ingress Controller, the solution seamlessly secures Kubernetes apps without compromising speed or agility.

Once the solution was agreed on, the NGINX account team worked closely and intensively with all relevant stakeholders to determine the project’s exact specifications, including the delivery of a successful proof of concept. Trusted NGINX partner ConSol was then enlisted to support the implementation process, and the deal was closed in less than two months.

“I don’t buy anything based on PowerPoint presentations,” says Kister. “I wanted to see a working solution aligned with our use cases that could be quickly implemented and maintained by the vendor and its partners.”

With NGINX App Protect in place, Audi was finally able to start harnessing Kubika O’s full potential.

Results
  • Agile and Robust Security
  • Cloud Agnosticism
  • Cultural Change

“Today, application owners don’t have to worry about the infrastructure at all,” Kister enthuses. “They still need to do their app operation security assessments, but when it comes to infrastructure issues like real time scanning and vulnerability scanning, that is all baked into the platform. This means that 80% of the security assessment is already done. Without NGINX, we wouldn’t be able to provide this assurance without relying on the functionality of the cloud providers, which would negate our cloud agnostic stance.”

Kubika O currently facilitates several key apps central to VW Group’s operations, with use cases including data collection, analytics, and automation. The platform’s built-in flexibility also means it is ready to quickly adapt to emerging business needs and challenges.

For Kister, however, one of the most rewarding outcomes of Kubika O’s impact to date is the way it has driven genuine transformation and behavioral change across the VW Group.

“We are a small team, but we are making a huge impact,” he says. “Every customer we work with doesn’t just get a service – they learn from us. They see how we operate, and we contribute to cultural change across the company, project by project. Ultimately, every enhancement to our driving experience is software and data driven. That is why Kubika O is, and will remain, an essential part of our future.”
