NGINX App Protect: Advanced F5 Application Security for NGINX Plus
Companies going through digital transformation have clear business imperatives. They include improving the customer experience with modern business applications, adopting agile practices to outpace competitors in the market, and leveraging market advantages to drive new revenue streams. Supporting these efforts are new application architectures that increase development efficiency and incorporate containers, microservices, and APIs.
For modern applications, agility and time to market are key. Security is often a secondary consideration, or is neglected entirely. Why? Security controls for traditional applications don’t always map well to business requirements. For example, the kind of sophisticated web application firewalls (WAFs) that are traditionally configured and operated by SecOps teams are not generally well suited for agile applications deployed by the DevOps teams supporting specific lines of business. The result can be inadequate or misconfigured security, delays in go-to-market timing, and a poor user experience.
Introducing NGINX App Protect
NGINX App Protect is a new application security solution that combines the efficacy of advanced F5 WAF technology with the agility and performance of NGINX Plus. The solution runs natively on NGINX Plus and addresses some of the most difficult challenges facing modern DevOps environments:
- Integrating security controls directly into the development automation pipeline
- Applying and managing security for modern and distributed application environments such as containers and microservices
- Providing the right level of security controls without impacting release and go-to-market velocity
- Complying with security and regulatory requirements
“We’re very excited to make available yet another product offering that demonstrates why NGINX and F5 are better together, only nine months after our vanguard milestone release of NGINX Controller 3.0 in January,” says Gus Robertson, Senior Vice President and General Manager of NGINX. “We intend to continue our accelerated pace of innovation, delivering more and more value to our customers as they continue their digital transformation journeys.”
Strong F5 Application Security
NGINX App Protect’s security controls are ported directly from F5’s advanced WAF technology, providing a significant upgrade from community‑supported solutions like ModSecurity. Its comprehensive set of WAF attack signatures has been extensively field‑tested and proven to generate virtually no false positives, so you can confidently deploy them in “blocking mode” even in production environments. NGINX App Protect protects against the OWASP web application security risks, enforces protocol compliance, defends against common evasion techniques, provides denylisting, checks cookies, protects APIs, and prevents sensitive data leakage with F5’s DataGuard.
Built for Modern Applications
Strong security controls don’t help if they can’t be implemented in the application’s operating environment. NGINX App Protect is built to support modern application deployment topologies. Common deployment modes for NGINX Plus include:
- Load balancer
- API gateway
- Ingress controller for Kubernetes pods
- Per‑pod proxy for microservices
Unfortunately, you often have to sacrifice performance for security, and vice versa. ModSecurity controls, for example, involve evaluation of regular expressions, so each additional control you enable directly degrades performance – leading many administrators to implement a very small number of controls. In contrast, NGINX App Protect controls are compiled into bytecode, so traffic is processed lightning fast regardless of how many attack signatures you enforce. The net result is up to 20x the throughput and requests per second compared to a ModSecurity implementation with the Core Rules Set v3 enabled.
Keep DevOps Focused on Innovation
The relationship between SecOps and DevOps can often get uncongenial, especially if security requirements get in the way of release velocity. Static application security testing (SAST) and software composition analysis (SCA) are great tools for catching security defects early in development, but many vulnerabilities are not discovered until after applications are pushed through the release gates. Sending apps back to development increases costs and hurts productivity – catching defects while the app is still in the development pipeline is substantially more efficient, whether that involves adjusting the security policy or fixing the code.
NGINX App Protect is DevOps‑friendly and integrates into common development pipelines. Using NGINX App Protect’s declarative configuration capabilities, security can become part of DevOps CI/CD automation, getting tested just like any other part of an application’s functional specification. In essence, the security policy and configuration are consumed as “code” pulled from a source code repository. The SecOps team creates and maintains security policy to ensure the controls required to protect the business are in place. Not only does this help to maintain release velocity, it also helps to bridge gaps between DevOps and SecOps teams.
Learn more about NGINX
The NGINX Application Platform is a suite of products that together form the core of what organizations need to create applications with performance, reliability, security, and scale.