Security in DevOps and Cloud

Transcript of an 18-slide deck.

Page 1

©2019 F5 NETWORKS

Security in a DevOps World (original Dutch title: "Security in een DevOps wereld")

Dennis de Leest

Sr. Solution Engineer

Page 2

ECOSYSTEM INTEGRATIONS (diagram, "Code to Customer")

Application delivery components shown: API gateway, CDN, Ingress controller, App/Web server, Load balancer, DNS, App security, DDoS.

Deployment form factors shown: Containers, Purpose-built hardware, Public cloud, Virtual machines, Software as a Service, Commodity hardware.

Platform control planes: NGINX Controller, BIG-IQ. Platforms: BIG-IP, NGINX. Ecosystems.

Page 3

DevOps Drivers: the main drivers that make DevOps a must-have

Agile Methodologies

Scrum in Dev

Kanban in Ops

Microservice Patterns

Smaller and more

frequent moving parts

Cloud Migrations

API automation a given

GUI is a no-go

Infrastructure changes were a bottleneck

Infrastructure automation through APIs !!!

Page 4

Tooling in the Automation Toolchain: DevOps tooling landscape, a nutshell overview

(Logo wall of tools, grouped as: CI/CD, Orchestrators, Deployment, Libs, Others)

Page 5

Automation Lifecycle – F5 Automation Toolchain (Bootstrap → Onboard → Deploy → Monitor; the diagram labels the bootstrap/onboarding stages L1-L3 and the application services stage L4-L7)

Bootstrap:
- Cloud Solution Templates: canonical examples using native templates for quickly deploying BIG-IP services on public cloud providers (AWS, Azure, Google).
- F5 BIG-IP Image Generator: enables creation, customization and deployment of a BIG-IP disk image for a given private/public cloud.
- Cloud-Init: handles early initialization of a cloud instance with user-data provided at instance launch time.

Onboard:
- Declarative Onboarding Extension: initial config of BIG-IP instances.

Deploy:
- Application Services 3 Extension: deploy classic and advanced application services on BIG-IP using declarative REST APIs.

Monitor:
- Telemetry Streaming Extension: stream telemetry, events & logs from BIG-IP to various analytics and logging solutions.

F5 Super-NetOps Training: free training for Network Operations professionals.

Page 6

DevOps => DevSecOps

Security configuration

➢ Complex and bespoke

➢ Tedious manual process done by experts

➢ Increased rate of application deliverables => bottleneck

➢ Risk of dropping decent security due to time pressure/constraints on the way to PROD!

NEXT STEP - EMBRACE SECURITY AUTOMATION CAPABILITIES

Page 7

DevOps is mainstream

Page 8

DevSecOps Principles

Open Security Information Sharing & Feedback Loops

Culture: security is everybody's responsibility

Continuous Automated Testing

Collaboration vs Blocking

Shift Left: build security into software, don't bolt it on.

Guard Rails: make the secure path the easy path

Page 9

DevSecOps Flow (diagram)

Pipeline stages: Pre-Commit → Commit → Acceptance → Production Deploy → Operations, mapped onto Plan → Code → Build → Test → Deploy → Run/Monitor. Continuous Integration spans the earlier stages, Continuous Deployment the later ones.

Security practices placed along the flow:

• Threat Modeling as code
• IDE-integrated SAST
• Software Composition/Dependency Analysis
• Static Code Analysis
• DAST/Security Scanning
• IaC for supporting infrastructure
• Security Smoke Test
• Secrets Management
• Runtime security
• IAM
• Monitoring/SIEM
• Continuous Scanning

Page 10

F5’s Strategy to address DevSecOps use cases

Page 11

F5 Automation Toolchain (Bootstrap → Device Onboard → Deploy App Services → Monitor → Change)

Cloud Templates: deploy F5-configured, operational F5 BIG-IP VEs into public and private clouds.

Declarative Onboarding: provision initial configuration of virtual BIG-IP devices through a declarative API.

Application Services 3 Extension: configure F5 modules using declarative APIs. Runs on TMOS, as a container, or in BIG-IQ 6.1+.

Telemetry Streaming: stream BIG-IP telemetry for analytics and automation. Telemetry Streaming is an iControl LX extension and sends client/server stats from the BIG-IP via HTTP(S), StatsD or Kafka formats.

Change: use telemetry data to track health, security and performance of applications; use thresholds and triggers to scale app services.

Page 12

Declarative WAF API Example

The policy file is built in three layers, annotated on the JSON below:

- Base template ("template"): supports predefined base templates or an external reference.
- Adaptation layer (base template adaptation): the option to customize the initial policy; here the enforcement mode, the server technologies and the signature settings.
- Modification layer ("modifications"): explicit entity changes applied on top of the adapted template. Policy builder suggestions are part of the modification layer and can be shared between policies.

The slide's JSON, reindented, with the outer closing brace that the slide cut off restored:

{
  "policy": {
    "name": "AppPolicy01",
    "description": "AppV1.1 - DEMO FOR DECLARATIVE AND WEBHOOKS CAPABILITIES",
    "template": { "name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT" },
    "enforcementMode": "blocking",
    "server-technologies": [
      { "serverTechnologyName": "MySQL" }
    ],
    "signature-settings": {
      "signatureStaging": false
    },
    "modifications": [
      {
        "entityChanges": { "type": "explicit" },
        "entity": { "name": "log" },
        "entityKind": "tm:asm:policies:filetypes:filetypestate",
        "action": "delete",
        "description": "Delete Disallowed File Type"
      }
    ]
  }
}
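As an added example (not code from the deck or from F5), the following Python composes a policy file of this shape from the three layers, folds exported policy builder suggestions into the modification layer without applying a suggestion twice, and runs guard-rail checks before the file is committed to source control. The key names follow the slide's JSON; the function names, the "bak" suggestion entry and the specific guard-rail rules are assumptions for illustration, and nothing here talks to a BIG-IP.

```python
"""Compose a declarative Advanced WAF policy from base template, adaptation
layer and modification layer, then apply guard rails before commit.

Added example, not the presentation's or F5's code. Key names follow the
slide's JSON; helper names, the suggestion list and the guard-rail rules
are this example's own assumptions.
"""
import json
from copy import deepcopy

# Base template layer: a predefined template name, as on the slide.
BASE_TEMPLATE = {"name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT"}

# Adaptation layer: settings that customize the initial policy.
ADAPTATION = {
    "enforcementMode": "blocking",
    "server-technologies": [{"serverTechnologyName": "MySQL"}],
    "signature-settings": {"signatureStaging": False},
}

# Modification layer: explicit entity changes, here the one from the slide.
MODIFICATIONS = [
    {
        "entityChanges": {"type": "explicit"},
        "entity": {"name": "log"},
        "entityKind": "tm:asm:policies:filetypes:filetypestate",
        "action": "delete",
        "description": "Delete Disallowed File Type",
    }
]

# Constructed "policy builder suggestions" as a CI server might export them
# (hypothetical content; same shape as modifications so the list can be shared
# between policies). The first duplicates an existing modification and must
# not be applied twice.
SUGGESTIONS = [
    {
        "entityChanges": {"type": "explicit"},
        "entity": {"name": "log"},
        "entityKind": "tm:asm:policies:filetypes:filetypestate",
        "action": "delete",
        "description": "Delete Disallowed File Type",
    },
    {
        "entityChanges": {"type": "explicit"},
        "entity": {"name": "bak"},
        "entityKind": "tm:asm:policies:filetypes:filetypestate",
        "action": "delete",
        "description": "Suggestion: remove .bak from allowed file types",
    },
]

REQUIRED_MOD_KEYS = {"entityChanges", "entity", "entityKind", "action"}


def _mod_key(mod):
    """Identity of a modification: entity kind, entity name and action."""
    return (mod["entityKind"], mod["entity"]["name"], mod["action"])


def compose_policy(name, description, base, adaptation, modifications, suggestions=()):
    """Build the policy document; suggestions are folded into the modification
    layer, skipping any that are already present."""
    seen, merged = set(), []
    for mod in list(modifications) + list(suggestions):
        key = _mod_key(mod)
        if key in seen:
            continue
        seen.add(key)
        merged.append(deepcopy(mod))
    policy = {"name": name, "description": description, "template": deepcopy(base)}
    policy.update(deepcopy(adaptation))
    policy["modifications"] = merged
    return {"policy": policy}


def guard_rail_violations(doc, target="prod"):
    """Reasons the policy file must not be promoted (example's own rules):
    a named base template, blocking mode and no signature staging on prod,
    and every modification carrying the keys the slide's entry has."""
    p = doc.get("policy", {})
    problems = []
    if not p.get("template", {}).get("name"):
        problems.append("no base template referenced")
    if target == "prod":
        if p.get("enforcementMode") != "blocking":
            problems.append("enforcementMode must be 'blocking' for prod")
        if p.get("signature-settings", {}).get("signatureStaging", True):
            problems.append("signatureStaging must be false for prod")
    for i, mod in enumerate(p.get("modifications", [])):
        missing = REQUIRED_MOD_KEYS - set(mod)
        if missing:
            problems.append(f"modification {i} lacks {sorted(missing)}")
    return problems


def render_policy_file(doc):
    """Serialize deterministically so diffs in source control stay readable."""
    return json.dumps(doc, indent=2, sort_keys=True)


if __name__ == "__main__":
    doc = compose_policy("AppPolicy01", "AppV1.1", BASE_TEMPLATE, ADAPTATION,
                         MODIFICATIONS, SUGGESTIONS)
    print(render_policy_file(doc))
    print("violations:", guard_rail_violations(doc))
```

The guard rails are the "make the secure path the easy path" principle from slide 8 in code: a policy that is still in transparent mode or has signature staging enabled can pass functional tests and still reach production with no enforcement, so the pipeline refuses it before that happens.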

Page 13

Visibility and DevOps Notification

Challenge - No feedback loop: no notification of configuration changes, security events and resource health to modern DevOps tools.

Solution - Update different DevOps tools: tools such as ChatOps, the CI server and ticketing management are notified by Advanced WAF via webhooks, delivering notification and collaboration between teams.

Page 14

Slack/Teams ChatOps Example

Page 15

Policy Testing

Challenge - No automated sanity tests: no option to generate a quick sanity test that reports on the Adv. WAF deployment state as part of the pipeline.

Solution - F5 testing tool for policy validation: a lightweight testing tool that provides an immediate test result on the basic protection level and fits an automated testing pipeline.

Test Summary Report Example (the slide's excerpt ran the two test cases together and dropped closing braces; the structure is restored here):

{
  "summary": {"fail": 1, "success": 127},
  "details": {
    "100000012": {
      "attack_type": "Path Traversal",
      "CVE": "",
      "results": {
        "url": {
          "reason": "There are disabled evasions",
          "expected_result": {"type": "evasion", "value": "Directory traversals"},
          "success": false
        }
      }
    },
    "100000036": {
      "attack_type": "Server Side Code Injection",
      "CVE": "",
      "results": {
        "url": {
          "reason": "",
          "expected_result": {"type": "signature", "value": "200001404"},
          "success": true
        }
      }
    }
  }
}

Attack test types: Signature, Evasion, HTTP RFC.

Test success state: true = test passed, false = test failed.

Page 16

Policy Workflow (cycle)

1. Define security requirements during app onboarding.
2. Create the declarative policy file with the desired security (base template + modification) and upload the policy file into source control.
3. Notify DevOps that the new policy is ready for automation testing.
4. The automation security pipeline runs functional and vulnerability testing.
5. The automation security pipeline runs again until all tests pass.
6. Security events are sent to the DevSecOps ChatOps channel.
7. DevSecOps or the CI server exports policy builder suggestions to source control.
8. DevSecOps reflects the new suggestions in the policy file, and the cycle repeats.
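Step 5 above needs something that turns the testing tool's report into a pass/fail decision for the pipeline. As an added example (not the deck's or F5's tooling), the following Python parses a test summary report in the shape shown on the Policy Testing slide, lists the failed cases with their test type and expected result, checks that the summary block agrees with the per-test details, and returns whether the policy may be promoted. The sample report is constructed from the slide's two cases plus one invented HTTP RFC case (id 100000050); the function names are the example's own.

```python
"""Gate a CI stage on the policy-validation test summary report.

Added example, not the presentation's or F5's tooling. The report shape
(summary.fail/success, details.<id>.attack_type/CVE/results.url.reason/
expected_result/success) follows the slide; the sample below is constructed
and its third case is invented.
"""
import json
from collections import Counter

# Constructed sample report: the slide's two cases plus an invented HTTP RFC
# case so every test type on the slide appears once.
SAMPLE_REPORT = r'''
{
  "summary": {"fail": 1, "success": 2},
  "details": {
    "100000012": {
      "attack_type": "Path Traversal", "CVE": "",
      "results": {"url": {
        "reason": "There are disabled evasions",
        "expected_result": {"type": "evasion", "value": "Directory traversals"},
        "success": false}}},
    "100000036": {
      "attack_type": "Server Side Code Injection", "CVE": "",
      "results": {"url": {
        "reason": "",
        "expected_result": {"type": "signature", "value": "200001404"},
        "success": true}}},
    "100000050": {
      "attack_type": "HTTP Parser Attack", "CVE": "",
      "results": {"url": {
        "reason": "",
        "expected_result": {"type": "http_rfc", "value": "Bad HTTP version"},
        "success": true}}}
  }
}
'''


def parse_report(text):
    """Load the report and insist on the two top-level sections."""
    report = json.loads(text)
    for key in ("summary", "details"):
        if key not in report:
            raise ValueError(f"report missing '{key}'")
    return report


def failed_tests(report):
    """Failed cases flattened to what a pipeline log or ChatOps message needs."""
    failures = []
    for test_id, case in report["details"].items():
        for target, result in case.get("results", {}).items():
            if not result.get("success", False):
                expected = result.get("expected_result", {})
                failures.append({
                    "id": test_id,
                    "attack_type": case.get("attack_type", ""),
                    "cve": case.get("CVE", ""),
                    "target": target,
                    "test_type": expected.get("type", ""),
                    "expected": expected.get("value", ""),
                    "reason": result.get("reason", ""),
                })
    return failures


def counts_by_test_type(report):
    """Pass/fail totals per test type (signature, evasion, HTTP RFC)."""
    totals = {}
    for case in report["details"].values():
        for result in case.get("results", {}).values():
            ttype = result.get("expected_result", {}).get("type", "unknown")
            bucket = totals.setdefault(ttype, Counter())
            bucket["pass" if result.get("success") else "fail"] += 1
    return {k: dict(v) for k, v in totals.items()}


def summary_is_consistent(report):
    """The summary must agree with the details; a mismatch means a truncated
    or edited report and must fail the gate rather than pass silently."""
    results = [r for c in report["details"].values() for r in c.get("results", {}).values()]
    fails = sum(1 for r in results if not r.get("success"))
    summary = report["summary"]
    return summary.get("fail") == fails and summary.get("success") == len(results) - fails


def gate(report):
    """True only when every case passed and the summary is trustworthy."""
    return summary_is_consistent(report) and not failed_tests(report)


def format_failures(failures):
    """One line per failure, in the order the report lists them."""
    return "\n".join(
        f"FAIL {f['id']} [{f['test_type']}] {f['attack_type']} on {f['target']}: "
        f"expected {f['expected']!r}; {f['reason'] or 'no reason given'}"
        for f in failures
    )


if __name__ == "__main__":
    import sys
    report = parse_report(SAMPLE_REPORT)
    print(counts_by_test_type(report))
    print(format_failures(failed_tests(report)))
    sys.exit(0 if gate(report) else 1)
```

The consistency check matters in a pipeline: a job that only reads `summary.fail` would happily promote a policy from a report whose details were cut off, and the slide's own excerpt shows how easily that happens.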

Page 17

Free up your time! Start now. Let's do a demo!
