If you're an application developer or SRE, there are many tools you can use to automate app protection into your CI/CD pipelines. To protect against other vulnerabilities, cloud-native F5 Essential App Protect Service adds another layer of security to proactively shield your web-facing apps.
For years, pioneers in the field of AppSec have called for security controls within the software development lifecycle (SDLC) to be improved instead of relying solely on production-level assessments. Their point is tough to argue: production is too late in the process for this to be effective. Now it seems their dreams may be coming true. Gone are the days when it’s acceptable for the security person to slam a 40-page pen test report on your desk saying, “Aha! I got you now!”
The reality, for better or worse, is that today we’re faced with an explosion of new applications, a shortage of security talent, and a universal agreement that security must not hold up feature releases or time to market. As a result, security is increasingly the responsibility of those who develop, test, and deploy apps. So, how do you meet this challenge? Automate, of course!
Here are a few easy ways to automate app protection into your pipelines if you’re an app developer or SRE:
APP PROTECTION AUTOMATION MADE SIMPLE
Pre-commit security hook
• git-hound
• git-secrets
IDE security plugins
• DevSkim
• OWASP Find Security Bugs
Static code analysis
• Brakeman (Ruby)
• ESLint (JavaScript)
• cfn_nag (AWS CloudFormation templates)
• foodcritic (Chef)
• GitHub security alerts
• OWASP Dependency Check
Container security (build)
• Actuary
• CIS Benchmarks
Automated security acceptance
• Gauntlt
Production smoke testing
• ZAP Baseline
That’s far from an exhaustive list: there are many other free tools you can use within your CI/CD pipelines, but it’s a good start depending on the type of code you’re writing. This doesn’t mean you’re exempt from fixing the results of penetration testing. However, the automation tools you integrate can help cut down on the vulnerabilities discovered in those post-release assessments without hindering your deployments. Research consistently shows that vulnerabilities discovered late in the development process drive up cost and risk, so stay ahead of the curve.
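To make the first category in the list concrete, here is an added example of a pre-commit security hook in the spirit of git-secrets and git-hound. It is not code from this article or from either of those projects; it assumes POSIX sh, git and grep -E, uses constructed detection patterns, and treats an `allow-secret` marker as this example's own allowlist convention.

```shell
#!/bin/sh
# Added example (not from the article or any of the tools it lists): a minimal
# pre-commit hook that scans the staged diff for strings that look like
# credentials and refuses the commit, so the secret never enters repository
# history. Assumes POSIX sh, git and grep -E on PATH.
# Install by copying to .git/hooks/pre-commit and making it executable.

# Constructed patterns, not exhaustive: AWS access key IDs, PEM private key
# headers, and quoted values assigned to password/passwd/secret variables.
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|-----BEGIN ([A-Z]+ )?PRIVATE KEY-----|(password|passwd|secret)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}"

# Lines carrying this marker are deliberately allowed (test fixtures, docs).
# The marker name is this example's own convention.
ALLOW_MARKER="allow-secret"

# scan_for_secrets: read a unified diff on stdin. Only added lines count, so a
# commit that removes a leaked secret is never blocked. Prints offending lines
# to stderr and returns 1 when something matches, 0 when the diff is clean.
scan_for_secrets() {
    hits=$(grep -E '^\+' | grep -Ev '^\+\+\+ ' | grep -v "$ALLOW_MARKER" \
           | grep -Ei "$SECRET_PATTERNS" || true)
    if [ -n "$hits" ]; then
        printf 'pre-commit: possible secret(s) in staged changes:\n%s\n' "$hits" >&2
        printf 'Remove them, or mark intentional fixtures with "%s".\n' "$ALLOW_MARKER" >&2
        return 1
    fi
    return 0
}

# Hook entry point: scan exactly what is staged, with no context lines.
main() {
    git diff --cached --unified=0 --no-color | scan_for_secrets
}

# Run only when invoked as the git hook, so the functions can also be sourced
# (or exercised on a sample diff) without touching a repository.
case "$0" in
    *pre-commit) main ;;
esac
```

The hook is a safety net, not a substitute for keeping credentials out of source in the first place; pair it with one of the maintained tools above for broader pattern coverage.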
WHAT ABOUT ALL THOSE OTHER THREATS?
There are, of course, security threats that are beyond your control. There will be vulnerabilities that no tools within your automation chain are going to catch or fix. Continuously updating your paved road (gold image) to the latest secure version may be an admirable goal, but in reality, it requires time and effort to test each configuration—and that takes more resources than what we listed above.
Adding an extra level of protection to the mix is a no-brainer, and even more so if you don’t have the expertise to run the tools listed above. F5 Essential App Protect, a cloud-native SaaS offering, proactively shields your web-facing apps. It serves as a catchall for application attacks such as cross-site scripting (XSS) or injection that exploit production vulnerabilities. It also protects against known malicious IP addresses and active attack campaigns identified by the F5 Labs threat intelligence team.
Essential App Protect is architected for multi-cloud environments, with its global data plane enabling co-location of app protection services right next to your cloud-based apps. This means nearly no latency overhead for end-users. And, of course, all of this and more can be configured through APIs and quickly integrated into your toolchain.
If you’re running a web-facing app and don’t have the time or resources to keep it constantly updated to protect against known vulnerabilities and emerging threat campaigns, it’s a good idea to have extra protection in place for likely attacks. Try Essential App Protect for free! It only takes a few minutes to get up and running.
Today, there’s no reason to choose between security and time to market. Have your cake and eat it too!