Executive Summary

If you're an application developer or SRE, there are many tools you can use to automate app protection into your CI/CD pipelines. To protect against other vulnerabilities, cloud-native F5 Essential App Protect Service adds another layer of security to proactively shield your web-facing apps.

Essential App Protect Service

Take the complexity out of safeguarding your applications with a cloud-native SaaS security service for web apps deployed in any cloud.


Essential App Protect

Try it free.

For years, pioneers in the field of AppSec have called for security controls within the software development lifecycle (SDLC) to be improved instead of solely relying on production-level assessments. Their point is tough to argue: production is too late in the process for this to be effective. Now it seems their dreams may be coming true. Gone are the days where it’s acceptable for the security person to slam a 40-page pen test report on your desk saying, “Aha! I got you now!”

The reality is that we’re faced with an explosion of new applications, a shortage of security talent, and a universal agreement that security must not hold up feature releases or time to market.

The reality, for better or worse, is that today we’re faced with an explosion of new applications, a shortage of security talent, and a universal agreement that security must not hold up feature releases or time to market. As a result, security is increasingly the responsibility of those who develop, test, and deploy apps. So, how do you meet this challenge? Automate, of course!

Here are a few easy ways to automate app protection into your pipelines if you’re an app developer or SRE:


  Pre-commit security hook   • git-hound
  • git secrets
  IDE security plugins   • DevSkim
  • OWASP Find Security Bugs
    (Java apps)
  Static code analysis   • Brakeman (Ruby)
  • ESLint (js)
  • NodeJsScan
  Infrastructure-as-code analysis         • cfn_nag (AWS CFTs)
  • ansible-lint
  • foodcritic (chef)
  Dependency management   • Github security alerts,
  • OWASP Dependency Check   
  Container security (build)   • Actuary
  • Anchore
  • Dagda
  • OpenSCAP
  • CIS Benchmarks
  Automated security acceptance   • Gauntlt
  • InSpec
  • CIS
  Production smoke testing   • ZAP Baseline
  • nmap
  • ssllabs-scan


That’s far from being an exhaustive list—there are many other free tools you can use within your CI/CD pipelines, but it’s a good start depending on the type of code you’re writing. This doesn’t mean you’re exempt from fixing the results from penetration testing. However, the automation tools you integrate can help cut down on the vulnerabilities discovered in those post-release assessments and not hinder your deployments. Research consistently shows that vulnerabilities discovered late in the development process drive up cost and risk, so stay ahead of the curve. 


There are, of course, security threats that are beyond your control. There will be vulnerabilities that no tools within your automation chain are going to catch or fix. Continuously updating your paved road (gold image) to the latest secure version may be an admirable goal, but in reality, it requires time and effort to test each configuration—and that takes more resources than what we listed above.

Adding an extra level of protection in the mix is a no-brainer, and even more so if you don’t have expertise to run the tools listed above. F5 Essential App Protect cloud-native SaaS proactively shields your web-facing apps. It serves as a catchall for application attacks such as Cross-Site Scripting (XSS) or injection that exploit production vulnerabilities. It also protects against known malicious IP addresses and active attack campaigns identified by the F5 Labs threat intelligence team.

Essential App Protect is architected for multi-cloud environments, with its global data plane enabling co-location of app protection services right next to your cloud-based apps. This means nearly no latency overhead for end-users. And, of course, all of this and more can be configured through APIs and quickly integrated into your toolchain.


If you’re running a web-facing app and don’t have the time or resources to keep it constantly updated to protect against known vulnerabilities and emerging threat campaigns, it’s a good idea to have extra protection in place for likely attacks. Try Essential App Protect for free! It only takes a few minutes to get up and running.

Today, there’s no reason to choose between security and time to market. Have your cake and eat it too!


Dev Central Article

Protect your Web Apps in Under 5 minutes

See the step-by-step instructions to set up F5 Essential App Protect Service through the API in under 5 minutes


Essential App Protect Overview

F5 Essential App Protect Service offers an intuitive web application security solution that easily bolts on to web apps via UI or API.



Take the complexity out of safeguarding your applications

F5 Essential App Protect Service—feature-rich, checkbox-simple SaaS security for web apps deployed in any cloud.


Essential App Protect How To

Sign-up for a 5-minute webinar to learn how to take the complexity out of safeguarding your apps with F5 Essential App Protect Service.