NGINX App Protect Brings Security to the API Ecosystem

Scott Laster Thumbnail
Scott Laster
Published March 17, 2021

In recent years, APIs have become the de facto approach to building the modern app economy. These software interfaces have become the predominant way to enable systems, applications, and devices to communicate and share a huge range of data and functionality. In essence, APIs have become the modern Silk Road for information and truly give the customer the power to unlock solutions that combine best-of-breed tools from various vendors.

Of the organizations polled in MuleSoft’s annual Connectivity Benchmark Report, 80% use public and/or private APIs. Reported benefits include increased productivity (54%), increased innovation (47%), and cost savings (34%), among others. According to the survey, APIs also generate significant revenue for companies that publish them – on average 31% of total revenue.

All is not rosy, however. Research from F5 Labs found that API security incidents in the first half of 2020 were on track to exceed the number of incidents from the previous two years combined. A significant challenge facing DevOps teams is that there are many areas of weakness regarding API security, from a complete lack of authentication in front of API endpoints, to broken authentication and broken authorization, to basic misconfiguration.

The question now is: how do you secure all of your API activity? In this blog we explain how a “security as code” approach centered around NGINX App Protect is key to protecting your APIs and fits seamlessly into your CI/CD pipeline alongside solutions from other security vendors you’ve come to rely upon.

APIs Serve Both Employees and Partners

As tracked by ProgrammableWeb, there are upwards of 20,000 private, partner, and public APIs in use, enabling the apps we rely on every day. The attraction of APIs – and by extension, of the container‑based microservices that APIs run in or connect with – is that they can open up your software capabilities and data to a wide range of users, including your employees and all your strategic and commercial partners. (Naturally, this approach is also attractive to DevOps teams, as they’re able to pick and choose the best vendors for their specific needs.)

For example, many enterprises leverage private and partner APIs to enable self‑service IT; making IT assets discoverable and reusable enables more members of the organization to do more without relying on DevOps at every turn. When done right, self‑service IT results in greater agility, faster speed to market, customer‑focused solutions involving a variety of vendors, efficiency, innovation, and higher margin revenue.

This dynamic also exists on the development and production side of the equation: containerized software and APIs enable the DevOps team to interact with a wide range of partners. These include identity and access management (IAM) partners like Okta, AuthO, and Microsoft, as well as lifecycle management partners like MuleSoft, Akana, and Kong.

Security as Code, Policy as Protection

In today’s fast‑paced, dynamic CI/CD environments, developers and DevOps teams need a holistic approach to protecting web apps and APIs, with application security tools that help them implement solutions and launch software quickly and securely. Teams need to secure their code while remaining tightly integrated with the access management and lifecycle management partners of their choosing.

As DevOps has transformed into DevSecOps over the past few years, there’s been a push towards implementing security itself as code. This is simply another way of saying enterprises are starting to recognize the need to build security into every aspect of new software, rather than viewing security as something that is bolted on after all the coding is done. This includes practices such as:

  • Automating security whenever possible, by embedding it directly into the CI/CD pipeline
  • Building security as a guardrail, not a gate (that is, providing guidance and tools instead of just granting or denying access)
  • Working with a range of partners to ensure security solutions are consistent, centralized, and available via self‑service – for any environment, including distributed, containerized environments

“Security as code” means you build security into every aspect of new software instead of just bolting it on at the end.

Advanced API Security for Modern Application Infrastructures

F5 is a major proponent of the security-as-code approach to making app security adaptable, scalable, and reliable, and NGINX App Protect plays an important role in making it possible. NGINX App Protect combines API security with foundational features from our market‑leading Advanced Web Application Firewall (Advanced WAF) and bot protection to help DevOps:

  • Integrate non‑disruptive security controls (as authorized by the security team) into the automation and CI/CD processes
  • Deploy and manage app security controls across distributed environments such as containers and microservices
  • Implement cost‑effective security controls without negatively impacting release velocity or application performance

With NGINX App Protect you deploy application security as a lightweight software package that is also agnostic of the underlying infrastructure. Accordingly, the software developer can utilize declarative policies (“security as code”) to secure everything coming into and out of an API gateway or other Ingress controller. Under this model, even if an API is not itself secure by default, security with NGINX App Protect can be applied at multiple points, whether at ingress, within a Kubernetes pod, or across services.

Working with the other industry leaders that are prioritized by our customers and embracing the vendors and products already in use by DevOps teams around the world, F5 and NGINX are committed to delivering cutting‑edge solutions for the entire application ecosystem.


As APIs become the new Silk Road for information sharing and make it possible to connect with your users like never before, NGINX App Protect is here to defend your apps and data from the full range of potential threats. NGINX App Protect is designed for the way in which you deliver apps, including the ability to closely integrate with your partner ecosystem. Working seamlessly across DevOps environments, this industry‑leading solution integrates non‑disruptive security controls throughout the DevOps automation and CI/CD processes to ensure that app security is not added on as an afterthought or wrapped around as a stopgap, but is baked in from the outset.

Ready to try NGINX App Protect for yourself? Start a free 30-day trial today, or contact us to discuss your use cases.

"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous links will redirect to similar NGINX content on"