API Security With NGINX Plus Using GitOps Workflow

Solution Overview

APIs are at the heart of today's digital platforms and experiences. APIs help your customers enable new business models and generate revenue streams. However, delivering APIs without adequate guardrails, management and performance has the potential to put businesses at risk. In this lab we will deploy, manage and secure the Arcadia WebApp APIs with F5 solutions, using modern development and DevOps tools.

The lab focuses on three main areas of API solutions: API Management, API Gateway and API Security.

During this lab you will work with GitLab CE and use its SCM and CI/CD pipelines to build, test and deploy the Arcadia App into a Kubernetes cluster fronted by the NGINX Plus Ingress Controller. OWASP ZAP for APIs is used to test the Arcadia API. Other tools used in this lab include:

Goals & Objectives

The intended goal of this lab is to enable organizations to incorporate security best practices using a declarative CI/CD approach during the early stages of application development, and to secure API workloads by using NGINX Plus Controller to manage the API lifecycle.

The lab consists of the following modules:

  • Introduction: The goal of this module is to introduce lab users to the basics of API management, describe the structure of the NAP declarative policy and highlight the various tools that will be used throughout the lab.
  • Lab setup: The goal of this module is to familiarize lab users with the logical and physical topology of the lab. Lab users will also be able to refer to the login credentials for the various components of the lab.
  • CI/CD pipeline and DevOps tools: The goal of this module is to review the architecture of the Arcadia application and understand the various APIs that it offers. Lab users will also understand the CI/CD flow for deploying the various lab components.
  • Build, test and deploy Arcadia Finance Web App via GitLab CI/CD: Lab users will log in to GitLab and initiate an automated CI/CD pipeline, use the web UI of NGINX Plus Controller to observe the API Management components that are created, and optionally access the Arcadia application.
  • Simulate API attacks using JMeter and test positive API security: Lab users will use JMeter to test the rate limiting feature of the API Management module, test the positive security module by sending preconfigured API calls via the Postman client, and review the logs via Kibana (ELK stack).
  • Update OpenAPI spec file on NGINX Ingress Controller/App Protect: Lab users will update the OpenAPI spec file used by the ingress controller to allow the "money transfer" API endpoint, and verify the efficacy of App Protect by simulating application layer attacks.
  • Enable API Authentication for Transfer Money API: Lab users will use Postman collections to enable API Authentication on the API Gateway via the NGINX Controller API, and verify that the functionality is working as expected.
  • (Optional) Review DAST report: Lab users can analyze the DAST tool used in the pipeline and review the output of the DAST job.

Hardware & Software

  • 1 x Windows Jump host (Win10)
  • 1 x CI/CD and Docker (NGINX API gateway, Dev Portal) (Ubuntu 18.04)
  • 3 x Kubernetes cluster node VMs (Ubuntu 18.04)
  • 1 x Active Directory Server (Win Server 2012 R2)
  • 1 x NGINX Controller 3.12.1 (Ubuntu 18.04)
  • 1 x GitLab CE server (Ubuntu 18.04)
  • 1 x VyOS router (Ubuntu 18.04)