Systems are at higher risk without a concerted, repeatable application security configuration process. In this lab, you will learn how to build a declarative AWAF policy and achieve OWASP Top Ten (2021) compliance with the BIG-IP OWASP Compliance Dashboard. A complete CI/CD pipeline is used to deploy our AWAF policy to the BIG-IP system using Application Services 3 Extension (AS3) and Ansible.

The purpose of this lab is to demo how NGINX Controller API Management Module and NGINX App Protect can secure the OAuth Authorization Code flow, which is core to Open Banking specifications. The NGINX App Protect will be deployed as an Ingress Controller for Kubernetes and will provide both negative and positive security by ingesting the OpenAPI declaration file. The NGINX API Gateway will be controlled by NGINX Controller, will publish the application API based on the same OpenAPI declaration file, will provide JWT authentication and authorization and enforce rate limiting. The deployment and configuration of these elements will be performed automatically through a CI/CD pipeline. ELK dashboards will be used for visualization purposes and, lastly, a DAST tool will also be run as part of the CI/CD pipeline. BIG-IP APM is deployed as both Authorization Server with OpenID Connect support and as OAuth Client, in separate instances.

Introducing security best practices during the early stages of software development and deployment can bring great benefits and helps improve the overall security posture of the application. Adopting agile methodologies can also improve the collaboration between teams and incorporate the DevSecOps practices within an organization, this can help an organization to achieve the GitOps principle and make their transition towards IaC. This lab focuses on the using NGINX Plus controllers and NAP policy lifecycle in an automated CI/CD pipeline. This pipeline uses automation tools such as Terraform and Ansible to manage the state of the devices.