API Security: Declarative AWAF Policy Lifecycle in a CI/CD Pipeline Lab

Solution Overview

As the industry shifts towards agile methodologies to develop applications at speed, security often gets overlooked. Fixing security vulnerabilities at later stages of the application lifecycle is costly and time consuming. Introducing security best practices earlier in the development lifecycle has a dramatic positive effect; to achieve this, organizations must not only select the right tools but also make the cultural shift to bake security into the rapid-release cycles that are typical of modern application development and deployment.

In this lab, we demonstrate the integration of a declarative AWAF policy into a CI/CD pipeline. The AWAF policy is deployed via AS3 and protects an API workload running in Kubernetes; it ingests the OpenAPI 3.0 (Swagger) file that describes the API. The GitLab CI/CD pipeline uses automation tools such as Terraform, Ansible and F5 AS3 to deploy and configure the application workloads.

The pipeline also exercises the application API with valid calls and then collects the learning suggestions generated by the AWAF policy. Security admins can review those suggestions, select the ones to integrate into the declarative AWAF policy, and redeploy the AWAF components.

The F5 WAF tester tool is used as a pipeline job to test the security posture of the application. Security professionals can take corrective action based on the output of the F5 WAF tester job and redeploy the AWAF components.

Goals & Objectives

The lab consists of the two modules described below.

Module 1

In this module, lab users use Visual Studio Code to modify the OpenAPI spec and push the code to the GitLab CE server. This push triggers an automated pipeline that deploys and configures the Kubernetes workload via Terraform and provisions the virtual servers and AWAF policies on the F5 BIG-IP. Once the pipeline has run, users can access the application and review the learning suggestions generated by the policy.

Module 2

In this module, lab users modify the AWAF policy by incorporating the learning suggestions generated by the pipeline and commit the code to GitLab. This commit triggers an automated pipeline that redeploys the services on the BIG-IP. The policies are then tested with the F5 WAF tester tool, which exercises them against the OWASP Top 10 attack categories and well-known vulnerabilities.
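The step that both modules hinge on, collecting learning suggestions and folding the accepted ones into the declarative policy before the next commit, is illustrated below with an added example script. It is not part of the lab or of F5's tooling: the policy key names (`template`, `open-api-files`, `modifications` with `action`/`entityType`/`entity`/`entityChanges`) follow the F5 declarative WAF policy format as we understand it and are an assumption, the OpenAPI link is a placeholder, the suggestion objects are constructed to resemble what the BIG-IP suggestions REST endpoint returns (also an assumption), and the confidence threshold of 75 is an arbitrary review policy.

```python
"""Merge selected AWAF learning suggestions into a declarative WAF policy.

Constructed example for the lab workflow: the policy references the OpenAPI
file, the pipeline collects learning suggestions, and a security admin keeps
only the high-confidence ones before the next commit redeploys the policy.
"""
import json
from copy import deepcopy

# Base declarative policy. Key names follow the F5 declarative WAF policy
# format as we understand it (assumption); the link is a lab placeholder.
BASE_POLICY = {
    "policy": {
        "name": "api_policy",
        "template": {"name": "POLICY_TEMPLATE_API_SECURITY"},
        "applicationLanguage": "utf-8",
        "enforcementMode": "blocking",
        "open-api-files": [
            {"link": "http://gitlab.example.invalid/app/openapi.yaml"}
        ],
    }
}

# Constructed learning suggestions, shaped after the objects the BIG-IP ASM
# suggestions REST endpoint returns (assumption). "score" is the confidence
# (0-100) that accepting the suggestion reflects legitimate traffic.
SUGGESTIONS = [
    {
        "score": 100,
        "action": "add-or-update",
        "entityType": "url",
        "entity": {"name": "/api/v1/orders"},
        "entityChanges": {"type": "explicit"},
        "description": "Add URL seen in valid API calls",
    },
    {
        "score": 100,  # duplicate of the first one, must be merged only once
        "action": "add-or-update",
        "entityType": "url",
        "entity": {"name": "/api/v1/orders"},
        "entityChanges": {"type": "explicit"},
        "description": "Add URL seen in valid API calls",
    },
    {
        "score": 85,
        "action": "add-or-update",
        "entityType": "header",
        "entity": {"name": "x-request-id"},
        "entityChanges": {"type": "explicit"},
        "description": "Add custom header observed on all requests",
    },
    {
        "score": 20,  # low confidence: seen once, not worth loosening the policy
        "action": "add-or-update",
        "entityType": "parameter",
        "entity": {"name": "debug"},
        "entityChanges": {"valueType": "user-input", "dataType": "alpha-numeric"},
        "description": "Add parameter 'debug' seen in a single request",
    },
]

MODIFICATION_KEYS = ("action", "entityType", "entity", "entityChanges")


def select_suggestions(suggestions, min_score):
    """Keep suggestions whose confidence reaches the admin's threshold."""
    return [s for s in suggestions if s.get("score", 0) >= min_score]


def to_modification(suggestion):
    """Reduce a suggestion to the fields a policy 'modifications' entry carries."""
    return {k: suggestion[k] for k in MODIFICATION_KEYS}


def modification_key(mod):
    """Identity of a modification, used to avoid committing duplicates."""
    return (mod["action"], mod["entityType"], json.dumps(mod["entity"], sort_keys=True))


def apply_suggestions(policy, suggestions, min_score=75):
    """Return a new policy with accepted suggestions appended as modifications.

    The input policy is not mutated, so the pipeline can diff old vs new."""
    updated = deepcopy(policy)
    mods = updated["policy"].setdefault("modifications", [])
    seen = {modification_key(m) for m in mods}
    for suggestion in select_suggestions(suggestions, min_score):
        mod = to_modification(suggestion)
        key = modification_key(mod)
        if key in seen:
            continue
        seen.add(key)
        mods.append(mod)
    return updated


def accepted_entities(policy):
    """Names of the entities a policy's modifications touch, for review output."""
    return [m["entity"]["name"] for m in policy["policy"].get("modifications", [])]


if __name__ == "__main__":
    merged = apply_suggestions(BASE_POLICY, SUGGESTIONS, min_score=75)
    print(json.dumps(merged, indent=2))  # this JSON is what gets committed
```

Running the script prints the merged policy JSON, which is the artifact a lab user would commit to GitLab to trigger the Module 2 redeploy. The merge is idempotent and leaves the original policy untouched, so re-running the job after another learning cycle only adds suggestions that are genuinely new, and a reviewer can diff the two revisions to see exactly which entities were added.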

Hardware & Software

  • 1 x Windows jump host (Win10) with VS Code installed
  • 1 x CI/CD and Docker host (NGINX API gateway, Dev Portal) (Ubuntu 18.04)
  • 3 x Kubernetes cluster node VMs (Ubuntu 18.04)
  • 1 x Active Directory server (Windows Server 2012 R2)
  • 1 x NGINX Controller 3.6.0 (Ubuntu 18.04)
  • 1 x BIG-IP v16.1.0
  • 1 x GitLab CE server (Ubuntu 18.04)
  • 1 x VyOS router (Ubuntu 18.04)