As the modern-day industry is making shift towards agile methodologies to develop applications at speed, security often gets overlooked. Fixing security vulnerabilities at later stages of application lifecycle can be costly and time consuming. Introducing security best practices earlier in the application development lifecycle can create dramatic positive effects, to do this organizations should not only select the right tools but also make that cultural shift to bake security into rapid-release cycles that are typical of modern application development and deployment.
In this lab, we'll demonstrate the integration of declarative AWAF policy in CI/CD pipeline. The AWAF policy is being deployed via AS3 and is protecting an API workload deployed in Kubernetes by ingesting the OpenAPI 3.0 swagger file describing the API. The GitLab CI/CD pipeline uses modern automation tools like Terraform, Ansible and F5 AS3 to deploy and configure the application workloads.
The pipeline also tests the application API by running valid calls and then collect learning suggestions generated by the AWAF policy. Security admins can examine and select learning suggestions to be integrated in the declarative AWAF policy and redeploy the AWAF components.
F5 WAF tester tool will be used as a part of the pipeline to test the security posture of the application. Security professionals can take corrective actions based on the output of the F5 WAF tester job and redeploy the AWAF components.