Organizations continue to adopt container orchestration to drive efficiencies in their CI/CD pipelines. Given the current business climate with more employees working from home and consumers transacting more online, how can development and operations teams release at increasing velocity with protection baked in? Connecting operations and security teams have not always been a smooth process: developers and operations staff are charged with site reliability, availability, and uptime while security staff is held responsible for securing an organization’s always-moving perimeter and valuable web layer assets. But the lines have started to blur between DevOps teams and security: you can’t guarantee uptime without baking effective application security tooling into your processes and infrastructure configurations. A true next-generation, holistic web application and API protection platform does just that: operations teams can integrate security into their workflows and ensure new infrastructure and app code released to production is both effective and secure. Join application security experts Aneel Dadani and Orlando Barerra II from Signal Sciences to learn how your team can deploy at scale safely while gaining layer 7 visibility in production environments. Attendees will learn: How to inspect web traffic in containers, at the API gateway, or the ingress How DevOps teams can scale their application footprint to meet demand while securing your codebase in production How development teams can gain visibility into how their apps and APIs are being used in production and what vulnerabilities may exist that they overlooked Demo these application security concepts with Ansible, a simple yet powerful IT automation engine that companies use to accelerate DevOps initiatives, including baking application security into their infrastructure.

1. Connect Ops and Security with
Flexible Web App and API
Protection
Aneel Dadani
Orlando Barrera II

2. Agenda
• Introductions
• Security and Visibility
• API and Microservices Protection
• Reduce Friction between DevSecOps
• Demo

3. Introductions
Orlando Barrera II
Technical Account Manager
Signal Sciences
Aneel Dadani
Technical Account Manager
Signal Sciences

4. Large enterprises can leverage
applications and APIs running
on premise, in data centers or
cloud. But that scale widens
the attack surface.
THE CHALLENGE:
Protecting Apps
and APIs Across
Infrastructure

5. IMAGE GOES HERE
API and Microservices
• Where is your application running?
• What APIs do you have?
• Who is accessing your APIs?
• How are your APIs protected?
• What data is your API endpoint
processing?
• Do you have visibility into your
Microservice East to West traffic?
Ask yourself :

6. Effective Web
and API
Protection
The solution is simple:
developers and operations
staff need application security
that works in production
without maintenance yet
integrates with DevOps tools
and processes.

7. Signal Sciences Web Application and API Protection (WAAP) Platform
Next-Gen WAF
Complete protection for
your Apps and APIs
RASP
Easy to install Runtime
Application Self-Protection
Bot Protection
Prevent bad bots from
performing malicious
actions
Advanced Rate
Limiting
Control the amount of
requests from potential
threats
API Protection
Stop unauthorized access
to your APIs and
microservices
ATO Protection
Stop account takeover and
credential stuffing
DDoS
Block Denial-of-Service
attacks

8. Service LayerIntegrated Deployment
Strategic Coverage Across the Enterprise
Advanced Protection at Scale to Match the Velocity of DevOps
Internet

9. Key Means for
Proactive Web
App and API
Protection
DevOps teams need to
move fast to innovate.
But maintaining release
velocity doesn’t mean
sacrificing security.

10. Abstract Security, Provide Visibility

11. Hybrid SaaS Architecture:
Fast Local Decisions Plus
the Power of Cloud
• Optimized local detection via SmartParse,
eliminating false positive decisions
• Decisioning is enriched by Cloud Engine
intelligence – not signatures
• Fail-open design avoids app downtime shut-
downs and blocked access
A New Approach to Web App
and API Protection

12. Signal Sciences Architecture
Real-time web app protection that scales without impacting performance
Load Balancer
Web Servers
Application
Containers
PaaS
Service Mesh
API Gateway
Hosted Cloud WAF
Reverse Proxy

13. Slide Title Goes Here on One Deck
• First bulleted copy of point you want to make
• Second bulleted copy point
• Third bulleted copy point etc.

14. Web Request Volume Protected Per Month

15. Monolithic Containerization
By 2022, more than 75% of global organizations will be
running containerized applications in production.

16. Progression to the container world
Servers Monolithic Waterfall
VMs N-Tiered
Systems
Separation
Containers Microservices
DevOps
(DevSecOps)

17. Monolithic
/catalog
/cart
/reviews
/catalog
/cart
/reviews
• Services must be written in the same language
• Difficult to work on different services in parallel
(“integration hell”)
• Full app needs to be re-deployed with every update
• Scaling requires replicating entire app which can
lead to waste/unnecessary hosting costs
• Services can be in different languages
• Easier to work on services in parallel, add new
services
• Can deploy services individually, enables
continuous deployment.
• Can scale services individually
Microservices

18. Traditional WAF
• Rules-Based
• Limited Scalability
• Longer Deployment
Next-Gen WAF
• Out-of-the-Box Detection
• Highly Scalable
• Quicker Deployment
sudo apt-get install sigsci-agent

19. Traditional WAF Next-Gen WAF
Datacenter AWS GCP
Google Cloud Armor
• Different rulesets
• Different UI, feature sets
• Disjointed WAF policy
Datacenter AWS GCP
• Single ruleset
• Single UI, feature set
• Unified WAF Policy

20. Automated Web Layer Protection Without Rules Tuning
Fast, inline blocking decisions with SmartParse
• Enables our offering to fail open
• Battle tested: inspects and decisions on
250+ billion web requests weekly
• Virtually eliminates false positives
Net result: Web protection that works in production so security
teams can focus on high-value work, not WAF rules maintenance

21. Cloud Native Application Protection
• Inspects BOTH east-west and north-south
traffic routed via microservices
architectures without code changes
• Increased flexibility to deploy
Layer 7 protection in cloud-native
applications
• Increases Layer 7 visibility with
simplified deployment for
containerized microservices orchestrated
via Kubernetes

22. • Internal Microservices will be just
internal…
• Since internal Microservices are
internal they don’t need the same
level of security/authentication
• Communication between internal
Microservices should be legitimate
traffic
Assumptions of
Internal Microservices

23. Because apps are
highly distributed,
70-80% of traffic is
now east-west traffic
in data centers.
North-South and East-
West Traffic

25. Reduce Friction between DevSecOps

26. What it Might Look Like in Practice
Ingress / Software
Perimeter
RASP
Service Mesh
Traditional
Perimeter-based

27. Load Balancer
Deployment Options with Full Feature Parity
Enabling Applications Across Any Architecture
Web Servers Application Reverse Proxy
Containers:
Kubernetes, Docker PaaS
Service MeshCloud WAF:
No Agents to Deploy
API Gateway
As a sidecar
In container
Cloud
WAF

28. Runs across the Modern Infrastructure Mix
• Major cloud providers
• Containers
• Hardware
• Serverless options
• Platform services

29. Active Web App and API Protection Everywhere
See, Secure and Scale Across:
Any App
Cloud Containers, PaaS
& Serverless
Web Servers & Languages
Gateways & Proxies
Any Attack
OWASP Injection Attacks
PLUS:
Bad Bots
DDoS
Brute Force Attacks
Application Abuse & Misuse
Request Rate Limiting
Account Takeover
Virtual Patching
Any DevOps Toolchain
INCLUDING:
Generic Webhooks & Any Custom
Tools via Full RESTFul/JSON API

30. DevOps Tool Integrations Break Down Silos
Feedback Loops Make All Teams Security Stakeholders
Make security visible: Unified
management console provides actionable
data to quickly understand what’s
happening in production
Keep everyone informed: Push security
data to the tools security and DevOps
teams already use: Slack, PagerDuty, Jira,
Datadog, OpsGenie, etc.
Share consistent data: All teams make
decisions from same security data

31. Correlate and analyze web request data in other tools
API-first: any information
available in our management
console can be accessed via
our API
Import request data into a
data analysis tools like
Splunk, Kibana etc.
Easily correlate collected
web request security data
with external data sources
for further analysis
Example of Signal Sciences flagged IPs and raw request meta data pulled into Splunk

32. Provide Operations Teams Data to Ensure Uptime
Surface Metrics
that Matter
Client- and server-
side errors to
response errors,
broken links; highly
targeted APIs
Identify Critical
Issues Fast
Metrics can point to
server or application
configuration issues so
teams can triage faster
Share data via API
Pull these metrics into
the systems your
DevOps teams already
use to pinpoint
problematic issue fast
Example of visibility into operational data points like anomalies and application behavior that Signal Sciences surfaces to DevOps teams.

33. IMAGE GOES HERE
Trust Developers but Verify API Visibility
● Reduced Request volume
~10M RPS
● ~9% reduction in the
quarter
● Dev team modified the API
to improve performance
and reduce request volume

34. Signal Sciences
One Integrated Platform Delivers:
• Cloud-native protection at lowest TCO
• Protection in any infrastructure: cloud, on
premise, containers, and hybrid
environments
• DevOps and security tooling integrations
• Unified management of all your defenses
Architected for Flexible, Proactive Defense
• Agent-module pair and Cloud Decision Engine
enables easy deployment to
• stop web attacks
• Provides unified view across all your apps
wherever they run

35. Demo

36. Monolithic deployment

37. Docker deployment
Docker Container

38. Envoy Proxy

39. Q&A

40. Thank You!