NGINX WAF and Kubernetes WAF options (App Protect vs. open-appsec)


Until 2022, NGINX supported the well-known ModSecurity open-source WAF solution and the OWASP Core Rule Set signatures. However, following Trustwave's End-of-Life notice for ModSecurity, and possibly related also to the acquisition of NGINX by F5, NGINX announced in May 2022 that it would end-of-life its ModSecurity support, leaving NGINX open-source with no open-source security solution. By Christopher Lutat.

In this article, the authors briefly compare the NGINX App Protect signature-based WAF solution with a new open-source initiative called "open-appsec," which builds on machine learning. open-appsec provides preemptive web app and API threat protection against OWASP-Top-10 and zero-day attacks, and it can be deployed as an add-on to both NGINX and NGINX Ingress in their open-source and premium (Plus) versions.

NGINX App Protect WAF is based on the traditional F5 signature-based WAF solution, with good coverage for OWASP-Top-10 and other common attacks. The App Protect WAF comes with two policies - Default and Strict. The Default policy provides OWASP-Top-10 protection.

open-appsec is a new open-source initiative that builds on machine learning to provide enterprise web application and API security with the visibility, protection and manageability required by modern workloads, which update frequently and are often based on many third-party components not under the full control of the developers. For DevOps/DevSecOps and AppSec teams, open-appsec:

  • protects web applications and APIs preemptively against OWASP-Top-10 and zero-day attacks using machine learning with no threat signature upkeep required
  • blocks attacks such as Log4Shell, Spring4Shell and Text4Shell with default settings and no updates required, due to its preemptive nature
  • delivers precise threat prevention through continuous learning, finding attacks while eliminating the manual tuning and exception creation inherent to traditional WAFs

Signature-based solutions are well proven, but they are reactive by nature: signatures often aren't available until a vulnerability has been known for some time and exploits are already in circulation. In many high-profile High and Critical risk zero-day attacks that happened in the last year. Good read!
