Chapter 7. Security

Security is everyone’s job. A secure system is built from multiple, overlapping layers of controls, so that no single failure exposes everything. Azure and NGINX each offer several of those layers for the data plane, and they take two forms: control (deciding which requests are allowed through) and visibility (seeing which requests actually arrived). Managed Azure services integrate directly with Azure Monitor. Third-party data plane services such as NGINX can integrate with Azure Monitor too, typically through an agent, and they often ship their own monitoring capabilities as well.

The previous chapter focused on monitoring, and the amount of information you can gather from monitoring the data plane is vast: the data plane sees every request to and within your web application. With what you learned there, you now have visibility into those requests. For a public web application, some metric values may surprise you; perhaps your application is popular with bots. A look at the access logs, which record each request that was made, may even have alarmed you. It’s common for bots and attackers to scan endpoints for known vulnerabilities, and those probes show up in the logs as bursts of requests for paths your application never served.
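The following is an added example, not code from the book or from NGINX, of what "reading the access log for scanners" looks like in practice. It parses lines in NGINX's default combined log format and flags clients that request several well-known probe paths and mostly receive 404s. The log lines, the list of probe paths, and the thresholds are constructed for illustration and are assumptions, not a definitive signature set; tune them against your own traffic.

```python
import re
from collections import defaultdict

# NGINX "combined" log format:
#   remote_addr - remote_user [time_local] "request" status body_bytes "referer" "user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths that vulnerability scanners commonly request. Illustrative list (an assumption),
# not an exhaustive signature set.
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"/\.env$", r"/\.git/", r"/wp-login\.php", r"/phpmyadmin",
        r"/xmlrpc\.php", r"/\.\./", r"/etc/passwd", r"/cgi-bin/",
    )
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe_path(path):
    """True if the request path matches a known scanner probe pattern."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def find_scanners(lines, min_probes=3, min_404_ratio=0.5):
    """Return {ip: stats} for clients whose behaviour looks like a vulnerability scan.

    A client is flagged when it requested at least `min_probes` probe paths and at least
    `min_404_ratio` of all its requests were answered 404. Both thresholds are assumptions.
    Unparseable lines are skipped rather than aborting the run.
    """
    stats = defaultdict(lambda: {"total": 0, "404": 0, "probes": 0, "paths": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] == "404":
            s["404"] += 1
        if is_probe_path(rec["path"]):
            s["probes"] += 1
            s["paths"].append(rec["path"])
    return {
        ip: s
        for ip, s in stats.items()
        if s["probes"] >= min_probes and s["404"] / s["total"] >= min_404_ratio
    }


# Constructed sample log: one ordinary browser session (10.0.0.5), one scanner
# (203.0.113.7) walking common probe paths, and one stray 404 from a third client.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:15:01 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:15:02 +0000] "GET /api/orders HTTP/1.1" 200 512 "https://shop.example/" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:15:03 +0000] "GET /static/app.js HTTP/1.1" 304 0 "https://shop.example/" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:15:30 +0000] "GET / HTTP/1.1" 200 2326 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:15:31 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:15:32 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:15:33 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:15:34 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2024:10:16:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, s in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {s['probes']} probe paths, {s['404']}/{s['total']} requests returned 404")
        for path in s["paths"]:
            print(f"  {path}")
```

On the sample above only 203.0.113.7 is flagged: it hit four probe paths and four of its five requests were 404s, while 198.51.100.9 made a single probe request and the browser session made none. The same logic can be pointed at a real access log with `find_scanners(open("/var/log/nginx/access.log"))`, and the output is a reasonable starting point for a block list or a rate-limit rule at the data plane.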

There’s a lot at stake for a web application. In the obvious cases, sensitive data must not be leaked or breached. It’s our understanding that the Capital One data breach originated with a Server-Side Request Forgery (SSRF) attack, a well-known class of attack that the OWASP Core Rule Set covers. It was not that Capital One was not using a WAF; they were—ModSecurity, ...
