The name might be hardish to say, but it’s easy to use.
For a decade now, We (that’s the corporate We) have been preaching the benefits of a Web Application Firewall (WAF) to the overall health and well-being of applications. It turns out that the benefits are not restricted to its technical acumen in fending off a variety of protocol and app layer attacks apps and APIs. Indeed, one of the unintended benefits is the confidence the proactive protection provides to those who employ the services of a WAF.
Consider one of my favorite data points from our State of Application Delivery 2017 report on the confidence respondents have regarding their ability to withstand an application layer attack based on whether or not they have a WAF deployed.
The difference in confidence levels is striking and it seems reasonable to deduce that the deployment of a WAF increases confidence in withstanding app layer attacks.
That said, we can’t ignore that WAF, like any app-centric service, is highly specific to the application. That ultimately means that policies must be tailored to match the application, as protection is often applied on the basis of unique URIs (and API calls) which can impede the speed with which folks desire to deploy anything app-related today. Complexity of security solutions remains a significant challenge for enterprise organizations, particularly in the face of a talent shortage in the realm of information security.
Too, it’s increasingly the case that apps are deployed off-premise, in a cloud environment, by those who have expertise in app environments, but not security. It’s an architectural networking nightmare to try to secure an off-premise, cloud-based app with an on-premise WAF.
And then there’s the reality that many donning the mantle of “DevOps” have taken on not only the responsibility of building the app, but deploying it (and the services it needs) as well. That makes the task of configuring a WAF to optimally defend against app layer attacks a daunting prospect. If you aren’t familiar with attacks that span the entire application stack (from layer 2 all the way up to layer 7), it’s difficult to ensure you’ve got the protections in place to defend against them.
But it’s a task that has measurable benefits according to our State of Application Security 2016 survey: “71 percent of security professionals who have integrated DevOps practices into their application development lifecycles say that they have improved security and that it enabled them to respond quickly to vulnerabilities.”
‘Agile Security’ is often viewed as one of those paradoxical combinations like ‘Jumbo Shrimp’. And yet that is increasingly the goal across organizations of all sizes, shapes, and industries. We all agree that better security is a top priority, and a WAF is certainly one of the tactical responses to achieving it, but we also want agile, faster deployment that can be realized by those who have to deploy the apps. It’s a challenge, to be sure, but it’s one that We are determined to address.
F5 Silverline WAF Express Service is built on BIG-IP ASM and deployed atop F5 Silverline, our cloud-based application services platform. That’s a big deal, because BIG-IP ASM is recognized as having an excellent effectiveness rate with very low false positive rates. Really, it is. And it’s cloud, which means it’s highly accessible no matter where apps are deployed, be they in the data center or in a variety of public clouds.
F5 Silverline WAF Express Service is designed to offer a simple, agile-friendly deployment experience without compromising on the protections necessary to defend applications in today’s increasingly attack-saturated digital world.
The idea is to enable anyone – expert or not – to quickly initiate and provision the services of a WAF without requiring training or in-depth security knowledge. We can do that because it’s a service (in the cloud) and we employ the expertise of the skilled security professionals in our Security Operations Center (SOC) to create and maintain policies that can be applied to any web application no matter where it’s deployed. It takes just three simple steps to self-service protect an app with Silverline WAF Express Service, and none of them require you to identify anything other than where the app is and what stack you’re using. Under the hood, expertly maintained policies provide the protection required to keep apps safe from a variety of attacks including OWASP attacks, parameter tampering, and bots.
But this self-service WAF in the cloud is not just about enabling the protection organizations need; it’s also designed to provide visibility into the security posture of the apps being protected. Reporting through the cloud-based portal offers valuable insights and options to incorporate external intelligence for securing apps against IP threats is available, as well as monitoring signature-based policies against known and emerging threats and quickly adding IP allowlisting to known false positives.
F5 Silverline WAF Express Service removes the complexity of WAF management, increases the speed to deploy with expertly maintained policies, and decreases operational expenses. Its position in the cloud is a perfect security complement to apps being deployed in public and private (on-premise) cloud environments - by the folks deploying them - without compromising security.