Qualica runs a diverse Software as a Service (SaaS) business, serving customers in the manufacturing, distribution, and service sectors. It wanted to introduce microservices for applications to speed up SaaS delivery and use a web application firewall (WAF) for vulnerability protection to avoid development resources being taken up by security requirements. These needs led the company to choose F5’s WAF solution and consulting services to make applications safer.
Construction equipment manufacturer Komatsu set up Qualica in 1982 as its software development subsidiary. It initially developed software for manufacturers, but started supplying systems for the distribution industry in 1987, then further expanded its scope after joining the TIS Group. Today Qualica supplies a broad range of SaaS including TastyQube (for the food-service sector), SpecialtyQube (retail), ATOMS QUBE (a cloud-ready production control system), and document solution CSS-Net. It also provides IT platform services such as Qcloud (Internet as a Service—IaaS) and Thin Office VDI (Data as a Service—DaaS).
Pressure to provide timely business logic adapted to market changes and new customer needs is strong, making faster delivery a major challenge for SaaS providers. “This is why we’re revamping the way we develop and deploy applications,” explains Tomoyasu Tsuboguchi, Deputy Head of Qualica’s IT Platform Service Center. The company is transitioning its applications to microservices—loosely coupled with API—and deploying agile software development. Microservices structure applications as a suite of services and link them by a simple and lightweight mechanism like RESTful Web API. Such groups of smaller, loosely coupled services are more adaptable to change than traditional monolithic applications.
Tsuboguchi notes a sharp increase in attacks targeting application vulnerabilities, but addressing the problem is time-consuming and puts a drag on development. “Ensuring safety is the responsibility of the service provider, but we also needed a way to reduce developers’ workloads to increase delivery speeds. Application developers can’t concentrate on business logic if they have to provide security too.”
In 2014, Qualica started looking into a WAF to protect applications. It selected F5 BIG-IP Application Security Manager (ASM) in April 2016 after comparing several vendors’ products. Tsuboguchi explains that the company liked BIG-IP ASM for its ability to accommodate multiple tenants, as well as its superior reliability and functionality.
Qualica considered transitioning applications to microservices when deploying BIG-IP ASM, and started building a system with four main stages. A firewall and load balancer was positioned at the stage closest to the Internet, using existing equipment to save on time and labor needed for replacement. A redundant API gateway at the second stage receives client requests and converts them to the microservice API needed to process them. BIG-IP ASM at the third stage analyzes the content of the communication with the microservice and detects and protects against any traffic that threatens security. The request is then passed on to the microservice on the application server (fourth stage).
The company made use of F5 Consulting Services when it deployed BIG-IP ASM. “There have been lots of cases where people weren’t able to benefit fully from a WAF because they didn’t get the settings right. We needed F5 consultants to guide us so that we could install and operate the WAF safely,” says Tsuboguchi.
Qualica’s selection of F5 solutions helps the company gain know-how for dealing with future threats, as well as tackle the issues it was already facing—and do so across all its services. In fact, the F5 solutions are effective enough to help it even pioneer new business.
Qualica began deployment of the BIG-IP ASM staging (policy test) feature for TastyQube in January 2017, which made it easier to understand how application vulnerabilities were targeted. “Although other products trace traffic, they aren’t focused on what we’re looking for, and that makes it difficult to extract useful information. BIG-IP ASM’s tracing focuses on app vulnerabilities, making it easier to devise and implement the right measures. We want to utilize this information when we deploy attack defense (another BIG-ASM feature) in March 2017,” explains Tsuboguchi.
“A big advantage of F5 products is that they allow multiple tenants to be serviced from a single BIG-IP system. We’re now using BIG-IP ASM for TastyQube only, but we intend to extend it to ATOMS QUBE, CSS-Net, and Specialty Qube, then ultimately to all our SaaS offerings,” says Tsuboguchi. Qualica will stress to clients the safety and attack-defense feature of all its SaaS, which it can deliver securely because the WAF protects them.
Qualica is gaining knowledge in WAF operation by using F5 Consulting Services. It is leveraging this know-how to provide IaaS and WAF services for hosting. “We’re going to use F5’s Consulting Services regularly for help in reviewing our operational policies,” says Tsuboguchi.