F5 Rated as a Top Performer in Security Efficacy and Operational Efficiency by SecureIQLab

Navpreet Gill
Published May 15, 2024

As businesses continue moving operations to the cloud, deploying robust application security controls that meet the unique challenges of this environment and evolving threat landscape is more critical than ever. Lack of speed in addressing vulnerabilities and breaches is a prime example of one such challenge.

The 2024 F5 State of Application Strategy Report found that 50% of respondents surveyed felt, “[it] takes too long to push patching and updates through all the affected systems/software and [there is a] lack of tools or process to respond quickly to zero day attacks.” It’s no surprise then that 'speed' is the number one Security-as-a-Service benefit when it comes to ensuring app health.

SecureIQLab recently published its 2024 Cloud WAAP CyberRisk Validation Report and evaluated many vendors for web application firewall and API security, including F5 Distributed Cloud Web Application and API Protection (WAAP).

SecureIQLab’s testing process

SecureIQLab specifically tested security efficacy, operational efficiency, and false positive avoidance, and highlighted key differentiators for each technology vendor. SecureIQLab tested cloud WAAP solutions by exposing applications and APIs to 3500 attacks from industry frameworks like OWASP Top 10 and MITRE ATT&CK. They validated 80 features of these WAAP solutions including deployment, management, and scalability, setting a new standard in cybersecurity validation under AMTSO standards.

The result: F5 Distributed Cloud WAAP passes with a perfect score

F5 Distributed Cloud Web Application and API Protection (WAAP) earns SecureIQLab's "Secure by Design" rating as one of the seven vendors to pass the WAAP vulnerability assessment with a perfect score. It rates high in both security efficacy and operational efficiency, achieving:

  • Complete Security Score of 98.54% (ranked among the top two performers)
  • Operational Efficiency Rating of 93% (ranking in the top three)
  • 99.37 top score for WAF OWASP with zero false positives

More insight into testing criteria is presented around each of the major security areas evaluated:

API protection

APIs are susceptible to attacks similar to those against web applications because they share vulnerabilities such as injection flaws, authentication issues, and data exposure risks due to inadequate input validation and insufficient security measures. The API security test evaluated the effectiveness of F5 Distributed Cloud API Security in preventing unauthorized access to sensitive data across six API protocols using over 70 attacks from the 2023 OWASP API Security Top 10. Ratings, based on security efficacy percentages, ranged from 1 to 5, indicating varying levels of protection, with the results serving as a baseline for the WAAP industry's API security standards. The report highlights F5’s better-than-average OWASP API security protection.

Bot defense

F5’s domain experts and data scientists continuously research attacker tools, along with behavioral and environmental signals, and utilize advanced ML to rapidly detect attacker retooling and deploy updated models to mitigate attacks in real time. F5 Distributed Cloud Bot Defense was tested against five types of bot attacks, including two from OWASP, originating from Asian and North American locations, revealing that geolocation does not affect the product's security effectiveness, with bot attack scores ranging from 0% to 100%. F5 received a perfect score in bot protection and performed considerably better than the group average.

DDoS defense

Layer 7 Distributed Denial-of-Service (DDoS) and Layer 7 Denial-of-Service (DoS) attacks, using valid TCP connections, pose a challenge for detection; testing F5 Distributed Cloud DDoS Mitigation against two Layer 7 DDoS attacks and five Layer 7 DoS attacks yielded scores ranging from 57% to 100%.

Operational resilience

F5 Distributed Cloud WAAP also underwent operational resilience testing against 103 resiliency test cases employing 3 unique attack vectors, aiming to block unseen attacks; the Resiliency Score, representing the percentage of attacks blocked out of the total, ranged from 54.9% to 99.3%, indicating its capability to withstand and absorb various attack variations. F5 tied for the highest score by earning a 99.3% block rate and performed notably better than average.

Inherent security

SecureIQLab evaluated the security of the cloud WAAP product to ensure it doesn't increase the attack surface of protected environments and its privileges are not exploitable. F5 Distributed Cloud WAAP underwent testing against 11 vulnerability assessment techniques, with seven out of the 12 WAAP solutions (including F5) achieving a perfect score of 100% in the WAAP Vulnerability Assessment. For earning a 100% WAAP Vulnerability Assessment Score, SecureIQLab rates F5 as “Secure by Design.”

Operational efficiency

Operational efficiency is crucial for deploying and managing WAAP solutions effectively, ensuring minimal resource allocation and operational costs. SecureIQLab validated WAF and API security operational efficiency in various areas, employing a scoring system based on feature capabilities to provide comprehensive ratings for each category, guiding organizations in selecting solutions that optimize security without disrupting business workflows. SecureIQLab highlights how F5 demonstrates above-average operational efficiency in its API operations, achieving perfect scores in two out of seven categories.

Avoiding false positives

WAAP solutions must effectively distinguish between legitimate business transactions and malicious activity to avoid false positives, which can disrupt business operations. F5’s AI/ML-based malicious user detection provides dynamic risk assessment and scoring for potential threats based on behavioral and signature-based attributes. Through testing with over 6500 false positive cases simulating normal user behavior, F5 Distributed Cloud WAAP was evaluated for its ability to accurately differentiate benign traffic from threats, with higher False Positive Avoidance Scores indicating less impact on operational efficiency.

Designed to defend today’s hybrid environments

Organizations need comprehensive application security that aligns with their specific requirements, regardless of where their applications and APIs are hosted or their users reside. F5's hybrid SaaS delivery model supports both internal and public-facing applications, allowing for extended deployment into private cloud and on-premises environments. The F5 Distributed Cloud WAAP solution includes a WAF with AI/ML-based malicious user detection, integrated API discovery and protection, and DDoS and bot mitigation, enabling comprehensive web application and API protection with centralized management. With so many application security solutions available on the market, the SecureIQLab report helps identify solutions with high efficacy and lower false positives, providing customers with clear guidance on the vendors to consider when evaluating prospective solutions to help improve their overall app security posture.

For more details, download the report here or contact F5 to learn more about how F5 Distributed Cloud WAAP can benefit your organization.