As businesses continue moving operations to the cloud, deploying robust application security controls that meet the unique challenges of this environment and evolving threat landscape is more critical than ever. Lack of speed in addressing vulnerabilities and breaches is a prime example of one such challenge.
The 2024 F5 State of Application Strategy Report found that 50% of respondents surveyed felt, “[it] takes too long to push patching and updates through all the affected systems/software and [there is a] lack of tools or process to respond quickly to zero day attacks.” It’s no surprise then that 'speed' is the number one Security-as-a-Service benefit when it comes to ensuring app health.
SecureIQLab recently published its 2024 Cloud WAAP CyberRisk Validation Report and evaluated many vendors for web application firewall and API security, including F5 Distributed Cloud Web Application and API Protection (WAAP).
SecureIQLab’s testing process
They specifically tested security efficacy, operational efficiency, and false positive avoidance, and highlighted key differentiators for each technology vendor. SecureIQLab tested cloud WAAP solutions by exposing applications and APIs to 3500 attacks from industry frameworks like OWASP Top 10 and MITRE ATT&CK. They validated 80 features of these WAAP solutions including deployment, management, and scalability, setting a new standard in cybersecurity validation under AMTSO standards.
The result: F5 Distributed Cloud WAAP passes with a perfect score
F5 Distributed Cloud Web Application and API Protection (WAAP) earns SecureIQLab's "Secure by Design" rating as one of the seven vendors to pass the WAAP vulnerability assessment with a perfect score. It rates high in both security efficacy and operational efficiency, achieving:
- Complete Security Score of 98.54% (ranked among the top two performers)
- Operational Efficiency Rating of 93% (ranking in the top three)
- 99.37 top score for WAF OWASP with zero false positives
More insight into testing criteria is presented around each of the major security areas evaluated:
API protection
APIs are susceptible to attacks similar to those that target web applications because they share vulnerabilities such as injection flaws, authentication issues, and data exposure risks due to inadequate input validation and insufficient security measures. The API security test evaluated the effectiveness of F5 Distributed Cloud API Security in preventing unauthorized access to sensitive data across six API protocols using over 70 attacks from the 2023 OWASP API Security Top 10. Ratings, based on security efficacy percentages, ranged from 1 to 5, indicating varying levels of protection, with the results serving as a baseline for the WAAP industry's API security standards. The report highlights F5’s better-than-average OWASP API security protection.
Bot defense
F5’s domain experts and data scientists continuously research attacker tools, along with behavioral and environmental signals, and utilize advanced ML to rapidly detect attacker retooling and deploy updated models to mitigate attacks in real time. F5 Distributed Cloud Bot Defense was tested against five types of bot attacks, including two from OWASP, originating from Asian and North American locations, revealing that geolocation does not affect the product's security effectiveness, with bot attack scores ranging from 0% to 100%. F5 received a perfect score in bot protection and performed considerably better than the group average.
DDoS defense
Layer 7 Distributed Denial-of-Service (DDoS) and Layer 7 Denial-of-Service (DoS) attacks, using valid TCP connections, pose a challenge for detection; testing F5 Distributed Cloud DDoS Mitigation against two Layer 7 DDoS attacks and five Layer 7 DoS attacks yielded scores ranging from 57% to 100%.
Operational resilience
F5 Distributed Cloud WAAP also underwent operational resilience testing against 103 resiliency test cases employing 3 unique attack vectors, aiming to block unseen attacks; the Resiliency Score, representing the percentage of attacks blocked out of the total, ranged from 54.9% to 99.3%, indicating its capability to withstand and absorb various attack variations. F5 tied for the highest score by earning a 99.3% block rate and performed notably better than average.
Inherent security
SecureIQLab evaluated the security of the cloud WAAP product to ensure it doesn't increase the attack surface of protected environments and its privileges are not exploitable. F5 Distributed Cloud WAAP underwent testing against 11 vulnerability assessment techniques, with seven out of the 12 WAAP solutions (including F5) achieving a perfect score of 100% in the WAAP Vulnerability Assessment. For earning a 100% WAAP Vulnerability Assessment Score, SecureIQLab rates F5 as “Secure by Design.”
Operational efficiency
Operational efficiency is crucial for deploying and managing WAAP solutions effectively, ensuring minimal resource allocation and operational costs. SecureIQLab validated WAF and API security operational efficiency in various areas, employing a scoring system based on feature capabilities to provide comprehensive ratings for each category, guiding organizations in selecting solutions that optimize security without disrupting business workflows. SecureIQLab highlights how F5 demonstrates above-average operational efficiency in its API operations, achieving perfect scores in two out of seven categories.
Avoiding false positives
WAAP solutions must effectively distinguish between legitimate business transactions and malicious activity to avoid false positives, which can disrupt business operations. F5’s AI/ML-based malicious user detection provides dynamic risk assessment and scoring for potential threats based on behavioral and signature-based attributes. Through testing with over 6500 false positive cases simulating normal user behavior, F5 Distributed Cloud WAAP was evaluated for its ability to accurately differentiate benign traffic from threats, with higher False Positive Avoidance Scores indicating less impact on operational efficiency.
Designed to defend today’s hybrid environments
Organizations need comprehensive application security that aligns with their specific requirements, regardless of where their applications and APIs are hosted or their users reside. F5's hybrid SaaS delivery model supports both internal and public-facing applications, allowing for extended deployment into private cloud and on-premises environments. The F5 Distributed Cloud WAAP solution includes a WAF with AI/ML-based malicious user detection, integrated API discovery and protection, and DDoS and bot mitigation, enabling comprehensive web application and API protection with centralized management. With so many application security solutions available on the market, the SecureIQLab report helps identify solutions with high efficacy and lower false positives, providing customers with clear guidance on the vendors to consider when evaluating prospective solutions to help improve their overall app security posture.
For more details, download the report here or contact F5 to learn more about how F5 Distributed Cloud WAAP can benefit your organization.
