Bolster your API security on AWS with New Managed Rules for AWS WAF

Tom Atkins Miniatura
Tom Atkins
Published March 26, 2019

It’s no great secret that the number of applications worldwide is growing exponentially. Just look at any business, and the broad suite of workloads utilized ranges from externally facing marketing and e-commerce workloads to internally focused productivity and HRM apps. And more often than not, these hordes of apps are deeply intertwined and dependent on one another, creating a complex web of ‘chatter’ as API requests are fired back and forth between them. While these APIs enable your employees, customers, and partners to benefit from sophisticated applications, they also expand your threat perimeter, providing another surface for cyberattacks to exploit. In fact, recent breaches at Amazon, Facebook and even the Black Hat security conference all targeted vulnerable APIs—resulting in mass data loss.

At F5, our goal is to ensure the security of every app, anywhere.

Appreciating that not all apps are created equal—with mission-critical applications taking precedence over less sensitive workloads—we understand that it can be incredibly difficult and costly to secure every application interface across your entire portfolio. For this reason, many businesses turn to cloud-native security solutions to protect their less sensitive apps, while relying on an F5 Advanced WAF to secure their more critical workloads. But as many organizations have found out (the hard way), any application interface can be an entry point in to your network and data, meaning that ‘good enough’ security, really isn’t.

As you may recall, last year F5 partnered with AWS to deliver three sets of managed rules that can be layered atop AWS’ native WAF—to extend its security capabilities to include bot, OWASP and CVE (common vulnerabilities and exposures) protection. Building on this integration, we’re pleased to release another ruleset which focuses solely on protecting your APIs against existing and emerging threats, including XML external entity (XXE) attacks and server-side request forgery (SSRF).

With AWS API Gateway recently adding support for the AWS WAF, adding F5’s Managed Rules for API Protection is a quick and easy way to enhance your API security posture here without any security expertise or adopting an advanced WAF solution. In addition to supporting APIs within API Gateway, the rules also protect various other common web API frameworks.

All rules are written, managed, and updated regularly by F5 security experts, so you never need to worry about manually updating versions to protect against emerging vulnerabilities. The rules can be applied in a few clicks, to specific applications, and licensed on a pay-as-you-go utility model without contracts or other commitments.

For more information about any of F5’s Managed Rules for AWS WAF, head on over to the AWS Marketplace to check them out:

Or check out F5’s Advanced WAF which provides everything covered in the rules and much, much more: