Leveling Up Your AWS WAF with F5 Managed Rules

F5 Ecosystem | October 21, 2021


According to Forrester’s 2021 State of Application Security Report, a staggering 39% of all cyberattacks last year targeted web applications, and for good reason. The public-facing nature of web apps, their sprawling surface area, and the ever-present risk of code vulnerabilities make them notoriously difficult to protect—increasing the chances that attackers will find success. A study by Positive Technologies found that when penetration-tested, workloads contained an average of 22 potential security vulnerabilities, one in five of which were deemed to be of high severity. Unsurprisingly, the vulnerabilities uncovered during this study were dominated by those making up the OWASP Top 10, as shown in Figure 1.

Figure 1: Most common OWASP Top 10 vulnerabilities identified by the Positive Technologies web apps study

Now, when it comes to running apps on the AWS Cloud, application developers sometimes choose to prioritize getting their workloads spun up and operational as quickly as possible, while overlooking the importance of implementing application security as a “job zero” measure. Acknowledging this tendency to overlook app security and appreciating that many organizations lack dedicated in-house security expertise, AWS fashioned its own native web application firewall (WAF) designed for ease-of-use and rapid operationalization. While quick and easy to implement, the AWS WAF requires user-configured web access control lists (ACLs) to protect resources and is intended to be heavily customized to meet the needs of a diverse range of workloads. WAF customization, however, is a process that can be a challenge, as it requires specific app and domain knowledge as well as a solid appreciation of the current threat landscape.

That’s why AWS partnered with various security vendors, including F5, to offer a variety of Managed Rulesets that can be attached to AWS WAF instances, up-leveling them to mitigate a range of web app and API attack types. When AWS WAF customers attach custom F5 WAF rulesets to their WAF instances, they can maintain simplicity and ease of use while mitigating more sophisticated threats.

F5 currently offers four unique rulesets, each of which grants protection against different threat types:

  1. OWASP Top 10 Web Exploits Protection Ruleset: Mitigates attacks that seek to exploit vulnerabilities contained in the OWASP Top 10, including cross-site scripting (XSS) attacks, injection attacks, and many more.
  2. Bot Protection Ruleset: Analyzes all incoming requests and blocks any malicious bot activities, including DDoS tools, vulnerability scanners, web scrapers, and forum spam tools.
  3. API Security Ruleset: Secures against API-level attacks, XML external entity attacks, and server-side request forgery (SSRF) exploits and offers support for both XML and JSON payloads and common web API frameworks.
  4. Common Vulnerabilities and Exposures (CVE) Protection Ruleset: Defends against high-profile CVEs that can be found in popular systems such as Apache, Java, MySQL, WordPress, and many more.

Each of these rulesets is written, managed, and regularly updated by F5 security specialists, thus enabling customers to protect their apps against evolving threats—without the need for any intervention from the AWS WAF user. Whether the rules are applied to new or existing AWS WAF instances, AWS application load balancers, or AWS CloudFront, any of the F5 rulesets can be attached in minutes from the AWS WAF console with just a few clicks.

You can find more information about any of our rulesets on their respective AWS Marketplace Listings:

If you’re considering trying out any of our rules with your AWS WAF and have any questions or need assistance, simply sign in to ask a question on the F5 DevCentral community site. One of our technical experts or a member of our outstanding community will help you get started. You can also learn more via the supporting resources below or contact F5 sales for additional support.

Additional Resources:


About the Author

Tom Atkins, Senior Product Marketing Manager
