Web App & API Protection

How well you protect web applications and APIs can determine whether you’re a proven, reputable online presence or an unreliable, untrusted one. F5 provides app protection in any architecture that stands up to a range of ever-evolving attack types.

TOP CUSTOMER USE CASES

Advanced threat defense

Deter bad bots

Protect user credentials

Cut costs in the cloud

F5 Positioned as a Leader in The Forrester Wave™: Web Application Firewalls, Q2 2018

KNOW WHAT YOU’RE UP AGAINST

Understanding how web apps can be compromised is the first step in protecting them. 

APP SERVICES

Injection

Injection occurs when input provided by external sources contains hidden application commands from an attacker. When a web application isn’t properly filtering the input, it allows injected commands to be passed through to either the local system or a dependent one. A common example is SQL injection, as many applications rely on user input to build SQL statements that fetch information or log users in.

Cross-Site Scripting (XSS)

Cross-site scripting (XSS) allows attackers to run their own malicious scripts in a victim’s browser, within the trusted context of a site they’re visiting. XSS can be used to steal session tokens, initiate hidden transactions, or display falsified or misleading content. More sophisticated XSS scripts can even load key loggers that relay victims’ passwords to command-and-control servers operated by the attackers.

Man-in-the-Middle (MitM)

An attacker gains full access to both sides of a conversation or connection between two parties, allowing them to eavesdrop on sensitive data, tamper with data in transit, or even inject false data or commands that will be interpreted as genuine, authenticated, or otherwise trustworthy.

Sensitive Data Disclosure

Inadvertent exposure of sensitive information is low-hanging fruit for automated scanners and ripe for exploitation. Common examples include error messages detailing how unexpected input is handled, physical locations of files on servers, specific versions of components and libraries, and stack traces from failed functions.

Insecure Deserialization

Object serialization converts an object into a data format; deserialization reads this structured data and builds an object from it. Many programming languages offer native serialization or allow customization of the serialization process, which bad actors can use maliciously. Insecure deserialization has led to remote code execution, denial-of-service, replay, injection, and privilege escalation attacks.

Session Hijacking

In the context of HTTP applications, session hijacking usually involves the theft of session cookies used to authenticate and subsequently authorize HTTP requests initiated by a known user. With the stolen session cookie, an attacker is then able to effectively impersonate their victim to initiate fraudulent transactions.

Resource Hoarding (Scalping)

Scalpers use bots and other automation to purchase high-demand items, like concert tickets or limited-edition products, at a faster rate than humans are capable of. These products are resold to actual consumers at a significant markup. Over time, consumers no longer trust you to be a reliable source for in-demand products and services.

Man-in-the-Browser

Attackers use some kind of browser-based malware to read HTTP messages, intercept data, or initiate malicious transactions. In effect, the attacker is invading browser sessions to spy on users and steal credentials, login information, and session data.

ACCESS

Credential Theft

Most users with compromised devices are unaware they’re infected with malware. Their credentials are stolen by malware-controlled web browsers, then used to take over a user account or move laterally within the corporate network.

Brute Force

An attacker tries multiple username and password combinations, often using a dictionary of words or commonly used passwords or passphrases in an attempt to gain unauthorized access to an application or website.

Credential Stuffing

Attackers use automated injection of previously breached username/password pairs in order to fraudulently gain access and take over user accounts. Breached credentials are available for sale on the dark web, and it’s no secret that users frequently re-use passwords across multiple apps or websites.

Man-in-the-Browser

Attackers use some kind of browser-based malware to read HTTP messages, intercept data, or initiate malicious transactions. In effect, the attacker is invading browser sessions to spy on users and steal credentials, login information, and session data.
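
Added example (not F5 code and not part of the original page): a per-source check that tells the Brute Force pattern (many guesses against few accounts) from the Credential Stuffing pattern (about one attempt each across many accounts), run over constructed login events. The event format, the thresholds, and the function names are assumptions made for illustration.

```python
from collections import defaultdict

def make_sample_events():
    """Constructed sample data: (source_ip, username, login_succeeded)."""
    events = []
    # One source guessing many passwords for a single account.
    events += [("203.0.113.10", "alice", False)] * 30
    # One source trying one breached pair per account; a few pairs still work.
    for i in range(40):
        events.append(("198.51.100.7", f"user{i}", i % 20 == 0))
    # An ordinary user who mistypes a password once.
    events += [("192.0.2.5", "bob", False), ("192.0.2.5", "bob", True)]
    return events

def classify_sources(events, min_failures=20, stuffing_spread=0.8, brute_spread=0.2):
    """Label each source IP by how its failed logins are spread over accounts.

    spread = distinct usernames / total attempts (thresholds are assumed
    values; tune them against your own traffic).
    """
    attempts = defaultdict(int)
    failures = defaultdict(int)
    users = defaultdict(set)
    for ip, user, ok in events:
        attempts[ip] += 1
        users[ip].add(user)
        if not ok:
            failures[ip] += 1

    verdicts = {}
    for ip in attempts:
        if failures[ip] < min_failures:
            verdicts[ip] = "normal"
            continue
        spread = len(users[ip]) / attempts[ip]
        if spread >= stuffing_spread:
            verdicts[ip] = "credential_stuffing"
        elif spread <= brute_spread:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "suspicious"
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts that a flagged source logged in to successfully."""
    flagged = {ip for ip, v in verdicts.items() if v != "normal"}
    return sorted({user for ip, user, ok in events if ok and ip in flagged})

if __name__ == "__main__":
    sample = make_sample_events()
    result = classify_sources(sample)
    print(result)
    print(accounts_to_reset(sample, result))
```

Grouping by source IP misses attempts spread across many addresses, so the same counts are worth keeping per account and per time window as well.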

Global availability

Keep your applications healthy and performing for all users—everywhere.

Better time-to-market

Get your apps out the door and in the hands of your customers faster.

Dynamic defense

Defend against emergent threats with adaptive solutions that grow with your business. 

Refined Application Intelligence

Refine business intelligence for your applications by filtering unwanted interactions.

Web app and API solutions

F5 WAF can protect against application exploits, deter unwanted bots and other automation, and reduce costs in the cloud.

ADVANCED THREAT DEFENSE

Shield applications with a web application firewall

In the world of application security, there is one constant: the threats are always evolving. Even well-known threats receive renewed life as attackers develop new ways to leverage them. And it’s not just software vulnerabilities that must be repelled; bots and fraudsters continually advance their tactics in order to divert your revenue into their pockets. Advanced threats necessitate advanced countermeasures, and application-layer visibility is key to ensuring that your defenses remain effective over time.

WEB APPLICATION AND API PROTECTION PRODUCTS

F5 Advanced WAF

F5’s suite of advanced application defense features offers comprehensive protection and easily fits into the environment that makes sense for your organization.

F5 Silverline WAF

An always-on or on-demand managed WAF in the cloud gives you the comprehensive defense you need and the ease of manageability you desire.

MANAGING YOUR SOLUTION

Need help managing your WAF security solution? F5 offers numerous training opportunities and professional services.

Fully-Managed

F5 Silverline WAF delivers the always-on or on-demand, fully-managed WAF defenses you need and the ease of manageability you desire.


Self-Managed

An appliance or software virtual image for your on-premises, colocated data center, or public cloud environment that provides you direct control over your web application security.

DEPLOYING YOUR SOLUTION

F5 web application security solutions are available in both hardware and software to meet your deployment needs.

Hardware Appliance

Deploy our high-performance hardware in your on-premises datacenter or colocation facility.

Software Virtual Edition

Deploy our software solution on any hypervisor of your choice within your datacenter, colocation facility, or in AWS, Azure, or Google’s cloud.

HOW TO BUY

SUBSCRIPTION

Specify the number of instances you need and sign up for a 1-, 2-, or 3-year term that includes maintenance and support for updates.

PERPETUAL

Determine the number of instances you need and set up a licensing agreement. Perpetual licenses extend for the lifetime of the product and are available by individual service or in bundles.

ENTERPRISE LICENSE AGREEMENT (ELA)

Available in 1-, 2-, or 3-year terms, ELAs offer flexibility for large organizations to spin virtual instances up or down as needed. Product maintenance and support are included.

UTILITY

Buy an instance of the service you need through Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform, and just pay hourly for what you use.

DETER BAD BOTS

Manage your relationship with bots

Dealing with bots is part and parcel of conducting business online. Some are benign or can even be helpful, as is the case with digital assistants. But like any useful tool, bots can be co-opted by attackers to enable criminal activity. The threats are constantly evolving, driven by a growing list of motivations, including direct consumer fraud, IP theft, long-tail profiteering, political ends, or petty personal grudges—and bots are doing the dirty work.

WEB APP AND API PROTECTION PRODUCTS

F5 Advanced WAF

F5’s suite of advanced application defense features offers integrated bot management and easily fits into the environment that makes sense for your organization.


PROTECT USER CREDENTIALS

Defeat credential stuffing

Billions of user credentials have been stolen from various services over the past decade. These usernames, email addresses, and passwords are fed through automated systems to take over accounts all over the net. And even if you haven’t been breached, your customers are still at risk if they used the same account information elsewhere. Proactive systems like F5 Advanced WAF not only defend against these attempts, they actually help prevent such credentials from being captured and stolen in the first place.

MANAGING YOUR SOLUTION

Need help managing your WAF security solutions? F5 offers numerous training opportunities and professional services.

Self-Managed

An appliance or software virtual image for your on-premises, colocated data center, or public cloud environment that provides you direct control over your secure access proxy.


CUT COSTS IN THE CLOUD

The utility billing model of cloud services gives every client—and indeed every request—a quantifiable cost. Automated bots and scanners are literally costing money every time they interact with your services. Over time, these costs add up, contributing to a significant portion of your overall cloud bill. Smart solutions allow you to manage bot interactions and deflect unwanted ones. The end result is a boost to both your overall security posture and your bottom line.

The Hidden ROI of Cloud-Friendly Security


SHIP APPS FAST

Get speed and security

SQL injection and cross-site scripting continue to be common attack types. They’re well understood, but difficult to mitigate again and again, in every app shipped. Development teams simply don’t have the time or resources to build comprehensive coverage and meet their project timelines. F5 security solutions can give you the security you need while reducing your time to market.


WHY ADVANCED THREATS REQUIRE AN ADVANCED WAF

This on-demand webinar provides an in-depth look at the challenges we’re facing and how to meet them head-on.

Customer story

Premier Management Company Secures Healthcare Data with F5 Cloud-Based WAF

GET STARTED

Security products

Visit our Security Products page to learn about our robust portfolio for your application security needs.

Try before you buy

Get a free 90-day trial—see which products offer trials today.

Get the latest threat intel

Actionable application threat intelligence that analyzes the Who, What, When, Why, How, and What’s Next of cyber attacks to benefit the security community.