Forum Discussion

zandar_304392
Apr 20, 2017

Best way to let developers adjust ASM policy

Hello Everyone, Intro: Behind our F5's we have multiple web servers managed by different dev teams with different security levels and also working with different technologies. I'd like to a...
  • Hannes_Rapp_162
    Jul 11, 2017

    You're describing the typical dilemma of risk management. Luckily (or sadly), you only have 2 choices here. The same as with any other security upgrades.

     

    1. Accept increased risk of service disruption but minimize risk of security breaches
    2. Accept increased risk of security breaches but minimize risk of service disruption

    My preference is the first. I always want to avoid using any learning or staging. But this also means a WAF 'babysitter' must personally attend every application upgrade intervention to make quick calls and policy adjustments accordingly. Blocking of legitimate traffic will inevitably occur more often with this path of action. That's the tradeoff. On the positive side, policies will be exposed to 'unfinished' status for a much shorter period of time as the application upgrades take place.