Forum Discussion

Nimbostratus

Apr 20, 2017

Best way to let developers adjust ASM policy

Hello Everyone, Intro: Behind our F5's we have multiple web servers managed be different dev teams with different security levels and also working with different technologies. I'd like to a...

Hannes_Rapp_162
Jul 11, 2017
You're describing the typical dilemma of risk management. Luckily (or sadly), you only have 2 choices here. The same as with any other security upgrades.

Accept increased risk of service disruption but minimize risk of security breaches
Accept increased risk of security breaches but minimize risk of service disruption

My preference is first. I always want to avoid using any learning or staging. But this also means a WAF 'babysitter' must personally attend every application upgrade intervention to make quick calls and policy adjustments accordingly. Legitimate traffic blockings will inevitably occur more often with this path of action. That's the tradeoff. On positive, policies will be exposed to 'unfinished' status for a much shorter period of time as the application upgrades take place.

Hannes_Rapp

Nimbostratus

Jul 11, 2017

You're describing the typical dilemma of risk management. Luckily (or sadly), you only have 2 choices here. The same as with any other security upgrades.

Accept increased risk of service disruption but minimize risk of security breaches
Accept increased risk of security breaches but minimize risk of service disruption

My preference is first. I always want to avoid using any learning or staging. But this also means a WAF 'babysitter' must personally attend every application upgrade intervention to make quick calls and policy adjustments accordingly. Legitimate traffic blockings will inevitably occur more often with this path of action. That's the tradeoff. On positive, policies will be exposed to 'unfinished' status for a much shorter period of time as the application upgrades take place.

zandar_304392
Nimbostratus
Jul 11, 2017
Hello Hannes Rapp,

thank you for your answer. We are currently using let say little bit automated option nr. 1. But as our web services are growing, I'm looking for maybe more optimal way to address this issues.

I'm completli aware of what are you writing here and thats why I believe I could develop some kind of "self provisioning" portal for developers to upgrade the security policy.

Y

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Best way to let developers adjust ASM policy

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Re: Intro to Load Balancing for Developers – The Algorithms

Access policy, LTM policy and iRules

Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 2 - Policy Import)

iRule LX (Node.js) development environment

Deploying F5 BIG-IP in Microsoft Azure for Developers

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS