Policy creation: who's in the driver's seat?
We have ASM 10.1.0 in-house. We've not yet gotten around to putting it into use, but I've lately been asked to set up policies for some of our applications. I've taken a look at the Getting Started manual and the Configuration manual, but I'm still not sure where to begin. My main challenge is that all of my history in our IT organization has been on the systems side of things, especially OS (mostly Linux nowadays) and networking, but ASM configuration looks as though it's driven by the application. Since I am not acquainted with our applications beyond being able to log in to one or two of them, I'm not clear on how I'd proceed with the creation of an ASM app policy. Although I can click "Next/Next/Next/Finish" with the best of 'em, it seems to me that tailoring an ASM policy requires some level of understanding of the application, not just overall OS/networking/etc. knowledge.
My question is pretty basic: who drives ASM policy creation at your shop: application owner, overall application architect/guru, systems guy, etc.? If you have a primary F5 ASM administrator, does he possess a strong knowledge of your applications or does he work closely with application experts? What kind of ASM administration role (if any) do you give to app owners?
My goal: convince the powers that be that we're going to have to get applications people involved in ASM policy creation and/or get the app people to work with me to get me up to speed on the apps which they'd like me to secure for them.
Thanks for your input!