Forum Discussion
daveu8282_20327
Feb 15, 2011 Nimbostratus
Policy creation: who's in the driver's seat?
We have ASM 10.1.0 in-house. We've not yet gotten around to putting it into use but I've lately been asked to set up policies for some of our applications. I've taken a look at the Getting Started...
hooleylist
Feb 15, 2011 Cirrostratus
Hi Dave,
Administering an ASM policy requires some knowledge of web applications and web app security as well as the specific web app behavior of the application being protected. In large enterprises, there might be a specific person or team that has this knowledge. In that case, they would be the natural pick for who administers the ASM policy.
In smaller organizations without a dedicated web app security team, the application owners and network administrators generally share responsibility for ASM administration. In many implementations, the LTM admins will administer the policy, but check with the application owners to get more information on what the expected client and web app behaviors are. If the LTM admins don't have any understanding of web applications, some companies have had the application owners administer the ASM policies. I'd say the latter is less common in my experience.
It doesn't take an expert in web app security to administer a policy. Once someone has a bit of experience interpreting ASM forensics, it will become much simpler to administer the policy with less and less help from the application owners.
I'm interested in seeing what other people's experiences are with this.
Aaron