WAF Organizational Processes

Hello!

I'm a project manager responsible for our WAF implementation and likely more engaged in WAF care and feeding that most project managers.  😀

I'd like to understand from others their WAF organizational processes with the goal of improving ours.

I'm responsible for hosting a weekly WAF tuning meeting.  Our WAF admin pulls data from our Splunk logs and brings up samples for policies that we've not yet put into production mode.  Our WAF admin wants our two application developers on our WAF team to say "yea" or "nay" for each sample to be tuned.  This is incredibly tedious but our hope is to reduce false positives.  How do other orgs handle pre-production tuning?

We have a similar process if a production deployed policy receives a block.  Our business owner for the application opens a ticket for their end user.  Since I'm not allowed access to F5 WAF, I use the support ID to look up the WAF report in an Apex application one of our developers wrote.  I provide this report to our WAF admin who waits for one of our WAF team app devs to say "yea" or "nay" on whether it's legit traffic.  If it's legit, he tunes the policy but sometimes still with apprehension.  This results in either my needing to schedule a special meeting with our WAF team (includes me, 2 apps devs, WAF admin, sys admin manager, my manager, and 1-2 reps from security) or taking time in a tuning meeting to review the tuning adjustment that was made and get a ruling on whether it it's too risky to keep in place or it's safe to remain.  How do your organizations handle reports of blocks from your business owners and their end users?

I truly feel we can and should improve so I'm eager to hear what others in the community are doing.

Thank you!

Jodi