F5 BIG-IP Advanced WAF: OWASP Top 10 Application Security Risks 2021 Compliance Dashboard
Introduction
The number of vulnerabilities, and of application and API attacks exploiting those vulnerabilities, has steadily risen. Vulnerabilities like Log4Shell in Log4j, and the exploits built on them, continue to impact many organizations even today. This is where a web application firewall (WAF) solution can protect your apps and APIs.
One of the most respected authorities in web application security is the Open Web Application Security Project (OWASP). OWASP is an open-source project to improve web application security, a coalition of individual contributors and sponsor companies who come together to contribute resources to the project. One of the best-known resources the project delivers is the OWASP Top 10 List. Since web application vulnerability risks change frequently, becoming comparatively more or less critical over time, the OWASP Top 10 List is periodically updated to reflect these changes. The first version of the list was created in 2004, then updated in 2007, 2010, 2013, 2017, and again in 2021 (its most recent version).
Figure 1: OWASP Top 10 Web Application Security Risks of 2021
F5 delivers a number of security solutions to help mitigate vulnerabilities in the OWASP categories and the exploits that are built on them. To help you stay compliant with the OWASP Top 10, F5 BIG-IP Advanced WAF offers a dedicated OWASP compliance dashboard that lets security admins check how well their policy is set to defend against the OWASP Top 10 and allows organizations to easily reach 100% coverage. The solution makes it simple to modify policies to improve protection against exploitation of vulnerabilities in the OWASP Top 10.
The compliance dashboard provides a holistic and interactive view that shows the level of mitigation the SecOps team has applied against each OWASP Top 10 vulnerability category. It provides an overall assessment of the policies created and a percentage of how much each policy protects against the various vulnerability categories. The dashboard allows SecOps to increase or adjust the level of protection in real time based on their needs by deploying pre-defined policies that mitigate the vulnerabilities and their associated exploits. This can be done directly from the BIG-IP Advanced WAF’s OWASP Top 10 2021 Dashboard, simplifying protection against known, unknown, and hidden vulnerabilities. Simple, quick, and easy vulnerability and exploit protection, from a single dashboard.
Protection Overview
Navigating to the OWASP Compliance screen, you can see the list of all the security policies. Clicking on a policy displays the OWASP compliance status for that policy and the coverage for each category.
Figure 2: OWASP Compliance screen
Expanding a category presents the compliance percentage, a description of that security risk, and the configuration required for full security coverage for this category. Each category is broken down into specific security protections, including positive and negative security controls that can be enabled, disabled, or ignored directly on the dashboard based on your organization’s requirements.
- Required Attack Signatures: Enforce all the relevant attack signatures for this attack type directly from the dashboard.
- Required Policy Entities: Add protection configuration components such as cookie and login enforcement, data masking, evasion-technique detection, methods, URLs, and other configurations relevant to each attack type.
In addition to WAF-specific security protections, the OWASP Compliance Dashboard also lists security best practices to follow in your processes, such as vulnerability scanning or using trusted repositories.
Figure 3: OWASP category A03 Injection – protection and compliance
The following video shows how to monitor the compliance coverage of security risks and how to quickly enhance an organization's security configuration directly from the dashboard to reach full compliance and protection against OWASP Top 10 vulnerabilities that are being actively exploited.
Conclusion
Web applications remain a top target for threats, such as automated attacks, data exfiltration, and vulnerabilities. But F5 can help! Not only can you check off regulatory compliance, but you can also create reports via the security score of deployed policies that address the OWASP Top 10, enabling security admins to view each policy’s coverage status, improve protections where necessary, and even perform security configuration directly from the dashboard.
To learn more, please visit:
- How to deploy a basic OWASP Top 10 for 2021 compliant declarative WAF policy for BIG-IP
- K45215395: Guide introduction and contents | Secure against the OWASP Top 10 for 2021
- K000135973: Guide Introduction and contents | APIs and the OWASP Top 10 guide (2023)
- Mitigating OWASP API Security risks using BIG-IP
- BIG-IP Advanced WAF Webpage
- Overview of BIG-IP