Where are F5's archived deployment guides?
Archived F5 Deployment Guides This article contains an index of F5’s archived deployment guides, previously hosted on F5 | Multi-Cloud Security and Application Delivery. They are all now hosted on cdn.f5.com. Archived guides... are no longer supported and no longer being updated - provided for reference only. may refer to products or versions, by F5 or 3rd parties that are end-of-life (EOL) or end-of-support (EOS). may refer to iApp templates that are deprecated. For current/updated iApps and FAST templates see myF5 K13422: F5-supported and F5-contributed iApp templates Current F5 Deployment Guides Deployment Guides (https://www.f5.com/resources/deployment-guides) IMPORTANT: The guidance found in archived guides is no longer supported by F5, Inc. and is supplied for reference only. For assistance configuring F5 devices with 3 rd party applications we recommend contacting F5 Professional Services here: Request Professional Services | F5 Archived Deployment Guide Index Deployment Guide Name (links to off-platform) Written for… CA Bundle Iapp BIG-IP V11.5+, V12.X, V13 Microsoft Internet Information Services 7.0, 7.5, 8.0, 10 BIG-IP V11.4 - V13: LTM, AAM, AFM Microsoft Exchange Server 2016 BIG-IP V11 - V13: LTM, APM, AFM Microsoft Sharepoint 2016 BIG-IP V11.4 - V13: LTM, APM, ASM, AFM, AAM Microsoft Active Directory Federation Services BIG-IP V11 - V13: LTM, APM SAP Netweaver: Erp Central Component BIG-IP V11.4: LTM, AAM, AFM, ASM SAP Netweaver: Enterprise Portal BIG-IP V11.4: LTM, AAM, AFM, ASM Microsoft Dynamics CRM 2013 And 2011 BIG-IP V11 - V13: LTM, APM, AFM IBM Qradar BIG-IP V11.3: LTM Microsoft Dynamics CRM 2016 and 2015 BIG-IP V11 - V13: LTM, APM, AFM SSL Intercept V1.5 BIG-IP V12.0+: LTM IBM Websphere 7 BIG-IP LTM, WEBACCELERATOR, FIREPASS Microsoft Dynamics CRM 4.0 BIG-IP V9.X: LTM SSL Intercept V1.0 BIG-IP V11.4+, V12.0: LTM, AFM SMTP Servers BIG-IP V11.4, V12.X, V13: LTM, AFM Oracle E-Business Suite 12 BIG-IP V11.4 - V13: LTM, AFM, AAM HTTP Applications BIG-IP V11.4 - V13: LTM, AFM, AAM Amazon Web Services Availability Zones BIG-IP LTM VE: V12.1.0 HF2+, V13 Oracle PeopleSoft Enterprise Applications BIG-IP V11.4+: LTM, AAM, AFM, ASM HTTP Applications: Downloadable IApp: BIG-IP V11.4 - V13: LTM, APM, AFM, ASM Oracle Weblogic 12.1, 10.3 BIG-IP V11.4: LTM, AFM, AAM IBM Lotus Sametime BIG-IP V10: LTM Analytics BIG-IP V11.4 - V14.1: LTM, APM, AAM, ASM, AFM Cacti Open Source Network Monitoring System BIG-IP V10: LTM NIST SP-800-53R4 Compliance BIG-IP: V12 Apache HTTP Server BIG-IP V11, V12: LTM, APM, AFM, AAM Diameter Traffic Management BIG-IP V10: LTM Nagios Open Source Network Monitoring System BIG-IP V10: LTM F5 BIG-IP Apm With IBM, Oracle and Microsoft BIG-IP V10: APM Apache Web Server BIG-IP V9.4.X, V10: LTM, WA DNS Traffic Management BIG-IP V10: LTM Diameter Traffic Management BIG-IP V11.4+, V12: LTM Citrix XenDesktop BIG-IP V10: LTM F5 As A SAML 2.0 Identity Provider For Common SaaS Applications BIG-IP V11.3+, V12.0 Apache Tomcat BIG-IP V10: LTM Citrix Presentation Server BIG-IP V9.X: LTM Npath Routing - Direct Server Return BIG-IP V11.4 - V13: LTM Data Center Firewall BIG-IP V11.6+, V12: AFM, LTM Citrix XenApp Or XenDesktop Iapp V2.3.0 BIG-IP V11, V12: LTM, APM, AFM Citrix XenApp Or XenDesktop BIG-IP V10.2.1: APMDEVCENTRAL END-USER LICENSE AGREEMENT
DEVCENTRAL END-USER LICENSE AGREEMENT Effective: January 24, 2022 IMPORTANT-READ CAREFULLY: This F5 End User License Agreement (“License”) is a legal agreement between you (either an individual or a single entity) and F5, Inc. for materials obtained from and participation in the F5 DevCentral site, which includes computer software and may include associated media, printed materials, and “online” or electronic documentation (“Software Product”). By installing, copying, or otherwise using the Software Product, you agree to be bound by the terms of this License. If you do not agree to the terms of this License, do not install or use the Software Product. The Software Product is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The Software Product is licensed, not sold. GRANT OF LICENSE (a) This License grants you the following rights: Software Product. F5 grants to you a non-transferable, nonexclusive license to make and use copies of the Software Product for the sole purposes of designing, developing, and testing your software product(s). You may install copies of the Software Product on an unlimited number of computers within your organization provided that you remain responsible for the compliance of each user with the terms and conditions hereof. Electronic Documents. Solely with respect to electronic documents included with the Software Product, you may make an unlimited number of copies (either in hardcopy or electronic form), provided that such copies shall be used only for internal purposes and are not republished or distributed to any third party. iii. Storage/Network Use. You may also store or install a copy of the Software Product on a storage device, such as a network server, used only to install or run the Software Product on your other computers over an internal network. (b) Control Library and Sample Code. In addition to the rights granted in Section 1(a.i), in the event the Software Product you are licensing is part of an iControl library or sample code identified in the F5 code share, F5 grants you a non-exclusive, royalty-free right to modify the source code version of those portions of the Software Product for the sole purposes of designing, developing, and testing your software product(s), provided that you comply with Section 1(b.iii), below. Redistributable Files. In addition to the rights granted in Section 1( b.i. ), F5 grants you a nonexclusive, royalty-free right to reproduce and distribute in object code form only the iControl library and sample code, provided that you comply with Section 1( b.iii. ), below. iii. Redistribution Requirements. If you wish to distribute the Redistributable Files (or any portion thereof), you agree to: ( 1 ) distribute the Redistributable Files in object code only in conjunction with and as a part of a software product (each, a “Licensee Product”) developed by you that is based on the Software Product and adds significant and primary functionality to an F5 product; (2) not use F5’s name, logo, or trademarks to market your Licensee Product unless you have obtained prior written approval from F5; (3) include a valid copyright notice on your Licensee Product and not remove any copyright, trademark, or other proprietary notices including attribution information, credits, and notices already placed in the Software Product; (4) indemnify, hold harmless, and defend F5 from and against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of your Licensee Product or your distribution of the Redistributable Files; (5) distribute all of the files listed under each of the headings in the Samples Directory; (6) not permit further distribution of the Redistributable Files, except as specifically provided for in this Agreement. Other than for iControl libraries and sample code, Software Products may not be redistributed without the prior written consent of F5. (c) The following exceptions apply to subsection 1( b.iii )(6), above: (A) you may permit further redistribution of the Limited Use Redistributable Files by your distributors to your end-user customers if your distributors only distribute the Limited Use Redistributable Files in conjunction with, and as part of, your Licensee Product and you and your distributors comply with all other terms of this License; (B) you may permit your end users to reproduce and distribute the object code version of the Limited-Use Redistributable files for use in development of an application created by your end user (“End User Application”), provided that your end user agrees in writing to: (i) distribute the Limited-Use Redistributable Files in object code only in conjunction with and as a part of a software application product developed by them that adds significant and primary functionality to the Limited-Use Redistributable Files (“End User Application”); (ii) not use F5’s name, logo, or trademarks to market the End User Application unless it has obtained prior written approval from F5; (iii) include a valid copyright notice on the End User Application and not remove any copyright, trademark, or other proprietary notices including attribution information, credits, and notices already placed in the Software Product; (iv) indemnify, hold harmless, and defend F5 from and against any claims or lawsuits, including attorney’s fees, that arise or result from the use or distribution of the End User Application; (v) disclaim all express and implied warranties on behalf of F5, and exclude liability of F5 and its licensors for any special, indirect, exemplary, incidental or consequential damages; (vi) not distribute less than all of the files listed under each of the headings in the Samples Directory file if your end user distributes any one or more of such files in an End User Application; and (vii) not permit further distribution of the Limited-Use Redistributable Files by the user of the End User Application. Limited-Use Redistributable Files: the Limited-Use Redistributable Files are all of the files listed in an iControl library or sample code identified in the F5 code share, except those in Section 3. COPYRIGHT. All title and copyrights in and to the Software Product (including but not limited to any images, photographs, and text incorporated into the Software Product), the accompanying printed materials, and any copies of the Software Product are owned by F5 and their respective copyright owners. The Software Product is protected by copyright laws and international treaty provisions. Therefore, you must treat the Software Product like any other copyrighted material except that you may install the Software Product on a single computer provided you keep the original solely for backup or archival purposes. You may not copy the printed materials accompanying the Software Product. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS (a) Limitations on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disassemble the Software Product, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation. (b) Separation of Components. The Software Product is licensed as a single product. Its component parts may not be separated for use on more than one computer. (c) Rental. You may not rent, lease, or lend the Software Product. (d) Support Services. F5 may, but shall be under no obligation to, correct any defects in the Software Product and/or provide updates to licensees of the Software Product. You shall make reasonable efforts to promptly report to F5 any defects you find in the Software Product, as an aid to creating improved revisions of the Software Product. You shall be solely responsible for, and F5 shall have no obligation to honor, any warranties that you provide to your customers or to end users with respect to the Software Product or Licensee Products. You shall defend any claim against F5 arising in connection with any such warranties, express, implied, statutory, or otherwise, and shall pay any settlements or damages awarded against F5 that are based on any such warranties. (e) Assignment. This Agreement shall be binding upon and inure to the benefit of the parties and their respective successors and assigns, provided, however that you may not assign this Agreement or any rights or obligation hereunder, directly or indirectly, by operation of law or otherwise, without the prior written consent of F5, and any such attempted assignment shall be void. Notwithstanding the foregoing, ( i ) you may assign this Agreement to a successor to all or substantially all of your business or assets to which this Agreement relates that is not a competitor of F5, and (ii) you shall have the right to transfer your rights hereunder to any company which is wholly owned by you provided such successor or subsidiary agrees in writing to be bound by all the terms and conditions of this Agreement that are applicable to you. (f) Termination. Without prejudice to any other rights, F5 may terminate this License if you fail to comply with the terms and conditions of this License. In such event, you must destroy all copies of the Software Product and all of its component parts. (g) No Other Rights Granted. Apart from the license rights expressly set forth in this Agreement, F5 does not grant and you do not receive any ownership right, title or interest nor any security interest or other interest in any intellectual property rights relating to the Software Product, nor in any copy of any part of the foregoing. You shall not use, license, sell or otherwise distribute the Software Product or any Licensee Product except as provided in this Agreement. U.S. GOVERNMENT RESTRICTED RIGHTS. The Software Product and documentation are provided with RESTRICTED RIGHTS. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c )(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs ( c )(1) and (2) of the Commercial Computer Software-Restricted Rights at 48 CFR 52.227-19, as applicable. Manufacturer is F5, Inc./801 5 th Ave West/Seattle, WA 98104. EXPORT RESTRICTIONS. You agree that neither you nor your customers intend to or will, directly or indirectly, export or transmit ( i ) the SOFTWARE or related documentation and technical data or (ii) your software product as described in Section 1( f ) of this License (or any part thereof), or process, or service that is the direct product of the SOFTWARE, to any country to which such export or transmission is restricted by any applicable U.S. regulation or statute, without the prior written consent, if required, of the Bureau of Export Administration of the U.S. Department of Commerce, or such other governmental entity as may have jurisdiction over such export or transmission. PARTICIPATION IN THE DEVCENTRAL COMMUNITY. You agree to comply with the Terms of Use for the F5 website on which DevCentral is hosted. Any personal information you provide when participating in the DevCentral community will be treated in accordance with the F5 Privacy Notice. LIMITATION OF LIABILITY. (a) THE INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES INCLUDED IN OR AVAILABLE THROUGH THE DevCentral WEB SITE MAY INCLUDE INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. DevCentral AND/OR ITS SUPPLIERS MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE DevCentral WEB SITE AT ANY TIME. ADVICE RECEIVED VIA THE DevCentral WEB SITE SHOULD NOT BE RELIED UPON FOR PERSONAL, MEDICAL, LEGAL OR FINANCIAL DECISIONS AND YOU SHOULD CONSULT AN APPROPRIATE PROFESSIONAL FOR SPECIFIC ADVICE TAILORED TO YOUR SITUATION. IF YOU ARE DISSATISFIED WITH ANY PORTION OF THE DevCentral WEB SITE, OR WITH ANY OF THESE TERMS OF USE, YOUR SOLE AND EXCLUSIVE REMEDY IS TO DISCONTINUE USING THE DevCentral WEB SITE. Service Contact: devcentral@f5.com. (b) THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE Software Product IS PROVIDED “AS IS” AND F5 AND ITS SUPPLIERS DISCLAIM ALL OTHER WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR CONDUCT WITH LICENSEE, OR OTHERWISE. F5 SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THE Software Product OR ANY UPGRADES TO OR DOCUMENTATION FOR THE Software Product. WITHOUT LIMITATION OF THE ABOVE, F5 GRANTS NO WARRANTY THAT THE Software Product IS ERROR-FREE OR WILL OPERATE WITHOUT INTERRUPTION, AND GRANTS NO WARRANTY REGARDING ITS USE OR THE RESULTS THEREFROM INCLUDING, WITHOUT LIMITATION, ITS CORRECTNESS, ACCURACY OR RELIABILITY. NOTWITHSTANDING THE FOREGOING, F5 WARRANTS THAT IT HAS ALL THIRD PARTY LICENSE RIGHTS THAT ARE NECESSARY TO GRANT THE LICENSE RIGHTS SET FORTH HEREIN. (c) IN NO EVENT SHALL F5 HAVE ANY LIABILITY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER FOR BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, ARISING OUT OF THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, EVEN IF F5 HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. EXCEPT WITH RESPECT TO THE WARRANTY SET FORTH IN THE LAST SENTENCE OF THE “LIMITED WARRANTY” SECTION ABOVE, F5’s ENTIRE LIABILITY AND YOUR EXCLUSIVE REMEDY UNDER THIS License SHALL NOT EXCEED ONE HUNDRED DOLLARS (US{0}00.00). MISCELLANEOUS. If you acquired this product in the United States, this License is governed by the laws of the State of Washington. If this product was acquired outside the United States, then local law may apply. Should you have any questions concerning this License, or if you desire to contact F5 for any reason, please contact the F5 location serving your country, or write: F5, Inc./Attn: Legal Department/801 5th Ave/Seattle, WA 98104. If you have a specific question regarding the licensing of redistributable files, you may call contact F5 at info@f5.com inquiries via fax to F5 SDK for iControl (206) 272-5556 (United States only).DevCentral MVP Program
Every day, all over the world, smart, passionate people are doing amazing things with their F5 gear and sharing that knowledge with their peers. The DevCentral Community MVP program shines a spotlight on the best, brightest and most active members of our community, and rewards them for their efforts. The DevCentral Community MVP is an annual award given to a select cohort of the best, brightest, and most active members of our community - users who actively improve F5 user communities and the broader tech industry by sharing their technical experience and expertise with others. We like to reward people who help make our technical user communities healthy and a place users want to interact, and would like to say thank-you to you specifically for making our communities a valuable resource for all users. MVPs get a special badge on their profile for the calendar year of their cohort, so users can know at a glance who they are. Among other things, they also get exclusive swag, invitations to technical deep-dive and sneak-preview sessions presented by F5 SMEs, invitations to the MVP Group and are often highlighted in our monthly Featured Member articles. Here's the announcement of the 2023 cohort! To nominate someone who has helped you to be an MVP, click HERE.Getting Started on DevCentral
DevCentral, supported by F5, is an online community of technical peers dedicated to learning, exchanging ideas, and solving problems - together. Here are some tips to get you started, so you can maximize the value from this community space. Register a free user account Click the Register link at the top right of every DevCentral page Authenticate with any valid email address. TIP: You may use the same email address as your MyF5 profile (this will enable a simpler, Single Sign On (SSO) experience between my.f5.com and community.f5.com) or you may opt to use a personal email address for your community profile. Using a personal email address for community usually requires a separate login, using a customer email account, to access support and subscription information via my.f5.com. Next you will be taken to a confirmation page Email Verification You will receive an email from <noreply@mail.account.f5.com> Click the Activate Account button in the confirmation email in order to activate your new account. Setting up MFA / 2-step Authentication Successful email activation brings you to 2-Step Authentication setup. Mandatory: Choose one or more of the available 2-step modes to secure your account and follow the steps provided. Complete (DevCentral) Registration Once you have finished with 2-step Authentication you will be asked to Choose a unique username Accept the Terms of Service. Click the Complete button TIP: You will receive confirmation email from noreply@mail.account.f5.com related to your SSO account AND email from replies-disabled@community-mail.f5.com welcoming you to the community or alerting you to badges earned, etc. To be notified in the future of content updates you choose to follow - be sure to allow email from replies-disabled@community-mail.f5.com You may also choose to limit what email you want to see and/or how often you want to see it by configuring your Follows & Notification Preferences under My Profile > My Settings. Congratulations! Your DevCentral community profile is complete. Build Community Profile To maximize the value of your community experience visit My Settings to adjust the behavior of the community to suit your needs. Settings include Personal details, global Preferences, settings under Follows & Notifications to control platform alerts and email, and Security & Account settings to control your data. Click on your profile avatar in the top right of the page and go to My Settings. Personal Information Change your username, avatar, Bio, Personal Notes, and Personal Site URL at any time. RE: Email Addresses At this time email addresses are key and cannot be changed directly. To update an email address on an existing DevCentral profile contact us at DevCentralFeedback@f5.com and ask to help updating your email address. Preferences At this time preference options are limited to Date and TimeZone choices. Follows & Notifications See the content you are Following. You can filter the way this displays using the dropdown at the top. A revealed ellipses at right lets you unfollow. Below that is the Email Notification preferences. Including global enable/disable and choices for delivery timing for all manner of triggers. Security & Account Personal information related to IP Addresses and the ability to download a copy of your data from the community is here. Only you can see this information. Still need help? If you still can’t find what you need, send a message to DevCentralFeedback@f5.com and we’ll work to get your issue sorted.DevCentral Resources
DevCentral offers resources that let you get a closer look at F5 products and the code behind them. API Documentation - Here's where you'll find documentation on iRules, iControl, and iApps; advanced design and configuration techniques, and more. Downloads - Get a comprehensive, fully sortable, list of downloads of interest to devs. Developer License - Buy a low-cost Developer License so you can try F5 products in your own development and test environments. Support Self-solve issues with Knowledge Base articles, the iHealth Diagnostic Tool, technical product documentation, and more - all on F5 Support. Knowledge Center Articles Product Documentation iHealth Diagnostic Tool Resources on F5.com F5's corporate site offers everything from the latest deployment guides to training opportunities. Deployment Guides Training and Certification F5 Labs
Making WAF Simple: Introducing the OWASP Compliance Dashboard
Whether you are a beginner or an expert, there is a truth that I want to let you in on; building and maintaining Web Application Firewall (WAF) security policies can be challenging. How much security do you really need? Is your configuration too much or too little? Have you created an operational nightmare? Many well-intentioned administrators will initially enable every available feature, thinking that it is providing additional security to the application, when in truth, it is hindering it. How, you may ask? False positives and noise. The more noise and false positives, the harder it becomes to find the real attacks and the increased likelihood that you begin disabling features that ARE providing essential security for your applications. So… less is better then? That isn't the answer either, what good are our security solutions if they aren't protecting against anything? The key to success and what we will look at further in this article, is implementing best practice controls that are both measurable and manageable for your organization. The OWASP Application Security Top 10 is a well-respected list of the ten most prevalent and dangerous application layer attacks that you almost certainly should protect your applications from. By first focusing your security controls on the items in the OWASP Top 10, you are improving the manageability of your security solution and getting the most "bang for your buck". Now, the challenge is, how do you take such a list and build real security protections for your applications? Introducing the OWASP Compliance Dashboard Protecting your applications against the OWASP Top 10 is not a new thing, in fact, many organizations have been taking this approach for quite some time. The challenge is that most implementations that claim to "protect" against the OWASP Top 10 rely solely on signature-based protections for only a small subset of the list and provide zero insight into your compliance status. The OWASP Compliance Dashboard introduced in version 15.0 on BIG-IP Advanced WAF reinvents this idea by providing a holistic and interactive dashboard that clearly measures your compliancy against the OWASP Application Security Top 10. The Top 10 is then broken down into specific security protections including both positive and negative security controls that can be enabled, disabled, or ignored directly on the dashboard. We realize that a WAF policy alone may not provide complete protection across the OWASP Top 10, this is why the dashboard also includes the ability to review and track the compliancy of best practices outside the scope of a WAF alone, such as whether the application is subject to routine patching or vulnerability scanning. To illustrate this, let’s assume I have created a brand new WAF policy using the Rapid Deployment policy template and accepted all default settings, what compliance score do you think this policy might have? Let's take a look. Interesting. The policy is 0/10 compliant and only A2 Broken Authentication and A3 Sensitive Data Exposure have partial compliance. Why is that? The Rapid Deployment template should include some protections by default, shouldn't it? Expanding A1 Injection, we see a list of protections required in order to be marked as compliant. Hovering over the list of attack signatures, we see that each category of signature is in 'Staging' mode, aha! Signatures in staging mode are not enforced and therefore cannot block traffic. Until the signature set is in enforced, we do not mark that protection as compliant. For those of you who have mistakenly left entities such as Signatures in staging for longer than desired, this is also a GREAT way to quickly find them. I also told you we could also interact with the dashboard to influence the compliancy score, lets demonstrate that. Each item can be enforced DIRECTLY on the dashboard by selecting the "Enforce" checkmark on the right. No need to go into multiple menus, you can enforce all these security settings on a single page and preview the compliance status immediately. If you are happy with your selection, click on "Review & Update" to perform a final review of what the dashboard will be configuring on your behalf before you can click on "Save & Apply Policy". Note: Enforcing signatures before a period of staging may not be a good idea depending on your environment. Staging provides a period to assess signature matches in order to eliminate false positives. Enforcing these signatures too quickly could result in the denying of legitimate traffic. Let's review the compliancy of our policy now with these changes applied. As you can see, A1 Injection is now 100% compliant and other categories have also had their score updated as a result of enforcing these signatures. The reason for this is because there is overlap in the security controls applied across these other categories. Not all security controls can be fully implemented directly via the dashboard, and as mentioned previously, not all security controls are signature-based. A6 Cross-Site Scripting was recalculated as 50% complaint with the signatures we enforced previously so let's take a look at what else it required for full compliancy. The options available to us are to IGNORE the requirement, meaning we will be granted full compliancy for that item without implementing any protection, or we can manually configure the protection referenced. We may want to ignore a protection if it is not applicable to the application or if it is not in scope for your deployment. Be mindful that ignoring an item means you are potentially misrepresenting the score of your policy, be very certain that the protection you are ignoring is in fact not applicable before doing so. I've selected to ignore the requirement for "Disallowed Meta Characters in Parameters" and my policy is now 100% compliance for A7 Cross-Site Scripting (XSS). Lastly, we will look at items within the dashboard that fall outside the scope of WAF protections. Under A9 Using Components with Known Vulnerabilities, we are presented with a series of best practices such as “Application and system hardening”, “Application and system patching” and “Vulnerability scanner integration”. Using the dashboard, you can click on the checkmark to the right for "Requirement fulfilled" to indicate that your organization implements these best practices. By doing so, the OWASP Compliance score updates, providing you with real-time visibility into the compliancy for your application. Conclusion The OWASP Compliance Dashboard on BIG-IP Advanced WAF is a perfect fit for the security administrator looking to fine-tune and measure either existing or new WAF policies against the OWASP App Security Top 10. The OWASP Compliance Dashboard not only tracks WAF-specific security protections but also includes general best practices, allowing you to use the dashboard as your one-stop-shop to measure the compliancy for ALL your applications. For many applications, protection against the OWASP Top 10 may be enough, as it provides you with best practices to follow without having to worry about which features to implement and where. Note: Keep in mind that some applications may require additional controls beyond the protections included in the OWASP Top 10 list. For teams heavily embracing automation and CI/CD pipelines, logging into a GUI to perform changes likely does not sound appealing. In that case, I suggest reading more about our Declarative Advanced WAF policy framework which can be used to represent the WAF policies in any CI/CD pipeline. Combine this with the OWASP Compliance Dashboard for an at-a-glance assessment of your policy and you have the best of both worlds. If you're not already using the OWASP Compliance Dashboard, what are you waiting for? Look out for Bill Brazill, Victor Granic and myself (Kyle McKay) on June 10th at F5 Agility 2020 where we will be presenting and facilitating a class called "Protecting against the OWASP Top 10". In this class, we will be showcasing the OWASP Compliance Dashboard on BIG-IP Advanced WAF further and providing ample hands-on time fine-tuning and measuring WAF policies for OWASP Compliance. Hope to see you there! To learn more, visit the links below. Links OWASP Compliance Dashboard: https://support.f5.com/csp/article/K52596282 OWASP Application Security Top 10: https://owasp.org/www-project-top-ten/ Agility 2020: https://www.f5.com/agility/attendHow to listen to the DevCentral Podcasts
Announcing the DevCentral Podcasts! DevCentral Podcasts After about 100 video live streams, we are now offering the DevCentral Connects live stream as an audio podcast. This can be found on all the main podcast platforms. Additional podcasts can be found under the DevCentral channel as well. F5's Office of the CTO shares "WebAssembly Unleashed," a podcast for architects, practitioners, technologists, and general Wasm enthusiasts. Watch the feed and join the hosts to dig into all things Wasm! DevCentral Connects on Apple Podcasts DevCentral Connects on Spotify To accommodate this format, I'll ensure that if there is ever any video content, it will be narrated such that the audio experience isn't missing out. Heavily technical content requiring following screen actions such as JRahm 's Live Coding Sessions will be done in its own format, still via live stream video. These shows pop-up whenever Jason has an idea brewing in his mind so I suggest you subscribe to DevCentral on YouTube, LinkedIn, Twitter or Facebook to get notified when he does go live. Hint: Join the DevCentral Connects Group hub to get advance notice of events like these! This Month In Security Podcast Be sure to check out AubreyKingF5on his Security collaboration podcast which is also available on all major platforms. This collaboration with F5 SIRT and F5 Labs is a must see listen if you want dive deeper into security! This Month in Security on Apple PodcastsDevCentral Community Ranking Explained
What is that little cloud icon for? What does it mean? I've heard this question a handful of times since we launched and finally grabbed some time to describe it for you all. TL;DR, that icon signifies a members' level of engagement on DevCentral. and we decided to play with the cloud motif because it was fun. Rankings in Greater Detail Ranks (and clouds for that matter) are derived from a semi-fluid arrangement of factors such as time, contributions, reactions, and interactions with the content of the site (or environment). As of this writing, outside of employees and MVPs, the highest rank for active members is Nacreous achieved only by Samir and cjunior. In the end, this means that if you see someone with a rank icon with a lightning bolt or star in it, that user has established credibility with the rest of our community! These ranks do NOT imply accuracy of a given piece of advice. Nor do they illuminate skill or knowledge generally; those things are earned from innumerable places well beyond our virtual walls, but we hope this rank designation is one simple way we might help you, at a glance, understand just who you a member is with respect to their energies at DevCentral. As you can see in this chart, we have room for growth. By way of comparison, I checked on JRahm, and he *would be* at that level right above Nacreous. For the sake of intrigue, I have left off the names we provided for the next four ranks. It'll be fun to see those ranks get exposed. 😄 I should note that during the recent migration we were unable to translate any of the kudos/upvotes users may have earned or given between 2005 & 2019. This is a softspot that primarily affects really long-term members (like JRahm) but once kudos and solutions begin piling up in our new system I would expect to see increased movement up the ranks. Next time, I'll review our incoming badging system. Cheers!
