Policy creation: who's in the driver's seat?

Question

We have ASM 10.1.0 in-house. We've not yet gotten around to putting it into use but I've lately been asked to setting up policies for some of our applications. I've taken a look at the Getting Started manual and the Configuration manual but I'm still not sure on where to begin. My main challenge is that all of my history in our IT organization has been on the systems side of things especially OS (mostly Linux nowadays) and networking, but ASM configuration looks as though it's driven by the application. Since I am not acquainted with our applications beyond being able to log in to one or two of them, I'm not clear on how I'd proceed with the creation of an ASM app policy. Although I can click "Next/Next/Next/Finish" with the best of 'em, it seems to me that tailoring an ASM policy requires some level of understanding of the application not just overall OS/networking/etc. knowledge.&nbsp;
&nbsp;My question is pretty basic:  who drives ASM policy creation at your shop: application owner, overall application architect/guru, systems guy, etc.?  If you have a primary F5 ASM administrator, does he possess a strong knowledge of your applications or does he work closely with application experts? What kind of ASM administration role (if any) do you give to app owners?&nbsp;
&nbsp;My goal: convince the powers that be that we're going to have to get applications people involved in ASM policy creation and/or get the app people to work with me to get me up to speed on the apps which they'd like me to secure for them.&nbsp;
&nbsp;Thanks for your input!
&nbsp;Dave U.&nbsp;

hooleylist · Answer

Hi Dave, 
&nbsp;  
&nbsp; Administering an ASM policy requires some knowledge of web applications and web app security as well as the specific web app behavior of the application being protected.  In large enterprises, there might be a specific person or team that has this knowledge.  In that case, they would be the natural pick for who administers the ASM policy.   
&nbsp;  
&nbsp; In smaller organizations without a dedicated web app security team, the application owners and network administrators generally share responsibility for ASM administration.  In many implementations, the LTM admins will administer the policy, but check with the application owners to get more information on what the expected client and web app behaviors are.  If the LTM admins don't have any understanding of web applications, some companies have had the application owners administer the ASM policies.  I'd say the latter is less common in my experience. 
&nbsp;  
&nbsp; It doesn't take an expert in web app security to administer a policy.  Once someone has a bit of experience interpreting ASM forensics, it will become much simpler to administer the policy with less and less help from the application owners. 
&nbsp;  
&nbsp; I'm interested in seeing what other people's experiences are with this. 
&nbsp;  
&nbsp; Aaron

mike_maher · Answer

Well I am pretty much the ASM administrator at my company, or rather it belongs to my team, which is defined basically as a Perimeter Security group. So we mostly deal with network security, but this landed with us years ago when it was TrafficShield. I took it on from someone who left about 2 years ago and my background is mostly in network and systems security. Most of the time I setup the ASM and get the policy in learning mode in our test environment and then take time with the developers/application owners to go over what was learned in the policy and what I should accept. The whole process from test environment setup to production implementation takes about a month on average. I am currently working to define and document a process for all of this so that I can hand it to basically anyone on my team to work with a project for a new application. As well as documentation for the developers on suggested testing procedure, how ASM works, what it blocks on, and why. The problem I see with just handing over policy management to application owners/developers is that at least in my company they are not very security minded, and they just want to make it work and get it out there. Not to say they would purposely turn something off that they knew would create a security hole, but a lot of the time if you are not dealing with security on a day to day basis you don't necessarily think it all the way through, just like anything else.

hooleylist · Answer

Your situation is pretty similar to the customers I was working with on ASM.  I don't like the idea of app owners exclusively maintaining the policy.  Management generally already places too much emphasis on functionality and new features over security.  If there is no one outside them and the app owners to dictate security policy, you end up with very open, insecure implementations. 
&nbsp;  
&nbsp; If you feel like publishing anonymized versions of any of your documentation or processes, I'm sure other ASM admins would appreciate it.  I know a lot might be specific to your company, but I imagine a decent amount could go towards helping others establish best practices. 
&nbsp;  
&nbsp; Aaron

mike_maher · Answer

Some will be specific to my company but some of them should be fairly generic, I will post as much as I can.  &nbsp;
&nbsp;Mike&nbsp;

christopher_boo · Answer

Mike, 
&nbsp;  
&nbsp; Ddi you ever get a chance to post your documentation?  I'd love to see it. 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Chris &nbsp;

Forum Discussion

Policy creation: who's in the driver's seat?

6 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 1 - Policy Creation)

Auditing Security Policy Updates

Minimizing Security Complexity: Managing Distributed WAF Policies

Prevent BIG-IP Edge Client VPN Driver to roll back (or forward) during PPP/RAS errors

AS3 Json for pool creation