ASM Performance Optimization (Conditional policy selection based on HTTP method)
There are significantly more opportunities for web application exploitation with the use of HTTP POST requests (search forms, registration forms, "leave comment" fields, and much more). On the other hand, when it comes to HTTP GET requests, there are not as many attack vectors. Perhaps going for a 2-policy setup (GET policy + POST policy) per application would make sense for the performance optimization benefit.
Here goes my question. Assuming that I'm willing to put in the effort to create a second policy (for GET requests only) which excludes all the security checks and attack detection signatures that are only relevant for POST requests, will there be any considerable performance gains?
Alternatively, is it not worth the effort for whatever reason? I'm not sure if the recent versions of ASM software include built-in self-intelligence to take care of this problem automatically.
Hannes,