Baseline security

Thanks Erik for the reply, We have policies that works well. But what i am looking for is more of a business side of minimum/baseline level of security configuration (settings) when creating policies..like the acceptable length of URL to be 2048. We have many applications (legacy) that uses more than 2048 which is considered as a risk. If an alert occur and i go back to application team with recommended size of 2048 he is going to ask me the 'what is your baseline configuration settings'? or he will say 'What's F5 recommendation (i know its silly and hard to explain to these guys !) . We need this documentation to convince the client/business that you cannot deviate the standards. If deviation we will ask for RAF ( Risk acceptance Form) to be approved by management so that this risk wont kept on our (security guys) shoulder. Simply i need to noted down all the baseline configuration settings in a document and approved by security & application owner.

Hello Mate,

 

As Eric arlready said, it is difficult to define baseline without understanding the application. However, to start with generic approach, cover OWASP 10.

 

For the ASM implementations, select the suitable implementation method according to your requirements. ASM can create the policy automatically according to your traffic flow but again that depends on your requirement.

 

-Jinshu

 

It's difficult to define "baseline standards" as every application is different and their are variances in security needs. In many cases, ASM implementations begin with a security policy based on the Rapid Deployment template, which will cover the OWASP Top 10, will provide HTTP RFC compliance, attack signatures, and evasion detection protection. As you get more comfortable with ASM and improve at interpreting and handling violations, you can develop a more comprehensive policy by layering on more protection for allowing only specific file types, URLs, and various types of parameter protection.