A few days ago, I had a great conversation with an ASM specialist about how ASM can be included in DevOps.
Every application developed and deployed needs to be secured, and using ASM as an application firewall is a great solution, in large part because ASM is policy-based: a policy describes which signatures are allowed and which are blocked.
Typically, developers understand the application they develop better than anybody else. Because of that, it makes sense to let them develop the ASM security policy.
Once the policy is developed it needs to be tested. One excellent centralized tool for helping to test it (manually or automatically) is our SCOM F5 BIG-IP Management Pack, where we provide a report with all the details about blocked sessions: when, why and by which policy each session was blocked.
Report showing list of blocked sessions, when, why and by which policy the session was blocked
This report can be used for manual review of results or exported automatically to CSV to support automatic tests.
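As an added example (not code from the original post or from the Management Pack), here is how a CSV export of the blocked-sessions report could drive an automatic policy test in a build pipeline. The column names of the export, the sample rows and the test plan are all constructed assumptions for this example. The test harness sends a planned set of requests at the application, then checks the report for two kinds of failure: a probe that should have been blocked but does not appear (a gap in the policy), and a legitimate request that does appear (a false positive that would break the application in production).

```python
import csv
import io
from collections import Counter

# Constructed sample of a CSV export of the blocked-sessions report.
# The column names are an assumption for this example, not the
# Management Pack's real export schema.
SAMPLE_EXPORT = """timestamp,client_ip,method,uri,policy,violation
2024-01-10T09:15:02Z,10.0.0.5,GET,/search,/Common/shop_policy,Attack signature detected
2024-01-10T09:15:03Z,10.0.0.5,POST,/login,/Common/shop_policy,Illegal parameter value length
2024-01-10T09:16:10Z,10.0.0.7,GET,/api/orders,/Common/shop_policy,Illegal URL
"""

# Constructed test plan for one application release: the requests the test
# harness sent on purpose, and whether the policy is expected to block them.
TEST_PLAN = {
    ("GET", "/search"): "block",        # probe carrying a known attack signature
    ("POST", "/login"): "block",        # oversized parameter value
    ("GET", "/api/orders"): "allow",    # legitimate API call the app needs
    ("GET", "/healthz"): "allow",       # legitimate monitoring endpoint
    ("POST", "/api/upload"): "block",   # probe that must be blocked
}


def parse_blocked_sessions(csv_text):
    """Parse the exported report into a list of dicts, one per blocked session."""
    reader = csv.DictReader(io.StringIO(csv_text))
    required = {"timestamp", "method", "uri", "policy", "violation"}
    if not required.issubset(reader.fieldnames or []):
        raise ValueError("export is missing expected columns")
    return list(reader)


def evaluate_policy(blocked_sessions, test_plan):
    """Compare the report with the test plan.

    Returns the planned probes that were not blocked (gaps in the policy),
    the legitimate requests that were blocked (false positives), a per-policy
    count of blocks for the reviewer, and an overall pass/fail verdict.
    """
    blocked = {(row["method"], row["uri"]): row for row in blocked_sessions}
    missed = sorted(key for key, verdict in test_plan.items()
                    if verdict == "block" and key not in blocked)
    false_positives = sorted(key for key, verdict in test_plan.items()
                             if verdict == "allow" and key in blocked)
    by_policy = Counter(row["policy"] for row in blocked_sessions)
    return {
        "missed": missed,
        "false_positives": false_positives,
        "by_policy": dict(by_policy),
        "passed": not missed and not false_positives,
    }


if __name__ == "__main__":
    result = evaluate_policy(parse_blocked_sessions(SAMPLE_EXPORT), TEST_PLAN)
    for method, uri in result["missed"]:
        print("NOT BLOCKED:", method, uri)
    for method, uri in result["false_positives"]:
        print("FALSE POSITIVE:", method, uri)
    print("blocks per policy:", result["by_policy"])
    print("policy test", "PASSED" if result["passed"] else "FAILED")
```

With the constructed data the test fails on purpose: the upload probe was not blocked and the legitimate orders call was, which is exactly the pair of findings a developer would want to see before sending the policy for review. Keying the comparison on method and URI rather than on the violation text keeps the test stable when the policy's signature set changes.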
Once developers are happy with the policy they can send it for “peer review” by ASM specialists. One thing ASM specialists may appreciate is that they can use our SCOM F5 BIG-IP Management Pack as a communication tool to report any blocked sessions. By using SCOM, this report can be automatically attached to an issue in an issue tracking system or delivered, e.g., by email.
Once approved by the ASM SME, developers can script the policy deployment together with the deployment of the new application version.
If you’re looking for ways to tie ASM into DevOps and test it, take a look at our solution and see how you can benefit from it. You can also get a free evaluation. For more on the solution and free evaluation, check out here!