Securing Applications and APIs with F5 Distributed Cloud Services (XC-WAAP) – Details

Detaillierter Kursinhalt

Intro
  • Overview of how F5XC WAAP protects web apps in any cloud, edge, or on-premises environment
  • Defining the core features: WAF, bot defense, DDoS protection, and securing APIs
Module 1: Introduction to Distributed Cloud WAAP and WAF Deployment
  • Exploring the security flow through application proxy
  • Lab: Deploy Juice Shop (target application) on an HTTP load balancer and configure API endpoint discover
    • Create load balancer and connect origin pool to expose Juice Shop application
    • Enable API discovery (so that we can discuss API protection and have ready examples)
    • Run some traffic and review request log
Module 2: Setting the Stage: Analyzing Web Applications and HTTP
  • Overview of web application communication elements
  • Overview of HTTP message structure (headers and methods)
  • Parsing HTTP requests
  • Lab: Exploring the target application
Module 3: Exploiting Web Application Vulnerabilities
  • A taxonomy of attacks: the threat landscape
  • Common exploits against web applications (OWASP Top 10, OWASP API)
  • Lab: Exploiting web application vulnerabilities
    • SQL injection
    • Cross-site scripting
    • Poison byte
    • Forceful browsing
Module 4: Mitigating Threats with Web Application Firewall Policies
  • Defining web application firewall processing at layer 7
  • Applying different protections to a load balancer
  • Defining violations and false positives
  • Reviewing RFC 2616 as it drives protocol compliance
  • Differentiating positive and negative security
  • Differentiating blocking and monitoring actions
  • Reviewing security event logging
  • Defining Threat Campaigns
  • Defining Attack Signatures
  • Lab: Create App Firewall, enable blocking mode, attach to load balancer
    • Lab: Launch XSS attack and observe security processing in the log
    • Lab: Launch SQL injection attack and observe security processing in the log
    • Lab: Launch poison null byte attack and observe security processing in the log
Module 5: Manage Security Events with Exclusion Rules
  • Defining exclusion rules
  • Analyzing elements and contexts of exclusion rules
  • Lab: Create an Exclusion Rule for Two Attack Signature IDs
Module 6: Mitigating Threats with Service Policies
  • Differentiating protections at namespace vs. load balancer levels
  • Exploring service policy rules, policies, and policy sets
  • Handling traffic flow
  • Enforcing layer 7 elements of HTTP processing
  • Lab: Practicing service policy protections for geolocation enforcement, file types enforcement, method and path enforcement, and IP address enforcement.
Module 7: Bot Defense
  • Classifying and categorizing bots (good/suspicious/malicious)
  • Reviewing bot signatures
  • Configuring bot defense on the XC load balancer
  • Lab: Mitigating an attack from an automated agent (python scripts for bad traffic and credential stuffing/brute force)
Module 8: Mitigate Threats using Machine Learning and Artificial Intelligence
  • Defining Malicious User Detection
    • TLS fingerprinting
    • JavaScript challenges/client side defense
  • Lab: Deploying Machine Learning
Module 9: Protecting Your Public APIs
  • Defining an API
  • Defining API specifications
  • Defining a RESTful API
  • Recognizing API endpoints
  • Defining Shadow APIs
  • Defining OpenAPI 3.0 and the Swagger specification
  • Analyzing API routing in F5XC
  • Analyzing API protection in F5XC
    • App firewall (OWASP vulnerabilities)
    • CAPTCHA/JS challenges
    • Network firewall
    • API usage characterizations
    • User anomaly detection
    • API rate limiting (threshold configuration)
    • API Learning
  • Endpoint learning
  • Schema learning
  • Behavioral firewall/business logic markup
  • Lab: Machine Learning Lab
    • Review discovered APIs
    • Configure malicious users mitigation
    • Configure user identification
    • Configure load balancer
    • Test XSS (without WAF policy)
Module 10: API Automation using Postman
  • Introduction to Postman
    • Defining environments
    • Defining collections
    • Reviewing variables
  • Lab: Use a postman collection to create a WAF policy for a namespace
  • Lab: Use a postman collection to create service policies for a shared namespace