Securing Applications and APIs with F5 Distributed Cloud Services

Securing Applications and APIs with F5 Distributed Cloud ServicesXC-WAAPF5F5 NetworksF5-XC-WAAP1.0<p>By the end of this course, you will be able to: </p> <ul> <li>Deploy and manage F5XC WAAP to mitigate the OWASP Top 10 - via WAF Policy and via Service Policy</li><li>Deploy F5XC WAAP to mitigate bot traffic</li><li>Deploy F5XC WAAP to mitigate DDoS attacks at layers 3, 4, and 7</li><li>Use F5XC WAAP to automatically discover and secure APIs</li></ul><p>Administering Applications in F5 Distributed Cloud Services</p><p>The course is designed for DevOps, SecOps, NetOps, and application developers who have foundational knowledge of F5 Distributed Cloud services.</p><ul> <li>Module 1: Introduction to Distributed Cloud WAAP and WAF Deployment</li><li>Module 2: Setting the Stage: Analyzing Web Applications and HTTP</li><li>Module 3: Exploiting Web Application Vulnerabilities</li><li>Module 4: Mitigating Threats with Web Application Firewall Policies</li><li>Module 5: Manage Security Events with Exclusion Rules</li><li>Module 6: Mitigating Threats with Service Policies</li><li>Module 7: Bot Defense</li><li>Module 8: Mitigate Threats using Machine Learning and Artificial Intelligence</li><li>Module 9: Protecting Your Public APIs</li><li>Module 10: API Automation using Postman</li></ul><h5>Intro</h5><ul> <li>Overview of how F5XC WAAP protects web apps in any cloud, edge, or on-premises environment</li><li>Defining the core features: WAF, bot defense, DDoS protection, and securing APIs</li></ul><h5>Module 1: Introduction to Distributed Cloud WAAP and WAF Deployment</h5><ul> <li>Exploring the security flow through application proxy</li><li>Lab: Deploy Juice Shop (target application) on an HTTP load balancer and configure API endpoint discover <ul> <li>Create load balancer and connect origin pool to expose Juice Shop application</li><li>Enable API discovery (so that we can discuss API protection and have ready examples)</li><li>Run some traffic and review request log</li></ul></li></ul><h5>Module 2: Setting the Stage: Analyzing Web Applications and HTTP</h5><ul> <li>Overview of web application communication elements</li><li>Overview of HTTP message structure (headers and methods)</li><li>Parsing HTTP requests</li><li>Lab: Exploring the target application</li></ul><h5>Module 3: Exploiting Web Application Vulnerabilities</h5><ul> <li>A taxonomy of attacks: the threat landscape</li><li>Common exploits against web applications (OWASP Top 10, OWASP API)</li><li>Lab: Exploiting web application vulnerabilities <ul> <li>SQL injection</li><li>Cross-site scripting</li><li>Poison byte</li><li>Forceful browsing</li></ul></li></ul><h5>Module 4: Mitigating Threats with Web Application Firewall Policies</h5><ul> <li>Defining web application firewall processing at layer 7</li><li>Applying different protections to a load balancer</li><li>Defining violations and false positives</li><li>Reviewing RFC 2616 as it drives protocol compliance</li><li>Differentiating positive and negative security</li><li>Differentiating blocking and monitoring actions</li><li>Reviewing security event logging</li><li>Defining Threat Campaigns</li><li>Defining Attack Signatures</li><li>Lab: Create App Firewall, enable blocking mode, attach to load balancer <ul> <li>Lab: Launch XSS attack and observe security processing in the log</li><li>Lab: Launch SQL injection attack and observe security processing in the log</li><li>Lab: Launch poison null byte attack and observe security processing in the log</li></ul></li></ul><h5>Module 5: Manage Security Events with Exclusion Rules</h5><ul> <li>Defining exclusion rules</li><li>Analyzing elements and contexts of exclusion rules</li><li>Lab: Create an Exclusion Rule for Two Attack Signature IDs</li></ul><h5>Module 6: Mitigating Threats with Service Policies</h5><ul> <li>Differentiating protections at namespace vs. load balancer levels</li><li>Exploring service policy rules, policies, and policy sets</li><li>Handling traffic flow</li><li>Enforcing layer 7 elements of HTTP processing</li><li>Lab: Practicing service policy protections for geolocation enforcement, file types enforcement, method and path enforcement, and IP address enforcement.</li></ul><h5>Module 7: Bot Defense</h5><ul> <li>Classifying and categorizing bots (good/suspicious/malicious)</li><li>Reviewing bot signatures</li><li>Configuring bot defense on the XC load balancer</li><li>Lab: Mitigating an attack from an automated agent (python scripts for bad traffic and credential stuffing/brute force)</li></ul><h5>Module 8: Mitigate Threats using Machine Learning and Artificial Intelligence</h5><ul> <li>Defining Malicious User Detection <ul> <li>TLS fingerprinting</li><li>JavaScript challenges/client side defense</li></ul></li><li>Lab: Deploying Machine Learning</li></ul><h5>Module 9: Protecting Your Public APIs</h5><ul> <li>Defining an API</li><li>Defining API specifications</li><li>Defining a RESTful API</li><li>Recognizing API endpoints</li><li>Defining Shadow APIs</li><li>Defining OpenAPI 3.0 and the Swagger specification</li><li>Analyzing API routing in F5XC</li><li>Analyzing API protection in F5XC <ul> <li>App firewall (OWASP vulnerabilities)</li><li>CAPTCHA/JS challenges</li><li>Network firewall</li><li>API usage characterizations</li><li>User anomaly detection</li><li>API rate limiting (threshold configuration)</li><li>API Learning</li></ul></li><li>Endpoint learning</li><li>Schema learning</li><li>Behavioral firewall/business logic markup</li><li>Lab: Machine Learning Lab <ul> <li>Review discovered APIs</li><li>Configure malicious users mitigation</li><li>Configure user identification</li><li>Configure load balancer</li><li>Test XSS (without WAF policy)</li></ul></li></ul><h5>Module 10: API Automation using Postman</h5><ul> <li>Introduction to Postman <ul> <li>Defining environments</li><li>Defining collections</li><li>Reviewing variables</li></ul></li><li>Lab: Use a postman collection to create a WAF policy for a namespace</li><li>Lab: Use a postman collection to create service policies for a shared namespace</li></ul>By the end of this course, you will be able to: - Deploy and manage F5XC WAAP to mitigate the OWASP Top 10 - via WAF Policy and via Service Policy - Deploy F5XC WAAP to mitigate bot traffic - Deploy F5XC WAAP to mitigate DDoS attacks at layers 3, 4, and 7 - Use F5XC WAAP to automatically discover and secure APIsAdministering Applications in F5 Distributed Cloud ServicesThe course is designed for DevOps, SecOps, NetOps, and application developers who have foundational knowledge of F5 Distributed Cloud services.- Module 1: Introduction to Distributed Cloud WAAP and WAF Deployment - Module 2: Setting the Stage: Analyzing Web Applications and HTTP - Module 3: Exploiting Web Application Vulnerabilities - Module 4: Mitigating Threats with Web Application Firewall Policies - Module 5: Manage Security Events with Exclusion Rules - Module 6: Mitigating Threats with Service Policies - Module 7: Bot Defense - Module 8: Mitigate Threats using Machine Learning and Artificial Intelligence - Module 9: Protecting Your Public APIs - Module 10: API Automation using PostmanIntro - Overview of how F5XC WAAP protects web apps in any cloud, edge, or on-premises environment - Defining the core features: WAF, bot defense, DDoS protection, and securing APIs Module 1: Introduction to Distributed Cloud WAAP and WAF Deployment - Exploring the security flow through application proxy - Lab: Deploy Juice Shop (target application) on an HTTP load balancer and configure API endpoint discover - Create load balancer and connect origin pool to expose Juice Shop application - Enable API discovery (so that we can discuss API protection and have ready examples) - Run some traffic and review request log Module 2: Setting the Stage: Analyzing Web Applications and HTTP - Overview of web application communication elements - Overview of HTTP message structure (headers and methods) - Parsing HTTP requests - Lab: Exploring the target application Module 3: Exploiting Web Application Vulnerabilities - A taxonomy of attacks: the threat landscape - Common exploits against web applications (OWASP Top 10, OWASP API) - Lab: Exploiting web application vulnerabilities - SQL injection - Cross-site scripting - Poison byte - Forceful browsing Module 4: Mitigating Threats with Web Application Firewall Policies - Defining web application firewall processing at layer 7 - Applying different protections to a load balancer - Defining violations and false positives - Reviewing RFC 2616 as it drives protocol compliance - Differentiating positive and negative security - Differentiating blocking and monitoring actions - Reviewing security event logging - Defining Threat Campaigns - Defining Attack Signatures - Lab: Create App Firewall, enable blocking mode, attach to load balancer - Lab: Launch XSS attack and observe security processing in the log - Lab: Launch SQL injection attack and observe security processing in the log - Lab: Launch poison null byte attack and observe security processing in the log Module 5: Manage Security Events with Exclusion Rules - Defining exclusion rules - Analyzing elements and contexts of exclusion rules - Lab: Create an Exclusion Rule for Two Attack Signature IDs Module 6: Mitigating Threats with Service Policies - Differentiating protections at namespace vs. load balancer levels - Exploring service policy rules, policies, and policy sets - Handling traffic flow - Enforcing layer 7 elements of HTTP processing - Lab: Practicing service policy protections for geolocation enforcement, file types enforcement, method and path enforcement, and IP address enforcement. Module 7: Bot Defense - Classifying and categorizing bots (good/suspicious/malicious) - Reviewing bot signatures - Configuring bot defense on the XC load balancer - Lab: Mitigating an attack from an automated agent (python scripts for bad traffic and credential stuffing/brute force) Module 8: Mitigate Threats using Machine Learning and Artificial Intelligence - Defining Malicious User Detection - TLS fingerprinting - JavaScript challenges/client side defense - Lab: Deploying Machine Learning Module 9: Protecting Your Public APIs - Defining an API - Defining API specifications - Defining a RESTful API - Recognizing API endpoints - Defining Shadow APIs - Defining OpenAPI 3.0 and the Swagger specification - Analyzing API routing in F5XC - Analyzing API protection in F5XC - App firewall (OWASP vulnerabilities) - CAPTCHA/JS challenges - Network firewall - API usage characterizations - User anomaly detection - API rate limiting (threshold configuration) - API Learning - Endpoint learning - Schema learning - Behavioral firewall/business logic markup - Lab: Machine Learning Lab - Review discovered APIs - Configure malicious users mitigation - Configure user identification - Configure load balancer - Test XSS (without WAF policy) Module 10: API Automation using Postman - Introduction to Postman - Defining environments - Defining collections - Reviewing variables - Lab: Use a postman collection to create a WAF policy for a namespace - Lab: Use a postman collection to create service policies for a shared namespace3 Tage2460.003630.003960.003960.003960.00