In DOD, many times implementing Web App Firewalls is limited by form-factor, mutual TLS encryption, end-to-end authentication, Security Assertion Markup Language (SAML), etc. Not to mention the various web servers (IIS, Apache, Tomcat, etc) running in DOD. This makes it difficult to implement a global web application security strategy, especially when many are appliance-based and require you to break or modify your end-to-end TLS encryption and CAC authentication. However, DISA's AppSec STIGs, and other Federal & Industry Policies, require web application security be in place for this dangerous and rapidly growing attack vector.
With Brocade's SteelApp Distributed WAF (dWAF), which is software-based, these limitations are easily addressed. SteelApp dWAF is implemented as a module in IIS, Apache, Tomcat and other web servers. It conducts web app security on the web traffic AFTER it has been authenticated, authorized and decrypted by the web server. This ensures your existing and robust end-to-end authentication and authorization isn't broken along the path, exposing other security risks. This approach also ensures horizontal & elastic scalability for massive application workloads - whether in private clouds, public clouds, or tiny tactical solutions. If a unique requirement isn't present in SteelApp dWAF don't worry, it can be extended via Python scripts, or interact with third-party systems via its REST API and other means.
These capabilities make SteelApp dWAF a great option for Government Furnished Software (GFS) for DOD web application projects. By furnishing SteelApp dWAF to contractors the US Government can increase their global control over web application security policies, reduce variability in quality in web app security across projects, and save money by offloading some of the responsibility from contractors (who aren't specialized in web app sec). A recent example, of where DOD could have leveraged this is with the ShellShock vulnerability. SteelApp dWAF had a virtual patch published to block this attack over HTTP(S), which if centrally implemented would have enabled DOD to block these attacks across protected servers - no matter where they were at in the world.
For DOD contracts, using SteelApp dWAF ensures you can deliver a standardized, repeatable and low-cost web application security capability across many projects with various types of servers (IIS, Apache, Tomcat, etc), whether they are in private clouds, public clouds or tactically deployed to the edge of the battle-space.
This cutting edge web security approach ensures consistency in policy, delivers agile global web app security capabilities without the limitations of appliances or virtual machines, saves money on application development costs and reduces administration overhead costs.
SteelApp dWAF has been successfully used in some of the largest commercial cloud applications in the world where hundreds or even thousands of active dWAFs are centrally managed by small, agile teams leveraging the power of automation, orchestration, elasticity and horizontal scale. It enables them to spin up new servers in real-time and at second #1 have robust web application security to keep the bad guys out.
The attached white paper dives into the technical details and operational requirements of doing enterprise-scale web application security in DOD - anywhere, anytime.