You might have an application that handles sensitive information like Creditcard numbers, Personal Identification numbers or even Bank account information.
HTTP responses from your application might contain such sensitive information in de clear. In that case you could set the application developers on a new task to make sure that the sensitive data does not leave the network.
But what if you have many of these web applications handling sensitive information, or what if you are dependent on a third party for updates on your application?
For those situations it’s good to know that you can protect your application with a F5 ASM web application firewall.
The feature is called “Data Guard”. And it makes sure your sensitive information does not leave the network via HTTP responses.
The feature also helps to stay PCI compliant.
ASM Data Guard can prevent sensitive data exposure in different ways.
Masking the data in the HTTP response.
Blocking the HTTP response witch contains the sensitive information.
If your web application policy is in transparent mode, it is highly recommended to use the "Masking" option of Data Guard.
Data Guard works with the following content-type headers, and examines responses for these:
When Data Guard finds any sensitive information (you’ll have to define what information is sensitive), it will block the HTTP response or mask the information in the response before it get’s send off to the user. With no definition of what sensitive information might swing by, the Data Guard module already recognizes creditcard numbers and social card numbers.
If a HTTP response contains a creditcard number, a Social Security number, or a custom pattern, then Data Guard will respond based on what the policy enforcement setting is set to.
In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
If you want the system to consider credit card numbers as sensitive data:
If you want the system to consider U.S. social security numbers (in the form nnn-nn-nnnn, where n is an integer) as sensitive data:
To specify additional sensitive data patterns that occur in the application:
Tip: You can validate the regular expression using the tool at Security > Options > Application Security > RegExp Validator.
You can add as many custom patterns as needed for the application.
For specific data patterns that is not to be considered sensitive:
Select the Exception Patterns check box.
In the New Pattern field, type a PCRE regular expression to specify the sensitive data pattern, then click Add.
Add as many custom patterns as needed for the application.
When ASM detects sensitive information in a HTTP response, it generates the following Data Guard violation: Information leakage detected. When violation is set to alarm or block If the security policy enforcement mode is set to blocking-mode and the violation is set to block, the system does not send the response to the client.