Sensitive parameter masking in service policy

Challenge:

F5’s API Security service persistently stores request and response bodies in XC’s GCE log storage in France and Germany, without allowing customers to mask those bodies at the edge before they are sent to F5's infrastructure and XC log storage. Only limited masking functionality is available for headers and query parameters that customers can configure. As a result, F5’s own compliance (privacy and security) risks are much higher than previously evaluated.


Requirement:

  1. Apply masking to the API access log body before storage in the LMA cluster.
Original Idea from field:

The ability to mask sensitive parameters in logs is included as WAF configuration. It appears that if the service policy blocks traffic prior to WAF execution (i.e. via Malicious User Detection), the sensitive parameter masking is not run, resulting in sensitive data being leaked to logs.


The masking of sensitive parameters in logs should occur independently of the WAF.
  • Chris Triner
  • Jun 7 2024
  • Planned
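The failure mode described in the idea above, as an added illustration that is not F5's or XC's code: a toy request pipeline in which masking bound to the WAF stage is skipped whenever an earlier service-policy stage blocks, beside a version that masks at log emission regardless of which stage decided. The stage names, the `client_flagged` field and the `SENSITIVE_FIELDS` list are assumptions.

```python
"""Added example (not F5 XC code): a toy request pipeline showing why masking
bound to the WAF stage is skipped when an earlier stage blocks, and how masking
at log emission fixes it. Stage names and SENSITIVE_FIELDS are assumptions."""
import json
import re

# Constructed field list; a real deployment takes this from masking config.
SENSITIVE_FIELDS = {"password", "card_number", "ssn"}
MASK = "****"

def mask_body(body: str) -> str:
    """Mask sensitive values in a JSON body; fall back to key=value masking."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        names = "|".join(map(re.escape, sorted(SENSITIVE_FIELDS)))
        return re.sub(r"(%s)=([^&\s]*)" % names, r"\1=" + MASK, body)
    if isinstance(data, dict):
        for key in data:
            if key.lower() in SENSITIVE_FIELDS:
                data[key] = MASK
    return json.dumps(data)

def service_policy(request: dict) -> bool:
    """Pre-WAF stage (e.g. malicious-user detection); True means block."""
    return bool(request.get("client_flagged"))

def waf(request: dict) -> dict:
    """WAF stage; in the flawed design this is the only place masking runs."""
    return {**request, "body": mask_body(request["body"])}

def flawed_pipeline(request: dict) -> dict:
    """Log entry as produced when masking lives inside the WAF stage."""
    if service_policy(request):
        return {"action": "blocked_by_policy", "body": request["body"]}  # unmasked
    return {"action": "allowed", "body": waf(request)["body"]}

def fixed_pipeline(request: dict) -> dict:
    """Log entry when masking is applied at emission, whichever stage decided."""
    action = "blocked_by_policy" if service_policy(request) else "allowed"
    return {"action": action, "body": mask_body(request["body"])}
```

Running both pipelines over a flagged client whose body carries a password shows the flawed design logging the raw value and the fixed design logging only the mask.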