F5 upgrades target application security, AI

F5 is reinforcing application security with a new service for its core Distributed Cloud Service package.

Introduced in 2023, F5’s Distributed Cloud Service is a SaaS-based platform that enables application management, infrastructure management, and security services across customers’ public cloud, private cloud and edge sites. The vendor’s new API discovery and protection service is aimed at giving customers a simple way to discover API endpoints, monitor traffic for vulnerabilities, provide testing, and protect applications.

“The main idea is to protect enterprises from data exfiltration through unmonitored or poorly implemented or poorly configured APIs,” said Kara Sprague, executive vice president and chief product officer with F5. “The service provides enterprises with a much clearer view of what APIs they have exposed into the public and what kind of data those APIs are exchanging so that they can much more easily secure that data.”

The era of monolithic, traditional client-server, three-tier applications is over, Sprague said. According to F5’s 2024 State of Application Strategy research, 88% of organizations deploy their apps and APIs across hybrid environments that span on-prem and cloud locations, and nearly 40% of organizations operate apps and APIs across six different environments.

“New apps today are container, microservice-based, and those container-native and microservice-based apps are all fronted by APIs, which are effectively the doorways to modern day application logic and now the primary target of cyber attacks,” Sprague said

The F5 service makes use of recently purchased API security technology from Wib Security; the acquired technology includes code analysis, vulnerability detection and risk-assessment features that let customers watch over the application development processes to mitigate threats and spot problems, no matter where they are located before they get onto the enterprise network.

“App Security is becoming more and more important in the industry. Enterprises are being forced – through vendor interactions, supply chain considerations, and/or regulatory compliance controls – to examine and document how their applications are being used, developed and secured,” said Christopher Steffen, research director for Enterprise Management Associates.

“Enterprises are finding that many of their apps are multi-generational. Meaning that it is possible – and in some cases likely – that the apps that are being used were developed on a foundation that is many technical generations old,” Steffen said. “The technology is so antiquated that you often need a specialist to refactor the app into something more modern and usable. This is extremely expensive, and even with a refactoring, security is often a secondary or tertiary thought in the process.”

While many of the functions have existed as independent, stand-alone offerings, F5 has now combined the tools into a holistic platform, which should be interesting to both developers and managers, Steffen said. “When developers have a single tool that is designed with their processes in mind, that gives them actionable feedback instead of some vague ‘this is broken’ message, they are far more likely to use it,” Steffen said.

“As it stands today, a dev engineer needs to use a suite of loosely integrated tools to accomplish many of the same functions that the F5 solution will do for them all at once. Dev teams are looking for the best security tools that not only solve their security requirements but create the least amount of friction in their processes. I think F5 has gone a long way to accomplishing that,” Steffen said.

In addition to the API service, F5 is promising an infusion of AI for its Distributed Cloud Service.

For example, later this year, F5 plans to introduce a natural language-based AI assistant to help IT security teams more easily identify anomalies, query and generate policy configurations, and apply remediation steps, Sprague said.

“The assistant will be part of the Distributed Cloud console and will let users interrogate their datasets to get recommendations about security measures and capabilities that they should apply to their various applications and APIs, among other use cases,” Sprague said.

The AI assistant will be part of a larger AI-based service called the AI Data Fabric, which will aggregate data from the Distributed Cloud Services as well as F5’s NGINX application support system and BIG-IP networking product portfolios. From this data, the company expects to deliver reports and analytics, or even train and deploy machine learning models to run inference to better secure and optimize apps, Sprague said. “The idea behind the AI Data Fabric will be to deliver intelligent services that let enterprise customers respond to threats in real time, generate insights to help them make more informed decisions, and take quick actions such as remediation,” Sprague said.