
Cortex cloud ctf bootcamp #11

Open

hankthebldr wants to merge 4 commits into master from Cortex-Cloud-CTF-Bootcamp

Conversation

@hankthebldr

Owner

No description provided.

<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Cortex Cloud: WaaS - Infographic</title>
    <script src="https://cdn.tailwindcss.com"></script>
    <script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
    <link href="https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600;700;800&display=swap" rel="stylesheet">
    <!--
        Infographic Narrative & Structure Plan:
        1.  Hero Section: Project Title "Cortex Cloud: WaaS" & Subtitle.
        2.  The WaaS Imperative: Market Pain, Project Description (WaaS UP), Strategic Imperative (Runtime Security for AI).
        3.  Project Goals: Objectives & Intended Outcomes.
        4.  Key Stakeholders.
        5.  Core Focus Areas.
        6.  My Engagement Framework.
        7.  The 'WaaS UP' Playbook: Qualification & TRR Process.
        8.  Project Timeline.
        9.  Phased Success Metrics: Tracking 'WaaS UP' Progress & Impact.
        10. Key Technologies & Assets.
        11. Expected Impact.
        12. WAAS & CDR Synergy.
        13. NEW: The Cortex Cloud Advantage: Migration Arbitrage & Enhanced Protection
        14. WaaS in the Age of AI (emphasizing runtime security).
        15. Cloud-Native Firewalls & AI Infrastructure.
        16. The WaaS Process Flywheel.
        17. Navigating Challenges.
        18. Footer & Confirmation.

        Color Palette Chosen: "Energetic & Playful"
            - Primary Action/Highlight: #FF6B6B (Coral Red)
            - Secondary Accent/Data Point 1 (SC Focus): #FFD166 (Sunglow Yellow)
            - Tertiary Accent/Data Point 2 (DC Focus & WaaS Mentions): #06D6A0 (Caribbean Green)
            - Information/Data Point 3: #118AB2 (Blue NCS)
            - Dark Text/Background Elements: #073B4C (Midnight Green Eagle Green)
            - Light Background: #F8FAFC (Tailwind gray-50)
            - Card Background: #FFFFFF (White)

        Visualization Choices & Justifications (Confirming NO SVG, NO MERMAID JS):
        - Playbook Section: HTML/CSS flowchart-like structure with cards and Unicode arrows. (Goal: Organize/Inform, Method: HTML/CSS)
        - Phased Success Metrics: HTML/CSS cards for each phase with Unicode icons. (Goal: Inform/Organize, Method: HTML/CSS)
        - Migration Arbitrage: HTML/CSS columns/cards with Unicode icons/arrows. (Goal: Compare/Inform, Method: HTML/CSS)
        - Other sections maintain previous methods (Chart.js/Canvas, HTML/CSS with Unicode icons).
        - NO SVG graphics will be used.
        - NO Mermaid JS will be used.
    -->
    <style>
        body {
            font-family: 'Inter', sans-serif;
            background-color: #F8FAFC; /* Light Background */
        }
        .chart-container {
            position: relative;
            width: 100%;
            max-width: 600px; /* Default max-width */
            margin-left: auto;
            margin-right: auto;
            height: 300px; /* Base height */
            max-height: 400px; /* Max height */
        }
        @media (min-width: 768px) { /* md breakpoint */
            .chart-container {
                height: 350px;
            }
        }
        @media (min-width: 1024px) { /* lg breakpoint */
            .chart-container {
                max-width: 700px;
                height: 400px;
            }
        }
        .stat-card {
            background-color: #FFFFFF; /* Card Background */
            border-radius: 0.5rem; /* rounded-lg */
            box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1), 0 2px 4px -1px rgba(0, 0, 0, 0.06); /* shadow-md */
            padding: 1.5rem; /* p-6 */
            margin-bottom: 1.5rem; /* mb-6 */
            /* border-left will be applied via specific classes */
        }
        .section-title {
            color: #073B4C; /* Dark Text */
            font-weight: 700; /* bold */
            margin-bottom: 1rem; /* mb-4 */
        }
        .highlight-text {
            color: #FF6B6B; /* Primary Action/Highlight */
            font-weight: 600;
        }
        .waas-text { /* For WaaS mentions */
            color: #06D6A0;
            font-weight: 600;
        }
        .timeline-item {
            position: relative;
            padding-bottom: 2rem;
            padding-left: 2.5rem;
        }
        .timeline-item::before {
            content: '';
            position: absolute;
            left: 0.625rem; /* Adjust to center the dot on the line */
            top: 0.25rem;
            width: 0.75rem; /* w-3 */
            height: 0.75rem; /* h-3 */
            border-radius: 9999px; /* rounded-full */
            background-color: #FF6B6B; /* Primary Action/Highlight */
            z-index: 10;
        }
        .timeline-item::after {
            content: '';
            position: absolute;
            left: 1rem; /* Center line with dot */
            top: 0.25rem;
            bottom: 0;
            width: 2px; /* Line thickness */
            background-color: #CBD5E1; /* tailwind gray-300 */
        }
        .timeline-item:last-child::after {
            display: none; /* Remove line from last item */
        }
        .framework-card {
            background-color: #FFFFFF;
            border-radius: 0.5rem;
            box-shadow: 0 4px 6px -1px rgba(0,0,0,0.1), 0 2px 4px -1px rgba(0,0,0,0.06);
            padding: 1.5rem;
            text-align: center;
            transition: transform 0.3s ease, box-shadow 0.3s ease;
            display: flex;
            flex-direction: column;
            justify-content: space-between;
            min-height: 220px; /* Ensure cards have enough height */
        }
        .framework-card:hover {
            transform: translateY(-5px);
            box-shadow: 0 10px 15px -3px rgba(0,0,0,0.1), 0 4px 6px -2px rgba(0,0,0,0.05);
        }
        .framework-icon {
            font-size: 2.5rem; /* text-4xl */
            margin-bottom: 0.75rem; /* mb-3 */
        }
        .cdr-flow-step {
            background-color: #FFFFFF;
            border-radius: 0.375rem; /* rounded-md */
            padding: 1rem; /* p-4 */
            margin-bottom: 1rem; /* mb-4 */
            box-shadow: 0 1px 3px rgba(0,0,0,0.1);
            position: relative;
        }
        .cdr-arrow {
            font-size: 1.5rem; /* text-2xl */
            color: #073B4C; /* Dark Text */
            margin: 0.5rem 0; /* my-2 */
        }
        .ai-impact-card {
            background-color: #FFFFFF;
            border-radius: 0.5rem;
            box-shadow: 0 2px 4px rgba(0,0,0,0.05);
            padding: 1.5rem;
            margin-bottom: 1rem;
            display: flex;
            align-items: flex-start;
        }
        .ai-impact-icon {
            font-size: 1.75rem; /* text-2xl */
            margin-right: 1rem; /* mr-4 */
            flex-shrink: 0;
            width: 2rem; /* Ensure consistent icon spacing */
            text-align: center;
        }
        .flywheel-container {
            display: grid;
            grid-template-areas:
                ". top ."
                "left center right"
                ". bottom .";
            grid-template-columns: 1fr auto 1fr;
            grid-template-rows: auto auto auto;
            gap: 1rem; /* Adjust gap as needed */
            align-items: center;
            justify-items: center;
            margin-top: 2rem;
            padding: 1rem;
        }
        .flywheel-hub {
            grid-area: center;
            background-color: #073B4C; /* Dark Text */
            color: white;
            border-radius: 50%;
            width: 150px;
            height: 150px;
            display: flex;
            flex-direction: column;
            align-items: center;
            justify-content: center;
            text-align: center;
            padding: 1rem;
            box-shadow: 0 0 15px rgba(7,59,76,0.5);
            font-size: 0.9rem;
            line-height: 1.2;
        }
        .flywheel-segment {
            background-color: white;
            border-radius: 0.5rem;
            padding: 1rem;
            box-shadow: 0 4px 8px rgba(0,0,0,0.1);
            text-align: center;
            min-width: 200px; /* Ensure segments have some width */
            max-width: 250px;
        }
        .flywheel-segment h4 {
            font-weight: 600;
            margin-bottom: 0.5rem;
        }
        .flywheel-segment p {
            font-size: 0.8rem;
            color: #4A5568; /* gray-700 */
        }
        .flywheel-arrow {
            font-size: 1.5rem; /* text-2xl */
            font-weight: bold;
            position: absolute;
        }
        /* Specific segment positioning */
        .flywheel-segment-top { grid-area: top; }
        .flywheel-segment-left { grid-area: left; }
        .flywheel-segment-right { grid-area: right; }
        .flywheel-segment-bottom { grid-area: bottom; }

        @media (max-width: 768px) { /* Stack flywheel on smaller screens */
            .flywheel-container {
                grid-template-areas:
                    "center"
                    "top"
                    "left"
                    "right"
                    "bottom";
                grid-template-columns: 1fr;
                grid-template-rows: auto;
                justify-items: stretch; /* Make segments full width */
            }
            .flywheel-hub {
                margin-bottom: 1rem;
                width: 120px;
                height: 120px;
                font-size: 0.8rem;
            }
            .flywheel-segment {
                margin-bottom: 1rem; /* Add space between stacked segments */
                min-width: auto;
                width: 100%;
            }
        }
        .playbook-stage {
            background-color: #FFFFFF;
            border-radius: 0.5rem; /* rounded-lg */
            padding: 1.5rem; /* p-6 */
            margin-bottom: 1.5rem; /* mb-6 */
            box-shadow: 0 4px 6px -1px rgba(0,0,0,0.1), 0 2px 4px -1px rgba(0,0,0,0.06);
        }
        .playbook-question-card {
            background-color: #F8FAFC; /* Light Background */
            border: 1px solid #E2E8F0; /* gray-200 */
            border-radius: 0.375rem; /* rounded-md */
            padding: 1rem; /* p-4 */
            margin-top: 1rem; /* mt-4 */
        }
        .playbook-arrow {
            font-size: 2rem; /* text-3xl */
            color: #073B4C; /* Dark Text */
            margin: 1rem 0; /* my-4 */
            text-align: center;
        }
        .playbook-decision {
            font-weight: 600;
            padding: 0.5rem 1rem;
            border-radius: 0.375rem;
            display: inline-block;
            margin-top: 0.5rem;
        }
        .metrics-phase-card {
            background-color: #FFFFFF;
            border-radius: 0.5rem;
            box-shadow: 0 2px 4px rgba(0,0,0,0.07);
            padding: 1.5rem;
            margin-bottom: 1rem;
        }
        .metrics-phase-card h4 {
            font-size: 1.125rem; /* text-lg */
            font-weight: 600;
            margin-bottom: 0.75rem;
        }
        .metrics-phase-card .metric-focus {
            font-size: 0.875rem; /* text-sm */
            font-weight: 500;
            color: #4A5568; /* gray-700 */
            margin-bottom: 0.75rem;
        }
        .metrics-phase-card ul {
            list-style-type: none;
            padding-left: 0;
        }
        .metrics-phase-card ul li {
            font-size: 0.875rem; /* text-sm */
            color: #374151; /* gray-800 */
            margin-bottom: 0.25rem;
            display: flex;
            align-items: center;
        }
        .metrics-phase-card ul li .metric-icon {
            margin-right: 0.5rem;
            font-size: 1rem;
        }
        .arbitrage-card {
            background-color: #FFFFFF;
            border-radius: 0.5rem; /* rounded-lg */
            padding: 1.5rem; /* p-6 */
            box-shadow: 0 4px 6px -1px rgba(0,0,0,0.1), 0 2px 4px -1px rgba(0,0,0,0.06);
            height: 100%; /* Make cards in a row same height */
            display: flex;
            flex-direction: column;
        }
        .arbitrage-icon {
            font-size: 2.5rem; /* text-4xl */
            margin-bottom: 0.75rem;
        }

    </style>
</head>
<body class="text-gray-800">

    <header class="bg-gradient-to-r from-[#073B4C] to-[#118AB2] text-white py-12 sm:py-16 md:py-20 text-center">
        <div class="container mx-auto px-4">
            <h1 class="text-3xl sm:text-4xl md:text-5xl font-extrabold mb-3">Cortex Cloud: <span class="waas-text">WaaS</span></h1>
            <p class="text-lg sm:text-xl md:text-2xl opacity-90">A Strategic Upsell & Alternative for <span class="waas-text">Runtime Security</span> in the AI Era, Maximizing Cortex Cloud <span class="waas-text">WaaS</span> Wins.</p>
        </div>
    </header>

    <main class="container mx-auto px-4 sm:px-6 lg:px-8 py-8 sm:py-12">

        <section id="challenge" class="mb-12 sm:mb-16">
            <h2 class="text-3xl sm:text-4xl section-title text-center">The <span class="waas-text">WaaS</span> Imperative</h2>
            <p class="text-center text-lg text-gray-600 mb-8 max-w-3xl mx-auto">
                In a world of rapid AI development, securing web applications and APIs is paramount. "<span class="text-[#FF6B6B]">WaaS UP</span>" addresses this by enhancing our Cortex Cloud <span class="waas-text">WaaS</span> capabilities, offering critical <span class="waas-text">runtime security</span> that complements agent-focused strategies.
            </p>
            <div class="grid md:grid-cols-2 gap-6 sm:gap-8">
                <div class="bg-white rounded-lg shadow-lg p-6 hover:shadow-xl transition-shadow duration-300">
                    <h3 class="text-2xl font-semibold mb-3 text-[#073B4C]">🛡️ Addressing Market Pains & AI Risks</h3>
                    <p class="text-gray-700 mb-2">The digital and AI landscape faces escalating threats. "<span class="text-[#FF6B6B]">WaaS UP</span>" directly tackles:</p>
                    <ul class="list-disc list-inside text-gray-600 space-y-1">
                        <li>Rising exploitation of OWASP Top 10 vulnerabilities in web apps & APIs.</li>
                        <li>Security gaps in AI data pipelines and AI-powered APIs.</li>
                        <li>Need for specialized <span class="waas-text">WaaS runtime security</span> for AI-driven services.</li>
                    </ul>
                </div>
                <div class="bg-white rounded-lg shadow-lg p-6 hover:shadow-xl transition-shadow duration-300">
                    <h3 class="text-2xl font-semibold mb-3 text-[#073B4C]">🎯 "<span class="text-[#FF6B6B]">WaaS UP</span>" Vision & Scope</h3>
                    <p class="text-gray-700 mb-2">A Domain Consultant-led initiative to create a <span class="highlight-text">secure, AI-assisted discovery, qualification, and technical execution framework</span> for Cortex Cloud <span class="waas-text">WaaS</span>.</p>
                    <p class="text-gray-600">This framework aims to elevate <span class="waas-text">WaaS</span> as a key upsell and <span class="waas-text">runtime security</span> solution, refining processes and providing advanced technical resources.</p>
                </div>
            </div>
        </section>

        <section id="goals" class="mb-12 sm:mb-16">
            <h2 class="text-3xl sm:text-4xl section-title text-center">Driving Success: Objectives & Outcomes</h2>
            <p class="text-center text-lg text-gray-600 mb-8 max-w-3xl mx-auto">
                Our core objectives are designed to significantly improve both Domain Consultant (DC) effectiveness and Solution Consultant (SC) capabilities, leading to measurable positive outcomes for Cortex <span class="waas-text">WaaS</span>.
            </p>
            <div class="grid md:grid-cols-2 lg:grid-cols-3 gap-6 sm:gap-8">
                <div class="stat-card border-l-[5px] border-[#06D6A0]">
                    <h3 class="text-xl font-semibold text-[#073B4C] mb-2"><span class="text-[#06D6A0]">⚙️ Enhance DC</span> Effectiveness</h3>
                    <p class="text-gray-600 text-sm">Equip DCs with refined processes, advanced <span class="waas-text">WaaS</span> technical resources, and OWASP-anchored validation methods.</p>
                </div>
                <div class="stat-card border-l-[5px] border-[#FFD166]">
                    <h3 class="text-xl font-semibold text-[#073B4C] mb-2"><span class="text-[#FFD166]">💡 Enable SC</span> Accuracy</h3>
                    <p class="text-gray-600 text-sm">Empower SCs to precisely identify and qualify <span class="waas-text">WaaS</span> opportunities using an AI-driven discovery framework.</p>
                </div>
                <div class="stat-card border-l-[5px] border-[#FF6B6B] md:col-span-2 lg:col-span-1">
                    <h3 class="text-xl font-semibold text-[#073B4C] mb-2">🚀 Strategic Impact</h3>
                    <p class="text-gray-600 text-sm">This project will codify <span class="waas-text">WaaS</span> best practices, accelerate adoption, and provide a competitive edge.</p>
                </div>
            </div>
            <div class="mt-8 grid md:grid-cols-2 gap-6 sm:gap-8 items-center">
                <div>
                    <h3 class="text-2xl font-semibold text-[#073B4C] mb-4 text-center md:text-left">Anticipated Key Outcome Improvements</h3>
                    <p class="text-gray-600 mb-6 text-center md:text-left">
                        We project significant enhancements in our <span class="waas-text">WaaS</span> sales and execution lifecycle, directly impacting our ability to win and deliver value.
                    </p>
                     <ul class="space-y-3 text-gray-700">
                        <li class="flex items-center"><span class="text-xl mr-2 text-[#FF6B6B]">📈</span> Increased <span class="waas-text">WaaS</span> Technical Win Rates</li>
                        <li class="flex items-center"><span class="text-xl mr-2 text-[#06D6A0]">⏱️</span> More Efficient DC Engagement</li>
                        <li class="flex items-center"><span class="text-xl mr-2 text-[#FFD166]">📄</span> Higher Fidelity Design of Records (DORs) by SCs</li>
                        <li class="flex items-center"><span class="text-xl mr-2 text-[#118AB2]">🔗</span> Optimized TRR Process & POV Inputs</li>
                    </ul>
                </div>
                <div class="chart-container h-[300px] md:h-[350px]">
                    <canvas id="outcomesChart"></canvas>
                </div>
            </div>
        </section>

        <section id="stakeholders" class="mb-12 sm:mb-16">
            <h2 class="text-3xl sm:text-4xl section-title text-center">Collaborative Ecosystem: Key Stakeholders</h2>
             <p class="text-center text-lg text-gray-600 mb-8 max-w-3xl mx-auto">
                Success hinges on tight collaboration. This project involves strategic alignment and active participation from Upstream, Core, and Downstream teams.
            </p>
            <div class="grid lg:grid-cols-3 gap-6 sm:gap-8">
                <div class="bg-white rounded-lg shadow-lg p-6 transform hover:scale-105 transition-transform duration-300">
                    <h3 class="text-xl font-semibold mb-3 text-[#118AB2]">🤝 Upstream Teams</h3>
                    <p class="text-sm text-gray-600 mb-2">Provide strategic guidance, product expertise, and market alignment.</p>
                    <ul class="list-disc list-inside text-xs text-gray-500 space-y-1">
                        <li>DC Executive Leadership</li>
                        <li>Product Management (<span class="waas-text">WaaS</span>)</li>
                        <li>Technical Product Engineering (<span class="waas-text">WaaS</span>)</li>
                        <li>Marketing & Product Marketing (<span class="waas-text">WaaS</span>)</li>
                    </ul>
                </div>
                <div class="bg-white rounded-lg shadow-lg p-6 transform hover:scale-105 transition-transform duration-300">
                    <h3 class="text-xl font-semibold mb-3 text-[#073B4C]">⚙️ Core Project Team</h3>
                    <p class="text-sm text-gray-600 mb-2">Drive execution, provide subject-matter expertise, pilot solutions, and champion adoption. <span class="font-semibold text-[#06D6A0]">(DC Lead)</span></p>
                    <ul class="list-disc list-inside text-xs text-gray-500 space-y-1">
                        <li>Cortex Cloud DCs (Lead & SMEs)</li>
                        <li>Solution Consultants (SCs)</li>
                        <li>SC & DC Leadership</li>
                        <li>IT/Sales Operations</li>
                        <li>Optional: <span class="waas-text">WaaS</span> "Tiger Team"</li>
                    </ul>
                </div>
                <div class="bg-white rounded-lg shadow-lg p-6 transform hover:scale-105 transition-transform duration-300">
                    <h3 class="text-xl font-semibold mb-3 text-[#FF6B6B]">🚀 Downstream Teams</h3>
                    <p class="text-sm text-gray-600 mb-2">Operationalize outputs, drive adoption, scale success, and measure impact.</p>
                    <ul class="list-disc list-inside text-xs text-gray-500 space-y-1">
                        <li>Sales Enablement Team</li>
                        <li>Masters Program / Learning Certs</li>
                        <li>GTM Strategy & Operations</li>
                        <li>Strategy & Operations (Broader Org)</li>
                    </ul>
                </div>
            </div>
        </section>

        <section id="focus-areas" class="mb-12 sm:mb-16 bg-gray-100 py-12 rounded-lg">
            <h2 class="text-3xl sm:text-4xl section-title text-center">Core Focus Areas & Deliverables</h2>
            <p class="text-center text-lg text-gray-600 mb-10 max-w-3xl mx-auto">
                The project concentrates on five critical areas to build a comprehensive <span class="waas-text">WaaS</span> technical selling and execution motion.
            </p>
            <div class="grid md:grid-cols-2 lg:grid-cols-3 gap-6 sm:gap-8">
                <div class="bg-white p-6 rounded-lg shadow-md hover:shadow-lg transition-shadow">
                    <div class="flex items-center mb-3">
                        <span class="text-3xl text-[#06D6A0] mr-3">🛠️</span>
                        <h3 class="text-lg font-semibold text-[#073B4C]">Enhanced <span class="text-[#06D6A0]">DC</span> <span class="waas-text">WaaS</span> Execution Resources</h3>
                    </div>
                    <p class="text-sm text-gray-600">'POV-in-a-Box', Advanced Scenario Playbooks, Troubleshooting Trees.</p>
                </div>
                <div class="bg-white p-6 rounded-lg shadow-md hover:shadow-lg transition-shadow">
                    <div class="flex items-center mb-3">
                        <span class="text-3xl text-[#FFD166] mr-3">🤖</span>
                        <h3 class="text-lg font-semibold text-[#073B4C]">AI-Powered <span class="text-[#FFD166]">SC</span> <span class="waas-text">WaaS</span> Discovery Toolkit</h3>
                    </div>
                    <p class="text-sm text-gray-600">Interactive questionnaires, AI insights, Klue integration.</p>
                </div>
                <div class="bg-white p-6 rounded-lg shadow-md hover:shadow-lg transition-shadow">
                     <div class="flex items-center mb-3">
                        <span class="text-3xl text-[#FFD166] mr-3">📖</span>
                        <h3 class="text-lg font-semibold text-[#073B4C]">Standardized <span class="text-[#FFD166]">SC</span> <span class="waas-text">WaaS</span> Qualification Playbooks</h3>
                    </div>
                    <p class="text-sm text-gray-600">Asana/SFDC integrated guides for <span class="waas-text">WaaS</span> vs. CN-NGFW.</p>
                </div>
                <div class="bg-white p-6 rounded-lg shadow-md hover:shadow-lg transition-shadow md:col-span-2 lg:col-span-1 lg:col-start-2">
                     <div class="flex items-center mb-3">
                        <span class="text-3xl text-[#118AB2] mr-3">🔄</span>
                        <h3 class="text-lg font-semibold text-[#073B4C]">Streamlined <span class="text-[#FFD166]">SC</span>-to-<span class="text-[#06D6A0]">DC</span> <span class="waas-text">WaaS</span> Handover</h3>
                    </div>
                    <p class="text-sm text-gray-600">Defined outputs feeding into DC advanced discovery & POV planning.</p>
                </div>
                <div class="bg-white p-6 rounded-lg shadow-md hover:shadow-lg transition-shadow md:col-span-2 lg:col-span-1 lg:col-start-auto">
                     <div class="flex items-center mb-3">
                        <span class="text-3xl text-[#073B4C] mr-3">🎓</span>
                        <h3 class="text-lg font-semibold text-[#073B4C]">Comprehensive <span class="waas-text">WaaS</span> Enablement Program</h3>
                    </div>
                    <p class="text-sm text-gray-600">Tailored SC & DC training via PANW Learning Center.</p>
                </div>
            </div>
        </section>

        <section id="engagement-framework" class="mb-12 sm:mb-16">
            <h2 class="text-3xl sm:text-4xl section-title text-center text-[#06D6A0]">My Engagement Framework: Driving "<span class="text-[#FF6B6B]">WaaS UP</span>" Success</h2>
            <p class="text-center text-lg text-gray-600 mb-10 max-w-3xl mx-auto">
                My approach as a Domain Consultant to leading this initiative and ensuring its success is built upon a 5-step framework, fostering collaboration and delivering tangible results for Cortex Cloud <span class="waas-text">WaaS</span>.
            </p>
            <div class="grid grid-cols-1 sm:grid-cols-2 lg:grid-cols-5 gap-6">
                <div class="framework-card border-t-4 border-[#FF6B6B]">
                    <div class="framework-icon">🎁</div>
                    <h3 class="text-lg font-semibold text-[#FF6B6B] mb-2">1. Incentivize</h3>
                    <p class="text-xs text-gray-600">Clearly define WIIFM (what's in it for me): For <span class="font-semibold text-[#06D6A0]">DCs</span> - enhanced execution & win rates. For <span class="font-semibold text-[#FFD166]">SCs</span> - clearer qualification & impact. For Sales - increased <span class="waas-text">WaaS</span> revenue.</p>
                </div>
                <div class="framework-card border-t-4 border-[#FFD166]">
                    <div class="framework-icon">💡</div>
                    <h3 class="text-lg font-semibold text-[#FFD166] mb-2">2. Educate</h3>
                    <p class="text-xs text-gray-600">Provide targeted <span class="waas-text">WaaS</span> knowledge: Workshops for <span class="font-semibold text-[#06D6A0]">DCs</span> (validation) & <span class="font-semibold text-[#FFD166]">SCs</span> (discovery), documentation, success stories, Learning Center modules.</p>
                </div>
                <div class="framework-card border-t-4 border-[#06D6A0]">
                    <div class="framework-icon">🔗</div>
                    <h3 class="text-lg font-semibold text-[#06D6A0] mb-2">3. Align</h3>
                    <p class="text-xs text-gray-600">Ensure continuous communication and alignment with Cortex stakeholders (Upstream, Core, Downstream). Regular feedback sessions to connect project outcomes to <span class="waas-text">WaaS</span> GTM strategy.</p>
                </div>
                <div class="framework-card border-t-4 border-[#118AB2]">
                    <div class="framework-icon">🚀</div>
                    <h3 class="text-lg font-semibold text-[#118AB2] mb-2">4. Execute</h3>
                    <p class="text-xs text-gray-600">This "<span class="text-[#FF6B6B]">WaaS UP</span>" initiative, <span class="font-semibold text-[#06D6A0]">led by DCs</span>, embodies execution: diligently developing and deploying <span class="waas-text">WaaS</span> tools, resources, playbooks, and enablement programs.</p>
                </div>
                <div class="framework-card border-t-4 border-[#073B4C]">
                    <div class="framework-icon">🔄</div>
                    <h3 class="text-lg font-semibold text-[#073B4C] mb-2">5. Iterate</h3>
                    <p class="text-xs text-gray-600">Implement continuous improvement: Ongoing monitoring of <span class="waas-text">WaaS</span> metrics, gathering feedback post-launch, and refining tools & processes in the "Monitor, Optimize & Scale" phase.</p>
                </div>
            </div>
        </section>

        <section id="waas-up-playbook" class="mb-12 sm:mb-16 bg-gray-50 py-12 rounded-lg">
            <h2 class="text-3xl sm:text-4xl section-title text-center">The "<span class="text-[#FF6B6B]">WaaS UP</span>" Playbook: Qualification & TRR Process</h2>
            <p class="text-center text-lg text-gray-600 mb-10 max-w-3xl mx-auto">
                A clear, staged approach for Solution Consultants to qualify opportunities and engage Domain Consultant expertise effectively for <span class="waas-text">WaaS</span>.
            </p>
            <div class="max-w-4xl mx-auto">
                <div class="playbook-stage border-l-4 border-[#FFD166]">
                    <h3 class="text-2xl font-semibold text-[#FFD166] mb-4">Stage 1: <span class="text-[#FFD166]">SC</span> Opportunity Qualification</h3>
                    <p class="text-gray-700 mb-4">Solution Consultants begin by assessing the customer's primary needs and environment to determine the optimal security approach.</p>

                    <div class="grid md:grid-cols-2 gap-6 mb-6">
                        <div class="playbook-question-card">
                            <h4 class="font-semibold text-lg text-[#073B4C] mb-2">❓ Key Question 1: Primary Traffic Focus?</h4>
                            <p class="text-sm text-gray-600">Is the main concern protecting inbound traffic to web applications and APIs, or securing broader network segments and east-west traffic within the cloud?</p>
                        </div>
                        <div class="playbook-question-card">
                            <h4 class="font-semibold text-lg text-[#073B4C] mb-2">❓ Key Question 2: Core Security Concern?</h4>
                            <p class="text-sm text-gray-600">Are they focused on OWASP Top 10 exploitation, API abuse, bot mitigation, and application-layer DDoS protection (<span class="waas-text">Runtime Security</span>)? Or on network segmentation, threat prevention at the VPC/VNet level, and container network security?</p>
                        </div>
                    </div>

                    <div class="text-center mb-6">
                        <p class="text-gray-700 mb-2 font-semibold">Based on answers, determine primary focus:</p>
                        <div class="flex flex-col sm:flex-row justify-center items-center gap-4">
                            <div class="text-center">
                                <p class="text-sm text-gray-600">Web App/API Traffic & <span class="waas-text">Runtime Security</span> Concerns?</p>
                                <div class="playbook-arrow">➡️</div>
                                <span class="playbook-decision bg-[#FFD166] text-[#073B4C]"><span class="waas-text">WaaS</span> Focus</span>
                            </div>
                            <p class="text-xl font-bold text-gray-400 mx-4 hidden sm:block">OR</p>
                            <div class="text-center">
                                <p class="text-sm text-gray-600">Network Segmentation & Broader Cloud Network Security?</p>
                                <div class="playbook-arrow">➡️</div>
                                <span class="playbook-decision bg-[#118AB2] text-white">Cloud-Native NGFW Focus</span>
                            </div>
                        </div>
                    </div>
                    <p class="text-sm text-gray-600 italic">Note: Some opportunities may require both. If <span class="waas-text">WaaS</span> is a significant component or complexity is high, proceed to TRR for <span class="waas-text">WaaS</span> expertise.</p>
                </div>

                <div class="playbook-arrow">⬇️</div>

                <div class="playbook-stage border-l-4 border-[#06D6A0]">
                    <h3 class="text-2xl font-semibold text-[#06D6A0] mb-4">Stage 2: TRR for <span class="text-[#06D6A0]">DC</span> Engagement (<span class="waas-text">WaaS</span> Focus)</h3>
                    <p class="text-gray-700 mb-4">If <span class="waas-text">WaaS</span> is the primary focus or a complex component, the <span class="font-semibold text-[#FFD166]">SC</span> opens a Technical Resource Request (TRR) to engage specialized Domain Consultant expertise.</p>

                    <div class="bg-white p-6 rounded-lg shadow-md text-center">
                        <span class="text-5xl mb-3 block">📄</span>
                        <h4 class="text-xl font-semibold text-[#073B4C] mb-2">Open Technical Resource Request (TRR)</h4>
                        <p class="text-gray-600 mb-4">Detailing customer requirements, <span class="waas-text">WaaS</span> discovery findings, and specific assistance needed.</p>
                        <div class="flex flex-col sm:flex-row justify-center items-center gap-4">
                            <div class="text-center p-3 border border-dashed border-[#06D6A0] rounded-md">
                                <p class="font-semibold text-[#06D6A0]">Engage Cortex Domain Consultant</p>
                                <p class="text-xs text-gray-500">For deep <span class="waas-text">WaaS</span>, API security, and Cortex platform expertise.</p>
                            </div>
                             <p class="text-lg font-bold text-gray-400 mx-2 hidden sm:block">OR</p>
                            <div class="text-center p-3 border border-dashed border-[#06D6A0] rounded-md">
                                <p class="font-semibold text-[#06D6A0]">Engage NetSec Domain Consultant</p>
                                <p class="text-xs text-gray-500">If <span class="waas-text">WaaS</span> needs are intertwined with complex cloud network security.</p>
                            </div>
                        </div>
                        <p class="text-sm text-gray-500 mt-6 italic"><span class="font-semibold text-[#06D6A0]">DC</span> provides advanced technical validation, POV execution, and specialized solution design for <span class="waas-text">WaaS</span>.</p>
                    </div>
                </div>
            </div>
        </section>

        <section id="timeline" class="mb-12 sm:mb-16">
            <h2 class="text-3xl sm:text-4xl section-title text-center">Project Roadmap: Phased Rollout</h2>
            <p class="text-center text-lg text-gray-600 mb-10 max-w-3xl mx-auto">
                A structured, phased approach ensures effective development, piloting, and deployment of the <span class="waas-text">WaaS</span> framework.
            </p>
            <div class="relative">
                <div class="hidden md:block absolute top-5 left-1/2 w-0.5 h-[calc(100%-2.5rem)] bg-gray-300 transform -translate-x-1/2"></div>

                <div class="grid md:grid-cols-5 gap-8">
                    <div class="md:text-center timeline-item md:relative">
                         <div class="md:hidden timeline-item::before"></div>
                         <div class="md:hidden timeline-item::after"></div>
                         <div class="md:absolute md:left-1/2 md:transform md:-translate-x-1/2 md:-mt-3 hidden md:block">
                            <div class="w-6 h-6 rounded-full bg-[#FF6B6B] border-4 border-white shadow-md"></div>
                        </div>
                        <div class="bg-white p-4 rounded-lg shadow-md md:mt-8">
                            <h4 class="font-semibold text-sm text-[#FF6B6B] mb-1">Sprint 1 (4-6 Weeks)</h4>
                            <p class="text-xs text-[#073B4C] font-medium">Initiation & Planning</p>
                            <p class="text-xs text-gray-500 mt-1">Executive alignment, detailed scoping, pilot team setup.</p>
                        </div>
                    </div>
                    <div class="md:text-center timeline-item md:relative">
                        <div class="md:hidden timeline-item::before"></div>
                        <div class="md:hidden timeline-item::after"></div>
                        <div class="md:absolute md:left-1/2 md:transform md:-translate-x-1/2 md:-mt-3 hidden md:block">
                            <div class="w-6 h-6 rounded-full bg-[#FFD166] border-4 border-white shadow-md"></div>
                        </div>
                        <div class="bg-white p-4 rounded-lg shadow-md md:mt-8">
                            <h4 class="font-semibold text-sm text-[#FFD166] mb-1">Sprint 2 (8-10 Weeks)</h4>
                            <p class="text-xs text-[#073B4C] font-medium">Design & Development</p>
                            <p class="text-xs text-gray-500 mt-1">DC guides, SC AI tool, Playbooks, initial enablement content.</p>
                        </div>
                    </div>
                    <div class="md:text-center timeline-item md:relative">
                        <div class="md:hidden timeline-item::before"></div>
                        <div class="md:hidden timeline-item::after"></div>
                        <div class="md:absolute md:left-1/2 md:transform md:-translate-x-1/2 md:-mt-3 hidden md:block">
                            <div class="w-6 h-6 rounded-full bg-[#06D6A0] border-4 border-white shadow-md"></div>
                        </div>
                        <div class="bg-white p-4 rounded-lg shadow-md md:mt-8">
                            <h4 class="font-semibold text-sm text-[#06D6A0] mb-1">Sprint 3 (6-8 Weeks)</h4>
                            <p class="text-xs text-[#073B4C] font-medium">Pilot & Iterate</p>
                            <p class="text-xs text-gray-500 mt-1">Tiger Team pilot, feedback gathering, refinement, initial impact measurement.</p>
                        </div>
                    </div>
                    <div class="md:text-center timeline-item md:relative">
                        <div class="md:hidden timeline-item::before"></div>
                        <div class="md:hidden timeline-item::after"></div>
                        <div class="md:absolute md:left-1/2 md:transform md:-translate-x-1/2 md:-mt-3 hidden md:block">
                            <div class="w-6 h-6 rounded-full bg-[#118AB2] border-4 border-white shadow-md"></div>
                        </div>
                        <div class="bg-white p-4 rounded-lg shadow-md md:mt-8">
                            <h4 class="font-semibold text-sm text-[#118AB2] mb-1">Phase 4 (4-6 Weeks)</h4>
                            <p class="text-xs text-[#073B4C] font-medium">Full Launch & Enablement</p>
                            <p class="text-xs text-gray-500 mt-1">Broad training, system go-live, GTM operationalization.</p>
                        </div>
                    </div>
                    <div class="md:text-center timeline-item md:relative">
                         <div class="md:hidden timeline-item::before"></div>
                        <div class="md:absolute md:left-1/2 md:transform md:-translate-x-1/2 md:-mt-3 hidden md:block">
                            <div class="w-6 h-6 rounded-full bg-[#073B4C] border-4 border-white shadow-md"></div>
                        </div>
                        <div class="bg-white p-4 rounded-lg shadow-md md:mt-8">
                            <h4 class="font-semibold text-sm text-[#073B4C] mb-1">Phase 5 (Ongoing)</h4>
                            <p class="text-xs text-[#073B4C] font-medium">Monitor, Optimize & Scale</p>
                            <p class="text-xs text-gray-500 mt-1">Track metrics, continuous improvement, feedback loops.</p>
                        </div>
                    </div>
                </div>
            </div>
        </section>

        <section id="phased-metrics" class="mb-12 sm:mb-16 bg-gray-100 py-12 rounded-lg">
            <h2 class="text-3xl sm:text-4xl section-title text-center">Phased Success Metrics: Tracking "<span class="text-[#FF6B6B]">WaaS UP</span>" Progress & Impact</h2>
            <p class="text-center text-lg text-gray-600 mb-10 max-w-3xl mx-auto">
                Measuring success at each stage ensures alignment and momentum, from initial planning through to long-term business impact.
            </p>
            <div class="grid md:grid-cols-2 lg:grid-cols-3 gap-6">
                <div class="metrics-phase-card border-t-4 border-[#FF6B6B]">
                    <h4 class="text-[#FF6B6B]">Sprint 1: Initiation & Planning</h4>
                    <p class="metric-focus">Focus: ✅ Completion & Alignment</p>
                    <ul>
                        <li><span class="metric-icon">🎯</span>Project Charter Approved: Target Y</li>
                        <li><span class="metric-icon">🤝</span>Stakeholder RACI Defined & Agreed: Target Y</li>
                        <li><span class="metric-icon">👥</span>Core Pilot Team Established: Target Y</li>
                    </ul>
                </div>
                <div class="metrics-phase-card border-t-4 border-[#FFD166]">
                    <h4 class="text-[#FFD166]">Sprint 2: Design & Development</h4>
                    <p class="metric-focus">Focus: 📄 Deliverable Quality & Readiness</p>
                    <ul>
                        <li><span class="metric-icon">🛠️</span>Draft DC <span class="waas-text">WaaS</span> Execution Guides: Target 100% Complete</li>
                        <li><span class="metric-icon">🤖</span>SC <span class="waas-text">WaaS</span> AI Discovery Toolkit v1.0 for Pilot: Target 100% Ready</li>
                        <li><span class="metric-icon">🎓</span>Initial Enablement Modules Drafted: Target 100% Complete</li>
                    </ul>
                </div>
                <div class="metrics-phase-card border-t-4 border-[#06D6A0]">
                    <h4 class="text-[#06D6A0]">Sprint 3: Pilot & Iterate</h4>
                    <p class="metric-focus">Focus: 📈 Adoption & Feedback</p>
                    <ul>
                        <li><span class="metric-icon">🙋</span>Pilot Team Active Participation Rate: Target >90%</li>
                        <li><span class="metric-icon">⭐</span>Positive Feedback Score (Tools/Resources): Target >4/5</li>
                        <li><span class="metric-icon">📝</span>'DC-ready' <span class="waas-text">WaaS</span> DORs by Pilot SCs: Target X</li>
                    </ul>
                </div>
                <div class="metrics-phase-card border-t-4 border-[#118AB2] md:col-span-1 lg:col-span-1">
                    <h4 class="text-[#118AB2]">Phase 4: Full Launch & Enablement</h4>
                    <p class="metric-focus">Focus: 🚀 Broad Proficiency & Process Adherence</p>
                    <ul>
                        <li><span class="metric-icon">🧑‍🏫</span>SC & DC <span class="waas-text">WaaS</span> Enablement Completion: Target >90%</li>
                        <li><span class="metric-icon">🔄</span><span class="waas-text">WaaS</span> Opps using new DOR/TRR Process (SFDC): Target >75%</li>
                        <li><span class="metric-icon">💪</span>DC Confidence Score in <span class="waas-text">WaaS</span> Execution: Target +1pt</li>
                    </ul>
                </div>
                <div class="metrics-phase-card border-t-4 border-[#073B4C] md:col-span-2 lg:col-span-2">
                    <h4 class="text-[#073B4C]">Phase 5: Monitor, Optimize & Scale</h4>
                    <p class="metric-focus">Focus: 🏆 Business Impact & ROI (SFDC Tracked)</p>
                    <ul>
                        <li><span class="metric-icon text-[#FF6B6B]">📊</span><span class="waas-text">WaaS</span> Technical Win Rate (SFDC): Target +15%</li>
                        <li><span class="metric-icon text-[#FFD166]">⏳</span>Median <span class="waas-text">WaaS</span> POV Duration (SFDC): Target ≤21 days</li>
                        <li><span class="metric-icon text-[#06D6A0]">💰</span>Associated <span class="waas-text">WaaS</span> Revenue Influenced (SFDC): Target $X M</li>
                        <li><span class="metric-icon text-[#118AB2]">📜</span>Quarterly Impact Reports Delivered: Target Y</li>
                    </ul>
                </div>
            </div>
        </section>

        <section id="tech-assets" class="mb-12 sm:mb-16">
            <h2 class="text-3xl sm:text-4xl section-title text-center">Leveraging Key Technologies & Assets</h2>
            <p class="text-center text-lg text-gray-600 mb-10 max-w-3xl mx-auto">
                This project will utilize and enhance our existing organizational technology stack to ensure seamless integration and adoption.
            </p>
            <div class="grid grid-cols-2 sm:grid-cols-3 lg:grid-cols-4 gap-4 sm:gap-6 text-center">
                <div class="bg-white p-4 rounded-lg shadow-md flex flex-col items-center justify-center aspect-square hover:shadow-lg transition-shadow">
                    <span class="text-3xl mb-2">🎓</span>
                    <h4 class="font-semibold text-sm text-[#073B4C]">PANW Learning Center</h4>
                </div>
                <div class="bg-white p-4 rounded-lg shadow-md flex flex-col items-center justify-center aspect-square hover:shadow-lg transition-shadow">
                    <span class="text-3xl mb-2">📊</span>
                    <h4 class="font-semibold text-sm text-[#073B4C]">Salesforce (SFDC)</h4>
                </div>
                <div class="bg-white p-4 rounded-lg shadow-md flex flex-col items-center justify-center aspect-square hover:shadow-lg transition-shadow">
                    <span class="text-3xl mb-2">📄</span>
                    <h4 class="font-semibold text-sm text-[#073B4C]">Design of Record (DoR)</h4>
                </div>
                <div class="bg-white p-4 rounded-lg shadow-md flex flex-col items-center justify-center aspect-square hover:shadow-lg transition-shadow">
                    <span class="text-3xl mb-2">📋</span>
                    <h4 class="font-semibold text-sm text-[#073B4C]">Asana</h4>
                </div>
                <div class="bg-white p-4 rounded-lg shadow-md flex flex-col items-center justify-center aspect-square hover:shadow-lg transition-shadow">
                    <span class="text-3xl mb-2">💡</span>
                    <h4 class="font-semibold text-sm text-[#073B4C]">Klue Competitive Intel</h4>
                </div>
                <div class="bg-white p-4 rounded-lg shadow-md flex flex-col items-center justify-center aspect-square hover:shadow-lg transition-shadow">
                    <span class="text-3xl mb-2">🕹️</span>
                    <h4 class="font-semibold text-sm text-[#073B4C]">Demo/Validation Assets</h4>
                </div>
                <div class="bg-white p-4 rounded-lg shadow-md flex flex-col items-center justify-center aspect-square hover:shadow-lg transition-shadow">
                    <span class="text-3xl mb-2">🛡️</span>
                    <h4 class="font-semibold text-sm text-[#073B4C]"><span class="waas-text">WaaS</span> Proof Assets</h4>
                </div>
                <div class="bg-white p-4 rounded-lg shadow-md flex flex-col items-center justify-center aspect-square hover:shadow-lg transition-shadow">
                    <span class="text-3xl mb-2">📚</span>
                    <h4 class="font-semibold text-sm text-[#073B4C]">Enablement Content</h4>
                </div>
            </div>
        </section>

        <section id="impact" class="mb-12 sm:mb-16 bg-gray-100 py-12 rounded-lg">
            <h2 class="text-3xl sm:text-4xl section-title text-center">Expected Impact & Success Metrics</h2>
            <p class="text-center text-lg text-gray-600 mb-10 max-w-3xl mx-auto">
                This initiative is poised to deliver substantial benefits across various teams and significantly move the needle on key performance indicators for <span class="waas-text">WaaS</span>.
            </p>
            <div class="grid md:grid-cols-2 gap-6 sm:gap-8 items-start">
                <div>
                    <h3 class="text-2xl font-semibold text-[#073B4C] mb-4">Benefits Across the Board:</h3>
                    <div class="space-y-4">
                        <div>
                            <h4 class="font-semibold text-[#06D6A0]"><span class="text-xl mr-1">⚙️</span> Domain Consultants (DCs):</h4>
                            <p class="text-sm text-gray-600">Enhanced capacity, superior resources, higher <span class="waas-text">WaaS</span> technical win rates, more impactful expertise utilization.</p>
                        </div>
                        <div>
                            <h4 class="font-semibold text-[#FFD166]"><span class="text-xl mr-1">💡</span> Solution Consultants (SCs):</h4>
                            <p class="text-sm text-gray-600">Clearer <span class="waas-text">WaaS</span> qualification guidance, AI-powered tools, successful handovers, improved early-funnel effectiveness.</p>
                        </div>
                        <div>
                            <h4 class="font-semibold text-[#FF6B6B]"><span class="text-xl mr-1">📈</span> Sales (AEs & Leadership):</h4>
                            <p class="text-sm text-gray-600">More reliable <span class="waas-text">WaaS</span> pipeline, faster sales cycles, increased <span class="waas-text">WaaS</span> revenue, better forecast accuracy.</p>
                        </div>
                        <div>
                            <h4 class="font-semibold text-[#118AB2]"><span class="text-xl mr-1">🏢</span> Organization (PANW):</h4>
                            <p class="text-sm text-gray-600">Enhanced <span class="waas-text">WaaS</span> adoption, improved competitive posture, scalable <span class="waas-text">WaaS</span> selling motion, stronger cloud platform story.</p>
                        </div>
                    </div>
                </div>
                <div class="chart-container h-[400px] md:h-[450px]">
                    <canvas id="metricsChart"></canvas>
                </div>
            </div>
             <div class="mt-10 grid grid-cols-2 md:grid-cols-3 gap-4 text-center">
                <div class="bg-white p-4 rounded-lg shadow-md">
                    <p class="text-3xl font-bold text-[#FF6B6B]">+15%</p>
                    <p class="text-sm text-gray-600">Target <span class="waas-text">WaaS</span> Tech Win Rate Increase</p>
                </div>
                <div class="bg-white p-4 rounded-lg shadow-md">
                    <p class="text-3xl font-bold text-[#FFD166]">≤21 Days</p>
                    <p class="text-sm text-gray-600">Target Median <span class="waas-text">WaaS</span> POV Duration</p>
                </div>
                <div class="bg-white p-4 rounded-lg shadow-md">
                    <p class="text-3xl font-bold text-[#06D6A0]">+25%</p>
                    <p class="text-sm text-gray-600">Target 'DC-Ready' <span class="waas-text">WaaS</span> DORs from SCs</p>
                </div>
                <div class="bg-white p-4 rounded-lg shadow-md">
                    <p class="text-3xl font-bold text-[#118AB2]">90%</p>
                    <p class="text-sm text-gray-600">Target <span class="waas-text">WaaS</span> TRRs Closed Successfully</p>
                </div>
                <div class="bg-white p-4 rounded-lg shadow-md">
                    <p class="text-3xl font-bold text-[#073B4C]">90%</p>
                    <p class="text-sm text-gray-600">Target <span class="waas-text">WaaS</span> Enablement Completion</p>
                </div>
                 <div class="bg-white p-4 rounded-lg shadow-md">
                    <p class="text-3xl font-bold text-[#FF6B6B]">+1pt</p>
                    <p class="text-sm text-gray-600">Target DC Confidence Score Increase</p>
                </div>
            </div>
        </section>

        <section id="cdr-synergy" class="mb-12 sm:mb-16">
            <h2 class="text-3xl sm:text-4xl section-title text-center"><span class="waas-text">WaaS</span> & CDR Synergy: Enhancing Attack Simulations</h2>
            <p class="text-center text-lg text-gray-600 mb-10 max-w-3xl mx-auto">
                "<span class="text-[#FF6B6B]">WaaS UP</span>" directly strengthens our Cortex Cloud ecosystem by ensuring <span class="waas-text">Web Application and API Security</span> deployments are robustly configured. This, in turn, significantly enhances the realism and effectiveness of Cyber Defense Readiness (CDR) attack simulations.
            </p>
            <div class="max-w-2xl mx-auto">
                <div class="cdr-flow-step border-l-4 border-[#118AB2]">
                    <h4 class="text-lg font-semibold text-[#118AB2] mb-1">1. "<span class="text-[#FF6B6B]">WaaS UP</span>" Foundations</h4>
                    <p class="text-sm text-gray-600">Improved <span class="waas-text">WaaS</span> Discovery & Qualification by <span class="font-semibold text-[#FFD166]">SCs</span> using AI tools, leading to better initial scoping.</p>
                    <p class="text-sm text-gray-600 mt-1">Enhanced <span class="waas-text">WaaS</span> Technical Execution & POV Validation by <span class="font-semibold text-[#06D6A0]">DCs</span> using standardized playbooks and resources.</p>
                </div>
                <div class="text-center cdr-arrow">⬇️</div>
                <div class="cdr-flow-step border-l-4 border-[#06D6A0]">
                    <h4 class="text-lg font-semibold text-[#06D6A0] mb-1">2. Accurately Configured <span class="waas-text">WaaS</span> Deployments</h4>
                    <p class="text-sm text-gray-600">The outcome of "<span class="text-[#FF6B6B]">WaaS UP</span>" is web applications and APIs protected by Cortex <span class="waas-text">WaaS</span> that is correctly implemented, hardened, and aligned with best practices and specific customer needs.</p>
                </div>
                <div class="text-center cdr-arrow">⬇️</div>
                <div class="cdr-flow-step border-l-4 border-[#FF6B6B]">
                    <h4 class="text-lg font-semibold text-[#FF6B6B] mb-1">3. More Realistic & Effective CDR Attack Simulations</h4>
                    <p class="text-sm text-gray-600">CDR teams can now simulate attacks against a more accurately represented and defended attack surface. This means:</p>
                    <ul class="list-disc list-inside text-xs text-gray-500 space-y-1 mt-1 pl-4">
                        <li>Simulations test true <span class="waas-text">WaaS</span> efficacy, not misconfigurations.</li>
                        <li>Detection and response capabilities are validated against sophisticated, relevant threats.</li>
                        <li>Security posture assessments are more reliable.</li>
                    </ul>
                </div>
                <div class="text-center cdr-arrow">⬇️</div>
                 <div class="cdr-flow-step border-l-4 border-[#073B4C]">
                    <h4 class="text-lg font-semibold text-[#073B4C] mb-1">4. Iterative Improvement Loop (Relates to "Iterate")</h4>
                    <p class="text-sm text-gray-600">Insights from CDR attack simulations (e.g., new attack vectors, <span class="waas-text">WaaS</span> bypass techniques observed) feed back into "<span class="text-[#FF6B6B]">WaaS UP</span>". This allows for:</p>
                    <ul class="list-disc list-inside text-xs text-gray-500 space-y-1 mt-1 pl-4">
                        <li>Refinement of <span class="waas-text">WaaS</span> playbooks and POV kits by <span class="font-semibold text-[#06D6A0]">DCs</span>.</li>
                        <li>Updates to AI discovery tools and qualification criteria for <span class="font-semibold text-[#FFD166]">SCs</span>.</li>
                        <li>Continuous enhancement of Cortex <span class="waas-text">WaaS</span> best practices and product features.</li>
                    </ul>
                </div>
            </div>
        </section>

        <section id="migration-arbitrage" class="mb-12 sm:mb-16 bg-gray-100 py-12 rounded-lg">
            <h2 class="text-3xl sm:text-4xl section-title text-center">The Cortex Cloud Advantage: Migration Arbitrage & Enhanced Protection</h2>
            <p class="text-center text-lg text-gray-600 mb-10 max-w-3xl mx-auto">
                Migrating to Cortex Cloud, with <span class="waas-text">WaaS</span> as a key upsell, offers a significant value arbitrage by consolidating security, increasing agent saturation, and providing superior <span class="waas-text">runtime security</span> for cloud-native and AI workloads.
            </p>
            <div class="grid md:grid-cols-3 gap-6 items-center">
                <div class="arbitrage-card text-center">
                    <span class="arbitrage-icon text-gray-500">🛡️</span>
                    <h4 class="text-xl font-semibold text-gray-700 mb-2">Current State: Prisma Cloud Focus</h4>
                    <p class="text-sm text-gray-600 mb-2">Reliance on Prisma Cloud Defenders for workload protection.</p>
                    <div class="mt-auto">
                        <p class="text-lg font-medium text-gray-600">Defender Coverage</p>
                        <p class="text-xs text-gray-500">(Baseline Protection)</p>
                    </div>
                </div>

                <div class="text-center py-6 md:py-0">
                    <div class="text-5xl text-[#FF6B6B] font-bold animate-pulse">➡️</div>
                    <p class="text-sm font-semibold text-[#FF6B6B] mt-2">Strategic Shift & <span class="waas-text">WaaS</span> Upsell</p>
                </div>

                <div class="arbitrage-card text-center border-t-4 border-[#06D6A0]">
                    <span class="arbitrage-icon text-[#06D6A0]">🚀</span>
                    <h4 class="text-xl font-semibold text-[#06D6A0] mb-2">Future State: Cortex Cloud Advantage</h4>
                    <div class="space-y-3 mb-3">
                        <div>
                            <p class="text-lg font-medium text-[#073B4C]">📈 XDR Agent Coverage</p>
                            <p class="text-xs text-gray-500">(Broader, Consolidated Endpoint & Cloud Security)</p>
                        </div>
                        <div>
                            <p class="text-lg font-medium text-[#06D6A0]">➕ <span class="waas-text">WaaS</span> Agent Saturation (Marginal Gain)</p>
                            <p class="text-xs text-gray-500">(Dedicated <span class="waas-text">Runtime Security</span> for Apps & APIs)</p>
                        </div>
                    </div>
                    <p class="text-sm text-gray-600 mt-auto">Resulting in greater adoption, superior protection for cloud-native & AI workloads, and robust <span class="waas-text">runtime security</span>.</p>
                </div>
            </div>
        </section>

        <section id="waas-ai-importance" class="mb-12 sm:mb-16">
            <h2 class="text-3xl sm:text-4xl section-title text-center"><span class="waas-text">WaaS</span> in the Age of AI: The <span class="waas-text">Runtime Security</span> Imperative</h2>
            <p class="text-center text-lg text-gray-600 mb-10 max-w-3xl mx-auto">
                As AI revolutionizes industries, the web applications and APIs that expose AI models and data become prime targets. Effective <span class="waas-text">WaaS</span> provides essential <span class="highlight-text"><span class="waas-text">runtime security</span></span>, which is non-negotiable for protecting these intelligent systems and ensuring trustworthy AI innovation. "<span class="text-[#FF6B6B]">WaaS UP</span>" champions this.
            </p>
            <div class="grid md:grid-cols-2 gap-6">
                <div class="ai-impact-card">
                    <span class="ai-impact-icon text-[#FF6B6B]">🛡️</span>
                    <div>
                        <h4 class="font-semibold text-lg text-[#073B4C] mb-1">Protecting AI Data & Model Integrity</h4>
                        <p class="text-sm text-gray-600"><span class="waas-text">WaaS</span> inspects requests to AI endpoints at runtime, blocking malformed or malicious inputs before they reach the model and filtering responses for sensitive-data leakage, which is crucial for AI reliability. It is a web-layer control: poisoning of training data that arrives through other channels still needs controls on the data pipeline itself.</p>
                    </div>
                </div>
                <div class="ai-impact-card">
                    <span class="ai-impact-icon text-[#FFD166]">🔗</span>
                    <div>
                        <h4 class="font-semibold text-lg text-[#073B4C] mb-1">Securing AI-Powered APIs at Runtime</h4>
                        <p class="text-sm text-gray-600">AI services are exposed via APIs. <span class="waas-text">WaaS</span> provides runtime defense against abuse, unauthorized access, DDoS, and injection payloads aimed at the model's prompt or decision logic itself.</p>
                    </div>
                </div>
                <div class="ai-impact-card">
                    <span class="ai-impact-icon text-[#06D6A0]">🤺</span>
                    <div>
                        <h4 class="font-semibold text-lg text-[#073B4C] mb-1">Mitigating Sophisticated & Automated Attacks</h4>
                        <p class="text-sm text-gray-600">AI systems attract advanced bots. <span class="waas-text">WaaS</span> offers runtime bot mitigation and traffic filtering to counter credential stuffing, scraping, and service disruption attempts.</p>
                    </div>
                </div>
                <div class="ai-impact-card">
                    <span class="ai-impact-icon text-[#118AB2]">⏱️</span>
                    <div>
                        <h4 class="font-semibold text-lg text-[#073B4C] mb-1">Ensuring AI Service Availability & Performance</h4>
                        <p class="text-sm text-gray-600">Business-critical AI applications require constant uptime. <span class="waas-text">WaaS runtime protection</span> is key to maintaining availability by thwarting disruptive attacks.</p>
                    </div>
                </div>
                <div class="ai-impact-card md:col-span-2">
                    <span class="ai-impact-icon text-[#073B4C]">✅</span>
                    <div>
                        <h4 class="font-semibold text-lg text-[#073B4C] mb-1">Fostering Compliance, Trust & Ethical AI</h4>
                        <p class="text-sm text-gray-600">Robust <span class="waas-text">WaaS runtime security</span> is vital for user trust in AI, especially with sensitive data, and for meeting evolving AI compliance and ethical standards.</p>
                    </div>
                </div>
            </div>
        </section>

        <section id="cnfw-ai-importance" class="mb-12 sm:mb-16 bg-gray-100 py-12 rounded-lg">
            <h2 class="text-3xl sm:text-4xl section-title text-center">Cloud-Native Firewalls: Agile Security for AI Infrastructure</h2>
            <p class="text-center text-lg text-gray-600 mb-10 max-w-3xl mx-auto">
                Rapid AI development thrives on dynamic cloud-native architectures. Cloud-Native Firewalls (CNFWs) provide the essential, agile security fabric to protect the underlying infrastructure that supports these AI workloads.
            </p>
            <div class="grid md:grid-cols-2 gap-6">
                 <div class="ai-impact-card">
                    <span class="ai-impact-icon text-[#06D6A0]">🧱</span>
                    <div>
                        <h4 class="font-semibold text-lg text-[#073B4C] mb-1">Microsegmentation for AI Workloads</h4>
                        <p class="text-sm text-gray-600">CNFWs enable fine-grained security policies between microservices that constitute AI applications, limiting lateral threat movement and isolating critical AI components.</p>
                    </div>
                </div>
                <div class="ai-impact-card">
                    <span class="ai-impact-icon text-[#118AB2]">☁️</span>
                    <div>
                        <h4 class="font-semibold text-lg text-[#073B4C] mb-1">Securing Ephemeral AI Infrastructure</h4>
                        <p class="text-sm text-gray-600">AI workloads often scale dynamically. CNFWs provide consistent security for these ephemeral containerized environments, adapting to rapid changes.</p>
                    </div>
                </div>
                <div class="ai-impact-card">
                    <span class="ai-impact-icon text-[#FF6B6B]">👁️</span>
                    <div>
                        <h4 class="font-semibold text-lg text-[#073B4C] mb-1">Visibility in Complex AI Deployments</h4>
                        <p class="text-sm text-gray-600">CNFWs offer deep visibility into traffic flows within Kubernetes clusters and between AI application components, crucial for threat detection and troubleshooting.</p>
                    </div>
                </div>
                <div class="ai-impact-card…
…ock files will accidentally introduce different downstream dependencies that are called when the application is created
Comment thread iac-files/azure-iac.tf
location = azurerm_resource_group.example.location
version = "12.0"
administrator_login = "ariel"
administrator_login_password = "Aa12345678"
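
Review bot: `administrator_login_password = "Aa12345678"` commits a plaintext administrator credential for the `ariel` login to source, and it is a short, guessable password rather than the high-entropy blob the secret scanner's rule name suggests. Replace the literal with a `variable` declared `sensitive = true` (or a `random_password` resource whose value is written to Key Vault) and rotate the credential before merge, since it already lives in the branch history.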


LOW  [Secret] Base64 High Entropy String
    Rule ID: APPSEC_SECRET_6

Description

Base64 High Entropy Strings with a secret or password keyword were exposed in the source code, posing a security risk by potentially indicating the presence of sensitive information such as API keys, tokens, or passwords. Base64 High Entropy Strings are often used to encode binary data or sensitive information, which can be decoded to reveal confidential data. This exposure could lead to data breaches, unauthorized access, or misuse of sensitive information.

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {
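
Review bot: the context shows only the resource header, but the findings attached to `azurerm_kubernetes_cluster.k8s_cluster` (RBAC, local admin account, API server authorized IP ranges, network policy, private cluster, Azure Policy add-on, monitoring, secret rotation) are all arguments of this one resource and should be fixed in a single change rather than triaged one LOW at a time. With the azurerm v3 schema that is `role_based_access_control_enabled = true`, `local_account_disabled = true` and `network_profile { network_policy = "azure" }` at minimum, plus either `private_cluster_enabled = true` or an `api_server_access_profile` with `authorized_ip_ranges`; both address the same exposure (an API server reachable from any address), so pick one deliberately.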


HIGH  [IaC] Ensure that the AKS cluster encrypts temp disks, caches, and data flows between Compute and Storage resources
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC_AZURE_227

Description

Ensure that the AKS cluster encrypts temp disks, caches, and data flows

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {


LOW  [IaC] Ensure that AKS uses Azure Policies Add-on
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC_AZURE_116

Description

Ensure that AKS uses Azure Policies Add-on

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {


MEDIUM  [IaC] Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC_AZURE_172

Description

Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {


LOW  [IaC] Ensure Azure Kubernetes Cluster (AKS) nodes use a minimum of 50 pods.
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC_AZURE_168

Description

Ensure Azure Kubernetes Cluster (AKS) nodes use a minimum of 50 pods.

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {


MEDIUM  [IaC] Ensure ephemeral disks are used for OS disks
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC_AZURE_226

Description

Ensure ephemeral disks are used for OS disks

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {


LOW  [IaC] Ensure AKS has an API Server Authorized IP Ranges enabled
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC_AZURE_6

Description

This policy identifies AKS clusters configured with overly permissive API server access. In Kubernetes, the API server receives requests to perform actions in the cluster such as to create resources or scale the number of nodes. To enhance cluster security and minimize attacks, the API server should only be accessible from a limited set of IP address ranges. These IP ranges allow defined IP address ranges to communicate with the API server. A request made to the API server from an IP address that is not part of these authorized IP ranges is blocked. It is recommended to configure AKS cluster with defined IP address ranges to communicate with the API server.

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {


LOW  [IaC] Ensure Kubernetes Dashboard is disabled
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC_AZURE_8

Description

Ensure Kube Dashboard is disabled

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {


HIGH  [IaC] Ensure that only critical system pods run on system nodes
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC_AZURE_232

Description

Ensure that only critical system pods run on system nodes

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {


MEDIUM  [IaC] Ensure RBAC is enabled on AKS clusters
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC_AZURE_5

Description

To provide granular filtering of the actions that users can perform, Kubernetes uses role-based access controls (RBAC). This control mechanism lets you assign users, or groups of users, permission to do things like create or modify resources, or view logs from running application workloads. These permissions can be scoped to a single namespace, or granted across the entire AKS cluster. This policy checks your AKS cluster RBAC setting and alerts if disabled.

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {


LOW  [IaC] Ensure AKS logging to Azure Monitoring is Configured
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC_AZURE_4

Description

Azure Monitor for containers is a feature designed to monitor the performance of container workloads deployed to either Azure Container Instances or managed Kubernetes clusters hosted on Azure Kubernetes Service (AKS). Monitoring your containers is critical, especially when you're running a production cluster, at scale, with multiple applications. This policy checks your AKS cluster monitoring add-on setting and alerts if no configuration is found, or monitoring is disabled.

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {


LOW  [IaC] Ensure that AKS uses the Paid SKU for its SLA
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC_AZURE_170

Description

Ensure that AKS uses the Paid SKU for its SLA

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {


LOW  [IaC] Ensure that AKS enables private clusters
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC_AZURE_115

Description

Ensure that AKS enables private clusters

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {


LOW  [IaC] Ensure that AKS uses disk encryption set
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC_AZURE_117

Description

This policy identifies AKS clusters that are not configured with disk encryption set. Azure Key Vault Provider for Secrets Store CSI Driver allows for the integration of an Azure key vault as a secrets store with an Azure Kubernetes Service (AKS) cluster via a CSI volume. It is recommended to enable secret store CSI driver for your Kubernetes clusters.

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {


LOW  [IaC] Ensure AKS cluster has Network Policy configured
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC_AZURE_7

Description

Ensure AKS cluster has Network Policy configured

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {


LOW  [IaC] Ensure AKS cluster upgrade channel is chosen
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC_AZURE_171

Description

Ensure AKS cluster upgrade channel is chosen

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {


LOW  [IaC] Ensure AKS local admin account is disabled
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC_AZURE_141

Description

Ensure AKS local admin account is disabled
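
For the seventeen cluster findings above, this is what a single hardened `azurerm_kubernetes_cluster` looks like once all of them are addressed. It is an added example, not code from this PR or from the scanner; it assumes the azurerm v3 provider schema, and the referenced `azurerm_resource_group.example`, `azurerm_log_analytics_workspace.example` and `azurerm_disk_encryption_set.example` resources and the 203.0.113.0/24 range are placeholders.

```hcl
# Added example (not from the PR): one azurerm_kubernetes_cluster that closes every
# AKS finding listed above. Provider schema assumed: azurerm v3.x. The "example"
# resource group / Log Analytics workspace / disk encryption set and the
# 203.0.113.0/24 range are placeholders.
resource "azurerm_kubernetes_cluster" "k8s_cluster" {
  name                = "aks-hardened"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "aks-hardened"

  sku_tier                  = "Standard" # APPSEC_AZURE_170: paid SLA tier ("Paid" on older v3 releases)
  automatic_channel_upgrade = "stable"   # APPSEC_AZURE_171: choose an upgrade channel explicitly
  private_cluster_enabled   = true       # APPSEC_AZURE_115: no public API server endpoint at all
  # If the cluster must keep a public endpoint, drop the line above and restrict it
  # instead (APPSEC_AZURE_6): api_server_access_profile { authorized_ip_ranges = ["203.0.113.0/24"] }

  role_based_access_control_enabled = true # APPSEC_AZURE_5
  local_account_disabled            = true # APPSEC_AZURE_141: no static admin kubeconfig, Entra ID only
  azure_policy_enabled              = true # APPSEC_AZURE_116: Azure Policy (Gatekeeper) add-on
  disk_encryption_set_id            = azurerm_disk_encryption_set.example.id # APPSEC_AZURE_117: CMK for node and PV disks

  default_node_pool {
    name                         = "system"
    vm_size                      = "Standard_D4s_v3"
    node_count                   = 3
    max_pods                     = 50          # APPSEC_AZURE_168
    os_disk_type                 = "Ephemeral" # APPSEC_AZURE_226: OS disk lives in VM cache, nothing persists off-host
    only_critical_addons_enabled = true        # APPSEC_AZURE_232: CriticalAddonsOnly taint keeps app pods off the system pool
    enable_host_encryption       = true        # APPSEC_AZURE_227: temp disks and caches encrypted on the host (EncryptionAtHost feature must be registered)
  }

  identity {
    type = "SystemAssigned"
  }

  azure_active_directory_role_based_access_control {
    managed            = true
    azure_rbac_enabled = true # Kubernetes authorization decisions come from Azure RBAC role assignments
  }

  network_profile {
    network_plugin = "azure"
    network_policy = "azure" # APPSEC_AZURE_7: without this, NetworkPolicy objects are accepted and silently ignored
  }

  oms_agent { # APPSEC_AZURE_4: Container Insights to Log Analytics
    log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
  }

  key_vault_secrets_provider { # APPSEC_AZURE_172: Secrets Store CSI driver with autorotation
    secret_rotation_enabled  = true
    secret_rotation_interval = "2m"
  }
}
```

Two of the findings do not map onto this block. The Kubernetes Dashboard check (APPSEC_AZURE_8) has no argument in the v3 schema because the add-on was retired from AKS; on a v2 provider it was `addon_profile { kube_dashboard { enabled = false } }`. The 50-pod minimum and the paid SKU are operational rather than security settings, so treat them as exceptions if the cluster is a lab. Everything else should close on the next scan of the plan.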

Comment thread iac-files/azure-iac.tf
}
}

resource azurerm_app_service "app-service1" {
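
Review bot: `azurerm_app_service` is deprecated in the azurerm v3 provider and removed in v4, so new code should target `azurerm_linux_web_app` or `azurerm_windows_web_app`; otherwise the findings below get fixed on a resource that cannot be upgraded. If the resource stays as-is for now, the FTP, TLS and HTTP/2 findings are three arguments in `site_config` (`ftps_state = "Disabled"`, `min_tls_version = "1.2"`, `http2_enabled = true`), `https_only = true` belongs at the top level, and the managed-identity finding is an `identity { type = "SystemAssigned" }` block.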


LOW  [IaC] Ensure that 'HTTP Version' is the latest if used to run the web app
    Asset: /iac-files/azure-iac.tf:azurerm_app_service.app-service1 | Rule ID: APPSEC_AZURE_18

Description

HTTP 2.0 has additional performance improvements on the head-of-line blocking problem of the old HTTP version, header compression, and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient, mechanisms for data streaming.

Comment thread iac-files/azure-iac.tf
}
}

resource azurerm_app_service "app-service1" {


LOW  [IaC] Ensure that App service enables detailed error messages
    Asset: /iac-files/azure-iac.tf:azurerm_app_service.app-service1 | Rule ID: APPSEC_AZURE_65

Description

Ensure that App service enables detailed error messages

Comment thread iac-files/azure-iac.tf
}
}

resource azurerm_app_service "app-service1" {


LOW  [IaC] Ensure that app services use Azure Files
    Asset: /iac-files/azure-iac.tf:azurerm_app_service.app-service1 | Rule ID: APPSEC_AZURE_88

Description

Ensure that app services use Azure Files

Comment thread iac-files/azure-iac.tf
}
}

resource azurerm_app_service "app-service1" {


LOW  [IaC] Ensure FTP deployments are disabled
    Asset: /iac-files/azure-iac.tf:azurerm_app_service.app-service1 | Rule ID: APPSEC_AZURE_78

Description

This policy identifies Azure App Services which have the FTP deployment setting as 'All allowed'. An attacker could listen to Wi-Fi traffic and get the login credentials to an FTP deployment, which could be in plain text, and gain full control of the code base of the app or service. It is highly recommended to use FTPS if FTP deployment is essential for the workflow; otherwise, disable FTP deployment for Azure App Services.

Comment thread iac-files/azure-iac.tf
}
}

resource azurerm_app_service "app-service1" {


LOW  [IaC] Ensure the web app has 'Client Certificates (Incoming client certificates)' set
    Asset: /iac-files/azure-iac.tf:azurerm_app_service.app-service1 | Rule ID: APPSEC_AZURE_17

Description

This policy identifies Azure web apps which are not set with client certificate. Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.

Comment thread iac-files/azure-iac.tf
}
}

resource azurerm_app_service "app-service1" {


LOW  [IaC] Ensure web app is using the latest version of TLS encryption
    Asset: /iac-files/azure-iac.tf:azurerm_app_service.app-service1 | Rule ID: APPSEC_AZURE_15

Description

This policy identifies Azure web apps that are not configured with the latest version of TLS encryption. Azure Web Apps provide a platform to host and manage web applications securely. Using the latest TLS version is crucial for maintaining secure connections. Older versions of TLS, such as 1.0 and 1.1, have known vulnerabilities that can be exploited by attackers. Upgrading to newer versions like TLS 1.2 or 1.3 ensures that the web app is better protected against modern security threats. It is highly recommended to use the latest TLS version (greater than 1.1) for secure web app connections.

Comment thread iac-files/azure-iac.tf
}
}

resource azurerm_app_service "app-service1" {


MEDIUM  [IaC] Ensure that Register with Azure Active Directory is enabled on App Service
    Asset: /iac-files/azure-iac.tf:azurerm_app_service.app-service1 | Rule ID: APPSEC_AZURE_16

Description

Ensure that Register with Azure Active Directory is enabled on App Service

Comment thread iac-files/azure-iac.tf
}
}

resource azurerm_app_service "app-service1" {


LOW  [IaC] Ensure that Managed identity provider is enabled for app services
    Asset: /iac-files/azure-iac.tf:azurerm_app_service.app-service1 | Rule ID: APPSEC_AZURE_71

Description

This policy identifies Azure App Services that are not configured with managed service identity. Managed Service Identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need for username and passwords.

Comment thread iac-files/azure-iac.tf
}
}

resource azurerm_app_service "app-service1" {


LOW  [IaC] Ensure App Service Authentication is set on Azure App Service
    Asset: /iac-files/azure-iac.tf:azurerm_app_service.app-service1 | Rule ID: APPSEC_AZURE_13

Description

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.
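
The nine App Service findings above all land on one resource. The following is an added example, not code from this PR: it uses `azurerm_linux_web_app`, the v3-era replacement for the deprecated `azurerm_app_service` the PR declares, with the arguments that close each finding. The `azurerm_service_plan.example` reference, the Entra ID client ID and the tenant in the token endpoint are placeholders.

```hcl
# Added example (not from the PR): replacement for the deprecated azurerm_app_service,
# with the App Service findings above closed. Assumes azurerm v3.x; the service plan,
# the application (client) ID and the tenant ID are placeholders.
resource "azurerm_linux_web_app" "app_service1" {
  name                = "app-hardened-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  service_plan_id     = azurerm_service_plan.example.id

  https_only                 = true       # plaintext HTTP is redirected, never served
  client_certificate_enabled = true       # APPSEC_AZURE_17: mutual TLS on incoming requests
  client_certificate_mode    = "Required" # callers without a certificate are rejected, not just unlabelled

  identity { # APPSEC_AZURE_71 and APPSEC_AZURE_16: managed identity registered in Entra ID, no stored secrets
    type = "SystemAssigned"
  }

  site_config {
    ftps_state          = "Disabled" # APPSEC_AZURE_78: no FTP or FTPS deployment endpoint at all
    minimum_tls_version = "1.2"      # APPSEC_AZURE_15
    http2_enabled       = true       # APPSEC_AZURE_18
  }

  auth_settings_v2 { # APPSEC_AZURE_13: platform authentication in front of the app code
    auth_enabled           = true
    require_authentication = true
    unauthenticated_action = "RedirectToLoginPage"
    default_provider       = "azureactivedirectory"
    active_directory_v2 {
      client_id            = "00000000-0000-0000-0000-000000000000" # placeholder app registration
      tenant_auth_endpoint = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
    }
    login {
      token_store_enabled = true
    }
  }

  logs { # APPSEC_AZURE_65: detailed errors and failed-request traces go to the log stream, not the client
    detailed_error_messages = true
    failed_request_tracing  = true
  }
}
```

The Azure Files finding (APPSEC_AZURE_88) is a `storage_account { type = "AzureFiles" ... }` block on the same resource and only applies if the app needs a mounted share; it is omitted here because mounting one with an account key would reintroduce the stored secret the managed identity removes.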

Comment thread iac-files/azure-iac.tf
retention_days = 20
}

resource "azurerm_mysql_server" "example" {
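
Review bot: all three MySQL findings map to arguments on `azurerm_mysql_server.example`: `ssl_enforcement_enabled = true` (pair it with `ssl_minimal_tls_version_enforced = "TLS1_2"`), `public_network_access_enabled = false`, and a `threat_detection_policy { enabled = true }` block. Note also that this resource type provisions Azure Database for MySQL Single Server, which Microsoft has retired; for a new deployment use `azurerm_mysql_flexible_server`, where a `delegated_subnet_id` replaces the public endpoint.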


LOW  [IaC] Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
    Asset: /iac-files/azure-iac.tf:azurerm_mysql_server.example | Rule ID: APPSEC_AZURE_28

Description

This policy identifies Azure MySQL database servers for which the SSL connection is disabled. SSL connectivity helps to provide a new layer of security by connecting the database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and application.

Comment thread iac-files/azure-iac.tf
retention_days = 20
}

resource "azurerm_mysql_server" "example" {


MEDIUM  [IaC] Ensure 'public network access enabled' is set to 'False' for MySQL servers
    Asset: /iac-files/azure-iac.tf:azurerm_mysql_server.example | Rule ID: APPSEC_AZURE_53

Description

Ensure 'public network access enabled' is set to 'False' for MySQL servers

Comment thread iac-files/azure-iac.tf
retention_days = 20
}

resource "azurerm_mysql_server" "example" {


LOW  [IaC] Ensure that MySQL server enables Threat detection policy
    Asset: /iac-files/azure-iac.tf:azurerm_mysql_server.example | Rule ID: APPSEC_AZURE_127

Description

Ensure that MySQL server enables Threat detection policy

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_postgresql_server" "example" {
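
Review bot: the PostgreSQL findings are the same set of arguments as on the MySQL server above: `ssl_enforcement_enabled = true` with `ssl_minimal_tls_version_enforced = "TLS1_2"`, `public_network_access_enabled = false`, `geo_redundant_backup_enabled = true`, and a `threat_detection_policy { enabled = true }` block. Geo-redundant backup is only offered on the General Purpose and Memory Optimized tiers, so check `sku_name` before enabling it, and note that Single Server (`azurerm_postgresql_server`) is retired in favour of `azurerm_postgresql_flexible_server`.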


LOW  [IaC] Ensure PostgreSQL is using the latest version of TLS encryption
    Asset: /iac-files/azure-iac.tf:azurerm_postgresql_server.example | Rule ID: APPSEC_AZURE_147

Description

Ensure PostgreSQL is using the latest version of TLS encryption

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_postgresql_server" "example" {


LOW  [IaC] Ensure that PostgreSQL server enables Threat detection policy
    Asset: /iac-files/azure-iac.tf:azurerm_postgresql_server.example | Rule ID: APPSEC_AZURE_128

Description

Ensure that PostgreSQL server enables Threat detection policy

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_postgresql_server" "example" {


LOW  [IaC] Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
    Asset: /iac-files/azure-iac.tf:azurerm_postgresql_server.example | Rule ID: APPSEC_AZURE_29

Description

This policy identifies PostgreSQL database servers for which SSL enforce status is disabled. SSL connectivity helps to provide a new layer of security by connecting the database server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between the database server and client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and application.

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_postgresql_server" "example" {


LOW  [IaC] Ensure that PostgreSQL server disables public network access
    Asset: /iac-files/azure-iac.tf:azurerm_postgresql_server.example | Rule ID: APPSEC_AZURE_68

Description

Ensure that PostgreSQL server disables public network access

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_postgresql_server" "example" {


LOW  [IaC] Ensure that PostgreSQL server enables geo-redundant backups
    Asset: /iac-files/azure-iac.tf:azurerm_postgresql_server.example | Rule ID: APPSEC_AZURE_102

Description

Ensure that PostgreSQL server enables geo-redundant backups

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_postgresql_configuration" "thrtottling_config" {


LOW  [IaC] Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
    Asset: /iac-files/azure-iac.tf:azurerm_postgresql_configuration.thrtottling_config | Rule ID: APPSEC_AZURE_32

Description

This policy identifies PostgreSQL database servers for which the server parameter is not set for connection throttling. Enabling connection_throttling helps the PostgreSQL Database to set the verbosity of logged messages, which in turn generates query and error logs with respect to concurrent connections that could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.

Comment thread iac-files/azure-iac.tf
value = "off"
}

resource "azurerm_postgresql_configuration" "example" {
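
Review bot: the `value = "off"` closing the preceding `azurerm_postgresql_configuration` block is the setting APPSEC_AZURE_32 flags for `connection_throttling`; set it to `"on"`, and do the same for `log_checkpoints` in this resource so both audit findings close together. The resource name `thrtottling_config` is also misspelled; rename it to `throttling_config` (with a `moved` block or `terraform state mv` if it is already applied) before more code references it.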


LOW  [IaC] Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
    Asset: /iac-files/azure-iac.tf:azurerm_postgresql_configuration.example | Rule ID: APPSEC_AZURE_30

Description

This policy identifies PostgreSQL database servers for which the server parameter is not set for log checkpoints. Enabling log_checkpoints helps the PostgreSQL Database to log each checkpoint, which in turn generates query and error logs. However, access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.
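
The PostgreSQL server findings and the two server-parameter findings above are closed by the configuration below. It is an added example, not code from this PR; it assumes the azurerm v3 schema, `azurerm_resource_group.example` and the `psql_admin_password` variable are placeholders, and the same arguments (`ssl_enforcement_enabled`, `ssl_minimal_tls_version_enforced`, `public_network_access_enabled`, `threat_detection_policy`) exist on `azurerm_mysql_server`, so the MySQL findings on this page are fixed the same way.

```hcl
# Added example (not from the PR): a PostgreSQL Single Server plus its server
# parameters with the findings above closed. Assumes azurerm v3.x; the resource
# group reference and the password variable are placeholders.
variable "psql_admin_password" {
  type      = string
  sensitive = true # never a literal in the .tf file (compare the "Aa12345678" finding earlier in this review)
}

resource "azurerm_postgresql_server" "example" {
  name                = "psql-hardened-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  sku_name   = "GP_Gen5_2" # General Purpose tier: geo-redundant backup is not offered on Basic
  version    = "11"
  storage_mb = 5120

  administrator_login          = "psqladmin"
  administrator_login_password = var.psql_admin_password

  ssl_enforcement_enabled          = true     # APPSEC_AZURE_29: refuse non-TLS client connections
  ssl_minimal_tls_version_enforced = "TLS1_2" # APPSEC_AZURE_147: no TLS 1.0/1.1 handshakes
  public_network_access_enabled    = false    # APPSEC_AZURE_68: reachable only through a private endpoint
  geo_redundant_backup_enabled     = true     # APPSEC_AZURE_102
  backup_retention_days            = 20

  threat_detection_policy { # APPSEC_AZURE_128: Advanced Threat Protection alerts on anomalous logins and SQL injection
    enabled              = true
    email_account_admins = true
    retention_days       = 20
  }
}

# Server parameters are separate resources. The PR's finding is the value = "off" case;
# "on" rate-limits repeated failed logins from one IP instead of letting them exhaust connections.
resource "azurerm_postgresql_configuration" "throttling_config" {
  name                = "connection_throttling"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_postgresql_server.example.name
  value               = "on" # APPSEC_AZURE_32
}

resource "azurerm_postgresql_configuration" "log_checkpoints" {
  name                = "log_checkpoints"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_postgresql_server.example.name
  value               = "on" # APPSEC_AZURE_30
}
```

The two remaining MySQL findings on this page have no single-argument fix: the customer-managed key (APPSEC2_AZURE_16) is a separate `azurerm_mysql_server_key` resource pointing at a Key Vault key, and the private endpoint (APPSEC2_AZURE_44) is an `azurerm_private_endpoint` whose `private_service_connection` targets the server with subresource `mysqlServer`.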

Comment thread iac-files/azure-iac.tf
description = "Must be all lowercase letters or numbers"
}

resource "azurerm_managed_disk" "example" {
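
Review bot: Azure encrypts managed disks at rest with platform-managed keys regardless of what this block says, so the two findings on `azurerm_managed_disk.example` are about whether the configuration asserts it (`encryption_settings` for APPSEC_AZURE_2) and whether a customer-managed key is used (`disk_encryption_set_id` for APPSEC_AZURE_93). Decide explicitly: if the data classification needs CMK, add an `azurerm_disk_encryption_set` backed by a Key Vault key and reference it here; if not, record both findings as accepted rather than leaving them open.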


LOW  [IaC] Ensure Azure managed disk has encryption enabled
    Asset: /iac-files/azure-iac.tf:azurerm_managed_disk.example | Rule ID: APPSEC_AZURE_2

Description

Ensure Azure managed disk has encryption enabled

Comment thread iac-files/azure-iac.tf
description = "Must be all lowercase letters or numbers"
}

resource "azurerm_managed_disk" "example" {


LOW  [IaC] Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption
    Asset: /iac-files/azure-iac.tf:azurerm_managed_disk.example | Rule ID: APPSEC_AZURE_93

Description

Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_storage_account" "example" {
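
Review bot: the storage account findings (public access, TLS floor, shared-key auth, SAS expiry, queue logging) are all arguments on `azurerm_storage_account.example`: `allow_nested_items_to_be_public = false`, `min_tls_version = "TLS1_2"`, `shared_access_key_enabled = false`, a `sas_policy { expiration_period = ... }` block and a `queue_properties { logging { ... } }` block. Be aware that disabling shared-key authorization also breaks Terraform's own data-plane calls (including `queue_properties`) unless the provider is configured with `storage_use_azuread = true`, so that provider change needs to land in the same PR.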


LOW  [IaC] Ensure Storage logging is enabled for Queue service for read, write and delete requests
    Asset: /iac-files/azure-iac.tf:azurerm_storage_account.example | Rule ID: APPSEC_AZURE_33

Description

Ensure Storage logging is enabled for Queue service for read, write and delete requests

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_storage_account" "example" {


LOW  [IaC] Ensure that Storage accounts disallow public access
    Asset: /iac-files/azure-iac.tf:azurerm_storage_account.example | Rule ID: APPSEC_AZURE_59

Description

Ensure that Storage accounts disallow public access

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_storage_account" "example" {


HIGH  [IaC] Ensure that Storage blobs restrict public access
    Asset: /iac-files/azure-iac.tf:azurerm_storage_account.example | Rule ID: APPSEC_AZURE_190

Description

This policy identifies blob containers within an Azure storage account that allow anonymous/public access ('CONTAINER' or 'BLOB'). As a best practice, do not allow anonymous/public access to blob containers unless you have a very good reason. Instead, you should consider using a shared access signature token for providing controlled and time-limited access to blob containers. 'Public access level' allows you to grant anonymous/public read access to a container and the blobs within Azure blob storage. By doing so, you can grant read-only access to these resources without sharing your account key, and without requiring a shared access signature.

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_storage_account" "example" {


LOW  [IaC] Ensure Storage Account is using the latest version of TLS encryption
    Asset: /iac-files/azure-iac.tf:azurerm_storage_account.example | Rule ID: APPSEC_AZURE_44

Description

This policy identifies Azure Storage Accounts which are using an insecure TLS version. Azure Storage Accounts use Transport Layer Security (TLS) for communication with client applications. As a best security practice, use a newer TLS version as the minimum TLS version for the Azure Storage Account. Currently, Azure Storage Account supports TLS 1.2, which resolves the security gap from its preceding versions. https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_storage_account_network_rules" "test" {
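
Review bot: the 'Trusted Microsoft Services' finding on `azurerm_storage_account_network_rules.test` is the `bypass = ["AzureServices"]` argument, but it only has an effect when `default_action = "Deny"`; with the default `"Allow"` the rule set is a no-op and the account stays reachable from any network. Check that this resource sets `default_action = "Deny"` plus explicit `ip_rules` or `virtual_network_subnet_ids`, and do not also declare an inline `network_rules` block on the storage account, since the provider documents the two as conflicting.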


LOW  [IaC] Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
    Asset: /iac-files/azure-iac.tf:azurerm_storage_account_network_rules.test | Rule ID: APPSEC_AZURE_36

Description

This policy identifies Storage Accounts which have 'Trusted Microsoft Services' access not enabled. Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account. It is recommended to enable Trusted Microsoft Services on storage account instead of leveraging network rules.

Comment thread iac-files/azure-iac.tf
retention_days = 20
}

resource "azurerm_mysql_server" "example" {


LOW  [IaC] Ensure that MySQL server enables customer-managed key for encryption
    Asset: /iac-files/azure-iac.tf:azurerm_mysql_server.example | Rule ID: APPSEC2_AZURE_16

Description

Ensure that MySQL server enables customer-managed key for encryption

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_storage_account" "example" {


LOW  [IaC] Ensure storage account is not configured with Shared Key authorization
    Asset: /iac-files/azure-iac.tf:azurerm_storage_account.example | Rule ID: APPSEC2_AZURE_40

Description

This policy identifies Azure Storage accounts configured with Shared Key authorization. Azure Storage accounts authorized with Shared Key authorization via Shared Access Signature (SAS) tokens pose a security risk, as they allow sharing information with external unidentified identities. It is highly recommended to disable Shared Key authorization and Use Azure AD authorization as it provides superior security and ease of use over Shared Key. For more details: https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent

Comment thread iac-files/azure-iac.tf
retention_days = 20
}

resource "azurerm_mysql_server" "example" {

MEDIUM  [IaC] Ensure Azure MySQL server is configured with private endpoint
    Asset: /iac-files/azure-iac.tf:azurerm_mysql_server.example | Rule ID: APPSEC2_AZURE_44

Description

This policy identifies Azure MySQL database servers that are not configured with a private endpoint. Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configuring a private endpoint allows traffic only from known networks and prevents access from malicious or unknown IP addresses, including IP addresses within Azure. It is recommended to create a private endpoint for secure communication with your Azure MySQL database.

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_storage_account" "example" {

LOW  [IaC] Ensure storage account is configured with SAS expiration policy
    Asset: /iac-files/azure-iac.tf:azurerm_storage_account.example | Rule ID: APPSEC2_AZURE_41

Description

This policy identifies Azure Storage accounts not configured with a SAS expiration policy. A Shared Access Signature (SAS) expiration policy specifies a recommended interval over which the SAS is valid. SAS expiration policies apply to a service SAS or an account SAS. When a user generates a service SAS or an account SAS with a validity interval that is larger than the recommended interval, they'll see a warning. If Azure Storage logging with Azure Monitor is enabled, an entry is also written to the Azure Storage logs. It is recommended that you limit the interval for a SAS in case it is compromised. For more details: https://learn.microsoft.com/en-us/azure/storage/common/sas-expiration-policy

Comment thread iac-files/azure-iac.tf
end_ip_address = "10.0.17.62"
}

resource "azurerm_sql_server" "example" {

LOW  [IaC] Ensure that Azure Active Directory Admin is configured
    Asset: /iac-files/azure-iac.tf:azurerm_sql_server.example | Rule ID: APPSEC2_AZURE_7

Description

Ensure that Azure Active Directory Admin is configured

Comment thread iac-files/azure-iac.tf
end_ip_address = "10.0.17.62"
}

resource "azurerm_sql_server" "example" {

HIGH  [IaC] Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers
    Asset: /iac-files/azure-iac.tf:azurerm_sql_server.example | Rule ID: APPSEC_AZURE_24

Description

Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_postgresql_server" "example" {

MEDIUM  [IaC] Ensure Azure PostgreSQL server is configured with private endpoint
    Asset: /iac-files/azure-iac.tf:azurerm_postgresql_server.example | Rule ID: APPSEC2_AZURE_42

Description

This policy identifies Azure PostgreSQL database servers that are not configured with a private endpoint. Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configuring a private endpoint allows traffic only from known networks and prevents access from malicious or unknown IP addresses, including IP addresses within Azure. It is recommended to create a private endpoint for secure communication with your Azure PostgreSQL database.

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_storage_account" "example" {

LOW  [IaC] Ensure soft-delete is enabled on Azure storage account
    Asset: /iac-files/azure-iac.tf:azurerm_storage_account.example | Rule ID: APPSEC2_AZURE_38

Description

This policy identifies Azure Storage accounts which have soft delete disabled. Azure Storage contains important access logs, financial data, personal and other secret information; if it is accidentally deleted by a user or application, the result could be data loss or data unavailability. It is recommended to enable the soft delete setting in Azure Storage accounts.

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_storage_account" "example" {

MEDIUM  [IaC] Ensure storage account is configured with private endpoint
    Asset: /iac-files/azure-iac.tf:azurerm_storage_account.example | Rule ID: APPSEC2_AZURE_33

Description

This policy identifies Storage accounts that are not configured with a private endpoint connection. Azure Storage account private endpoints can be configured using Azure Private Link. Private Link allows users to access an Azure Storage account from within the virtual network or from any peered virtual network. When Private Link is combined with restrictive NSG policies, it helps reduce the risk of data exfiltration. It is recommended to configure a Private Endpoint Connection to the Storage account.

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_storage_account" "example" {

HIGH  [IaC] Ensure storage for critical data are encrypted with Customer Managed Key
    Asset: /iac-files/azure-iac.tf:azurerm_storage_account.example | Rule ID: APPSEC2_AZURE_1

Description

Ensure storage for critical data are encrypted with Customer Managed Key

Comment thread iac-files/azure-iac.tf
}
}

resource "azurerm_application_gateway" "network" {

LOW  [IaC] Ensure that Application Gateway enables WAF
    Asset: /iac-files/azure-iac.tf:azurerm_application_gateway.network | Rule ID: APPSEC_AZURE_120

Description

Ensure that Application Gateway enables WAF

Comment thread iac-files/azure-iac.tf
@@ -0,0 +1,362 @@
resource azurerm_kubernetes_cluster "k8s_cluster" {
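Review bot: the resource type label is unquoted here (`resource azurerm_kubernetes_cluster "k8s_cluster"`) while every other resource in this file quotes it (`resource "azurerm_sql_server" "example"`); run `terraform fmt` so the file is consistent. Separately, the APPSEC2_AZURE_29 finding attached to this line reports that no Azure CNI network plugin was found on the cluster: set `network_profile { network_plugin = "azure" }` on this resource so pods receive virtual-network IPs and network policies can be enforced, which is the fix the finding's description calls for.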

LOW  [IaC] Ensure AKS cluster has Azure CNI networking enabled
    Asset: /iac-files/azure-iac.tf:azurerm_kubernetes_cluster.k8s_cluster | Rule ID: APPSEC2_AZURE_29

Description

Azure CNI provides the following features over kubenet networking:

- Every pod in the cluster is assigned an IP address in the virtual network. The pods can directly communicate with other pods in the cluster, and other nodes in the virtual network.
- Pods in a subnet that have service endpoints enabled can securely connect to Azure services, such as Azure Storage and SQL DB.
- You can create user-defined routes (UDR) to route traffic from pods to a Network Virtual Appliance.
- Support for Network Policies securing communication between pods.

This policy checks your AKS cluster for the Azure CNI network plugin and generates an alert if not found.

Comment thread iac-files/azure-iac.tf
end_ip_address = "10.0.17.62"
}

resource "azurerm_sql_server" "example" {

LOW  [IaC] Ensure that 'Auditing' is set to 'On' for SQL servers
    Asset: /iac-files/azure-iac.tf:azurerm_sql_server.example | Rule ID: APPSEC_AZURE_23

Description

Ensure that 'Auditing' is set to 'On' for SQL servers
