Applications running in our clusters on the Google Cloud Platform are protected by Google's enterprise edge network security solution, Google Cloud Armor. The solution provides DDoS (Distributed Denial-of-Service) protection, WAF (Web Application Firewall) services, and more.
Cloud Armor builds upon preconfigured WAF rule sets to help mitigate the OWASP Top 10 web application security vulnerabilities. The rule sets are based on the OWASP ModSecurity Core Rule Set Version 3 to protect against some of the most common web application security risks, such as cross-site scripting (XSS), SQL injection, and more.
The security policies in Cloud Armor can also be configured with custom expressions, which allow matching against requests from a certain IP address or IP range, requests from a certain region, or headers that contain a specific value.
The platform has enabled a number of the available rule sets. Most of these rules are at sensitivity level 1, though we may adjust this as needed in the future.
Each ModSecurity rule has a paranoia level (referred to as a sensitivity level in Cloud Armor), which lets us choose how strict the rule checks should be.
A lower sensitivity level indicates a higher confidence signature, which is less likely to generate a false positive. Conversely, a higher sensitivity level increases security, along with the probability of generating false positives.
Most rules with sensitivity level 1 should generally not trigger false positives, though they may still occur depending on the request and applications that are involved.
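The example below is added here to show how the concepts above (preconfigured rule sets at sensitivity level 1, custom expressions on IP range, region and headers, and previewing a rule before enforcing it) look in a Cloud Armor security policy written in Terraform. It is not the platform's actual configuration; the policy name, IP range, region code, header name and opted-out rule ID are placeholders, and the project and backend service it would be attached to are omitted.

```hcl
# Added example, not the platform's real policy. Names and values are placeholders.
resource "google_compute_security_policy" "example" {
  name        = "example-waf-policy" # placeholder name
  description = "Preconfigured WAF rule sets at sensitivity 1 plus custom expressions"

  # Preconfigured OWASP CRS v3.3 rule set for SQL injection, evaluated at
  # sensitivity level 1 (paranoia level 1): highest-confidence signatures,
  # lowest false-positive rate. opt_out_rule_ids disables one signature once
  # it has been confirmed as a false positive for a given application.
  rule {
    action      = "deny(403)"
    priority    = 1000
    description = "Block SQL injection attempts (CRS sensitivity 1)"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1, 'opt_out_rule_ids': ['owasp-crs-v030301-id942110-sqli']})"
      }
    }
  }

  # Same for cross-site scripting.
  rule {
    action      = "deny(403)"
    priority    = 1001
    description = "Block cross-site scripting attempts (CRS sensitivity 1)"
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})"
      }
    }
  }

  # Custom expression: deny requests from a specific IP range (placeholder range).
  rule {
    action      = "deny(403)"
    priority    = 2000
    description = "Block a known-abusive IP range (placeholder)"
    match {
      expr {
        expression = "inIpRange(origin.ip, '198.51.100.0/24')"
      }
    }
  }

  # Custom expression: match on region code and a header value.
  # preview = true logs what the rule would have done without enforcing it,
  # which is how a new or stricter rule can be checked for false positives
  # before it starts blocking traffic.
  rule {
    action      = "deny(403)"
    priority    = 2001
    preview     = true
    description = "Preview only: region and header match (placeholders)"
    match {
      expr {
        expression = "origin.region_code == 'XX' && request.headers['x-example-header'].contains('placeholder')"
      }
    }
  }

  # Default rule: allow everything no higher-priority rule matched.
  rule {
    action      = "allow"
    priority    = 2147483647
    description = "Default allow"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}
```

Rules are evaluated in ascending priority order and the first match wins, so the narrow custom rules and the WAF rule sets sit above the catch-all default. Raising `'sensitivity'` from 1 to 2 or higher on a rule set is the knob that trades more false positives for broader coverage, and doing so in a rule with `preview = true` first lets the effect be observed in the logs before enforcement.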
Troubleshooting false positives
If you need additional information about which particular rules are triggered, or you suspect that some requests are erroneously blocked by something outside your application, check out the Cloud Armor Kibana dashboard or contact us on Slack.