Today is an exciting day for Imperva (and for me), as we are launching what I consider to be an extremely valuable offering, one that ties two distinct markets into an integrated solution. I am talking about putting together penetration testing (aka black-box testing) and web application firewalls. While this concept has been tossed around recently in a few places - Gartner is quoted in Dark Reading, and Rich Mogull wrote about it at Securosis.com - the actual integration and idea go beyond the run-of-the-mill "let's reuse results" approach of other integrations like this. Let me explain.
Imperva is allowing customers to make their own decisions about what to fix in their web applications and when, on their own schedule. While that part is not necessarily new, what is new is that Imperva is opening up the web application firewall as a platform, so that penetration testing tools from more than one vendor can integrate with it. And here is the really different part: Imperva is also allowing these partners to take data from the web application firewall and use it to improve the scanning process. This feedback loop allows scanners to narrow the scope of a scan to just what has changed in the application, to focus on the areas of the application that handle sensitive data (e.g. credit card information), and to gain additional insight into those parts of the application that are typically inaccessible to automated tools (e.g. those that write to the database, or that are reached only by completing a transaction).
This concept of improving the behavior of web application firewalls by taking content in and giving relevant information out is new, and it lends itself to other technologies, all aimed at improving the security of the infrastructure - did someone say Adaptive Security?
-- Rohit Gupta, VP Business Development, Imperva
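As an added illustration of the two-way loop described above (this is example code written for this page, not Imperva's or any partner's integration; the profile format, rule format, endpoint names and function names are all invented), here is a small model of both directions: the WAF hands the scanner a learned application profile so it can narrow and prioritize the next scan, and the scanner hands the WAF confirmed findings, which become virtual patches scoped to the exact path and parameter so they do not block legitimate traffic elsewhere.

```python
# Added example of the two-way WAF/scanner loop described in the post.
# It is not Imperva's or any partner's code: the profile format, rule
# format, endpoint names and function names are all invented for illustration.
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Endpoint:
    """One resource the WAF has learned from observed traffic (constructed)."""
    path: str
    last_changed: datetime        # last time the WAF saw a new parameter or shape
    handles_sensitive: bool       # WAF observed card-number-like values here
    needs_transaction: bool       # only reached after a multi-step flow
    reach_via: list               # ordered paths a real session used to get here


@dataclass
class Finding:
    """A scanner-confirmed issue (constructed)."""
    path: str
    param: str
    kind: str                     # "sqli" or "xss" in this example


# --- WAF -> scanner: narrow and prioritize the next scan ------------------
def narrow_scope(profile, last_scan):
    """Return only endpoints that changed since the last scan, most valuable
    first: sensitive-data handlers, then endpoints the scanner could not reach
    on its own (reach_via tells the scanner which session to replay)."""
    changed = [e for e in profile if e.last_changed > last_scan]
    changed.sort(key=lambda e: (not e.handles_sensitive,
                                not e.needs_transaction, e.path))
    return changed


# --- scanner -> WAF: turn findings into narrowly scoped virtual patches ---
PATTERNS = {
    "sqli": re.compile(r"['\";]|--|/\*|\b(or|and|union|select)\b", re.I),
    "xss":  re.compile(r"[<>]|javascript:|on\w+\s*=", re.I),
}


def virtual_patch_rules(findings):
    """One rule per finding, scoped to the exact path and parameter so the
    patch does not block legitimate traffic elsewhere."""
    return [{"path": f.path, "param": f.param, "kind": f.kind,
             "pattern": PATTERNS[f.kind]}
            for f in findings if f.kind in PATTERNS]


def waf_inspect(rules, request):
    """Return (decision, reason) for a request {"path": ..., "params": {...}}."""
    for r in rules:
        if r["path"] != request["path"]:
            continue
        value = request["params"].get(r["param"], "")
        if r["pattern"].search(value):
            return "block", f'{r["kind"]} virtual patch on {r["path"]}?{r["param"]}'
    return "allow", ""


# Constructed sample data: a learned profile, a prior scan time, scan findings.
PROFILE = [
    Endpoint("/search", datetime(2008, 3, 1), False, False, ["/search"]),
    Endpoint("/checkout/pay", datetime(2008, 4, 2), True, True,
             ["/cart/add", "/checkout/address", "/checkout/pay"]),
    Endpoint("/account/profile", datetime(2008, 4, 3), False, True,
             ["/login", "/account/profile"]),
    Endpoint("/help", datetime(2008, 4, 5), False, False, ["/help"]),
]
LAST_SCAN = datetime(2008, 4, 1)
FINDINGS = [Finding("/checkout/pay", "promo", "sqli"),
            Finding("/search", "q", "xss")]


def demo():
    """Run both directions once; returns (scan order, decision, decision)."""
    scope = [e.path for e in narrow_scope(PROFILE, LAST_SCAN)]
    rules = virtual_patch_rules(FINDINGS)
    blocked = waf_inspect(rules, {"path": "/checkout/pay",
                                  "params": {"promo": "' OR 1=1--"}})
    allowed = waf_inspect(rules, {"path": "/search",
                                  "params": {"q": "O'Reilly books"}})
    return scope, blocked[0], allowed[0]


if __name__ == "__main__":
    print(demo())
```

Two things to notice: /search is left out of the next scan because nothing about it changed, and the apostrophe in "O'Reilly books" is allowed on /search because the only virtual patch there is the XSS one; the same value would be blocked on /checkout/pay?promo, where the scanner confirmed SQL injection. Scoping patches this tightly is what keeps "fix on your own schedule" from turning into "break the site until you fix it".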
Good for you guys. This is the right idea. Now we can actually solve people's real problems.
The concept, however, isn't new. I've been talking to the WAF vendors about this since maybe 2005, and so has Dinis Cruz. None of them wanted to listen back then, but I used Imperva anyway. :)
The bi-directional dialog is the black-box holy grail. We want to achieve a parity mapping between what you see flow through a notion of a session, and what a scanner sees flow *around* that session (e.g. externally cached content, third-party nodes and content fetched by the browser, etc.).
That parity mapping can be powerful, and IF combined with attack heuristics would finally allow someone to have an intelligent priority-based decision-making platform for web app vuln mitigation.
Out of all the WAFs -- I always thought you guys were best poised to be an NBAD.
With this approach, if you combine attack metrics and flow measurement, and also a black-box notion of grossly exposed attack surface and risk (customer asset valuation), we can combine the two, and now you have both an NBAD and a smart, highly reactive mitigation platform.
I can't wait to see you guys move forward with this. "Find and Fix" is our motto at WhiteHat. So far we've been the only ones helping people do this in a turnkey fashion... so welcome aboard.