Rohit's enthusiastic post regarding scanner integration did not include too many details on the approach chosen by Imperva to integrate scanners within the SecureSphere Web Application Firewall. Let me shed some more light on what we've been doing in the past few months.
To begin with, we did not fancy the paradigm of serving as a copy-paste gateway between a scanner (or a scanner service) and a WAF, nor did we want to miraculously turn random scanner output into WAF rules. Rather, we were interested in integrating the scanner as part of the WAF vulnerability management cycle. The idea is to load the vulnerability information into the Web Application Firewall and have the user manage the vulnerability up to the mitigation stage. Accordingly, we did not want to incorporate a single scanner, but rather to build a framework based on our OpenSphere initiative to accommodate various scanners and scanning services. This would require gathering vulnerability information from different sources, in particular from different Web Application scanners and from Web Application security services.
We faced quite a few challenges when designing this capability...
- The first was to translate vulnerability reports (file, database, etc.) of different scanners from their native format to a single uniform language. We were fortunate enough to have some of our partners help us in this effort.
- The next challenge was creating a platform to support a constant update mechanism for new vulnerabilities being discovered by the different sources (namely, the scanners). This is where the "ADC Update", an integral feature of SecureSphere, came in handy as we were able to actually leverage this existing platform.
- In order to provide the tools for vulnerability management, we combined the information gathered from the external sources with SecureSphere's powerful and flexible built-in reporting engine. This allows the creation of reports at different levels of granularity for the discovered vulnerabilities.
- Finally, we have provided an easy integration path to create security policies that would mitigate the vulnerabilities, keeping track of which vulnerabilities are being mitigated by which rules.
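To make the first and last challenges above concrete, here is an added example (my own illustration, not SecureSphere or OpenSphere code) that takes two constructed scanner report formats, normalizes both into one uniform finding schema, merges duplicate findings reported by more than one scanner, and then records which policy mitigates which finding so the report can show what is covered and what still needs attention. The scanner formats, the type and severity mappings, and the `POLICY_TEMPLATES` set are all hypothetical.

```python
"""Added example (not Imperva/SecureSphere code): normalize findings from two
constructed scanner report formats into one schema, merge them, and track
which WAF policy mitigates which finding."""
import csv
import io
import json
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Finding:
    """Uniform representation of one vulnerability, whatever scanner found it."""
    vuln_type: str            # normalized class: "sqli", "xss", ...
    url: str                  # affected URL path
    parameter: str            # affected parameter, "" if none
    severity: str             # normalized: "high" / "medium" / "low"
    sources: tuple[str, ...]  # scanners that reported it

    @property
    def key(self) -> tuple[str, str, str]:
        return (self.vuln_type, self.url, self.parameter)


# Constructed sample: "scanner A" emits JSON with its own issue names and a numeric risk.
SCANNER_A_JSON = json.dumps({"issues": [
    {"name": "SQL Injection", "uri": "/login.php", "param": "user", "risk": 3},
    {"name": "Cross-site Scripting", "uri": "/search", "param": "q", "risk": 2},
]})
# Constructed sample: "scanner B" emits CSV with different columns and severity words.
SCANNER_B_CSV = """type,path,parameter,severity
sqli,/login.php,user,Critical
dirlisting,/backup/,,Low
"""
# Vendor vocabulary -> uniform vocabulary (hypothetical mapping table).
TYPE_MAP = {"sql injection": "sqli", "sqli": "sqli", "cross-site scripting": "xss",
            "xss": "xss", "dirlisting": "directory_listing"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}
# Vulnerability classes for which a blocking policy template exists (hypothetical).
POLICY_TEMPLATES = {"sqli", "xss"}


def normalize_type(raw: str) -> str:
    return TYPE_MAP.get(raw.strip().lower(), "unknown")


def parse_scanner_a(text: str) -> list[Finding]:
    """JSON format: risk 3 or more is high, 2 is medium, anything else is low."""
    out = []
    for issue in json.loads(text)["issues"]:
        risk = int(issue["risk"])
        sev = "high" if risk >= 3 else "medium" if risk == 2 else "low"
        out.append(Finding(normalize_type(issue["name"]), issue["uri"],
                           issue.get("param", ""), sev, ("scanner_a",)))
    return out


def parse_scanner_b(text: str) -> list[Finding]:
    """CSV format: Critical/High -> high, Medium -> medium, anything else -> low."""
    word_map = {"critical": "high", "high": "high", "medium": "medium"}
    return [Finding(normalize_type(row["type"]), row["path"], row["parameter"],
                    word_map.get(row["severity"].lower(), "low"), ("scanner_b",))
            for row in csv.DictReader(io.StringIO(text))]


def merge(*sources: list[Finding]) -> list[Finding]:
    """Collapse the same finding reported by several scanners into one entry,
    keeping the highest severity and recording every reporting scanner."""
    merged: dict[tuple, Finding] = {}
    for f in (f for src in sources for f in src):
        prev = merged.get(f.key)
        if prev is None:
            merged[f.key] = f
        else:
            sev = max(prev.severity, f.severity, key=SEVERITY_RANK.__getitem__)
            merged[f.key] = replace(prev, severity=sev, sources=prev.sources + f.sources)
    return list(merged.values())


@dataclass
class Policy:
    """A WAF rule together with the findings it is meant to mitigate."""
    name: str
    vuln_type: str
    url: str
    mitigates: list[Finding] = field(default_factory=list)


def build_policies(findings: list[Finding]) -> list[Policy]:
    """One policy per (vuln_type, url) for classes that have a template; the
    finding -> policy link is what lets the report say which rule covers what."""
    by_key: dict[tuple, Policy] = {}
    for f in findings:
        if f.vuln_type not in POLICY_TEMPLATES:
            continue  # no template: stays visible as unmitigated in the report
        pol = by_key.setdefault((f.vuln_type, f.url),
                                Policy(f"block-{f.vuln_type}:{f.url}", f.vuln_type, f.url))
        pol.mitigates.append(f)
    return list(by_key.values())


def mitigation_report(findings: list[Finding], policies: list[Policy]) -> dict:
    """Counts by severity, which finding is covered by which policy, and which
    findings still need manual attention."""
    covered = {f.key: p.name for p in policies for f in p.mitigates}
    by_sev = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        by_sev[f.severity] += 1
    return {"by_severity": by_sev,
            "mitigated": [(f.key, covered[f.key]) for f in findings if f.key in covered],
            "unmitigated": [f.key for f in findings if f.key not in covered]}


if __name__ == "__main__":
    found = merge(parse_scanner_a(SCANNER_A_JSON), parse_scanner_b(SCANNER_B_CSV))
    print(json.dumps(mitigation_report(found, build_policies(found)), indent=2))
```

The point of the `sources` tuple and the finding-to-policy link is traceability: when a scanner's next update reports the same issue again, the merged entry still shows which scanners saw it and which rule already covers it, while a class with no policy template (the directory listing in the sample) stays on the unmitigated list instead of silently disappearing.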
You can guess by the tone that I'm also excited about this new addition to the SecureSphere set of capabilities as it extends our support for the enterprise security life cycle even further.