October 3, 2008

Demonstrating Value w/ Web Vulnerability Management

We just came back from a partner event in Germany where a partner did a live demo of SecureSphere integrated with a web vulnerability scanner. 

[Screenshot: web vulnerability management]

It looks like a growing number of Imperva partners are using SecureSphere integration with web vulnerability scanners to demonstrate not just the value of the SecureSphere WAF, but also to provide a complete Web Vulnerability Management solution. It's easy, simple and works just great. 

During the demo, they scan the web site without SecureSphere protection. Then they integrate the results into the policy manager and scan again. Very simple and straightforward process.

The current shipping version of SecureSphere provides out-of-the-box integration with the latest releases of IBM AppScan (7.x) and HP WebInspect (7.7) and can be easily extended to other scanners. After a scanner has completed its task, scan results are received and SecureSphere automatically creates user-editable security policies that mitigate the detected vulnerabilities. The mitigated vulnerabilities are saved in a database and the user can generate various reports about them.

Web Vulnerability Management integration is achieved as follows: the consumed scanner results can be imported into SecureSphere either locally, wherein the results are saved as a file on the local machine, or remotely, via HTTP, from a pre-defined location. The former option is useful when scanning is ad-hoc or an internal process, while the latter is useful when the scanner is provided as a remote service.

One can employ different strategies to mitigate Web application vulnerabilities: the user can mitigate only the new vulnerabilities identified in the last scan, all the unhandled vulnerabilities identified in all previous scans, or all the vulnerabilities identified in all previous scans, whether these were already handled or not. SecureSphere also allows you to apply the policies manually or automatically and provides the option to exclude specific vulnerabilities from mitigation.

Depending upon the selected strategy, SecureSphere will create policies under the "Web Service Custom" branch of the Web -> Service Level policies.
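To make the three strategies concrete, here is an added model of the scan-import-and-mitigate workflow. It is example code written for this post, not SecureSphere's or any scanner's own code, and it assumes a constructed, simplified XML report format rather than the real AppScan or WebInspect schema; the policy records it emits are likewise illustrative.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed, simplified scanner reports (not the real AppScan/WebInspect schema).
SCAN_1 = """<scan><issue url="/login" param="user" type="SQL Injection"/>
<issue url="/search" param="q" type="Cross-Site Scripting"/></scan>"""
SCAN_2 = """<scan><issue url="/login" param="user" type="SQL Injection"/>
<issue url="/profile" param="id" type="SQL Injection"/></scan>"""


@dataclass(frozen=True)
class Finding:
    url: str
    param: str
    vuln_type: str


def parse_report(xml_text):
    """Extract the findings from the constructed report format."""
    return {Finding(i.get("url"), i.get("param"), i.get("type"))
            for i in ET.fromstring(xml_text).iter("issue")}


@dataclass
class VulnManager:
    """Tracks findings across scans and turns the chosen subset into policies."""
    previous: set = field(default_factory=set)   # findings seen before the last scan
    last_scan: set = field(default_factory=set)  # findings from the last scan
    handled: set = field(default_factory=set)    # findings that already got a policy

    def ingest(self, findings):
        """Record a new scan; the old 'last scan' joins the history."""
        self.previous |= self.last_scan
        self.last_scan = set(findings)

    def select(self, strategy, exclude=frozenset()):
        """Pick the findings to mitigate according to the post's three strategies."""
        if strategy == "new":            # first seen in the last scan
            chosen = self.last_scan - self.previous
        elif strategy == "unhandled":    # seen in any scan, no policy yet
            chosen = (self.previous | self.last_scan) - self.handled
        elif strategy == "all":          # every finding ever seen, handled or not
            chosen = self.previous | self.last_scan
        else:
            raise ValueError(f"unknown strategy: {strategy}")
        return chosen - exclude          # user-excluded findings are never mitigated

    def mitigate(self, strategy, exclude=frozenset()):
        """Create one blocking policy per selected finding and mark it handled."""
        policies = {}
        for f in sorted(self.select(strategy, exclude), key=str):
            policies[f"block {f.vuln_type} in {f.param} at {f.url}"] = {
                "url": f.url, "param": f.param, "action": "block"}
            self.handled.add(f)
        return policies
```

Running `SCAN_1` then `SCAN_2` through the manager shows why the strategy matters: after the first scan is mitigated, "new" and "unhandled" both pick only the `/profile` finding, while "all" re-creates policies for all three.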

2 Comments

It's interesting to note that neither SCUBA nor any other of Imperva's scanners do this. If it's indeed as easy as you claim it to be, why do I have to shell money for additional products to do that?
(in particular when I already have to enter server details, users and passwords for some assessment features...)

Hi,

SecureSphere Web Application Firewall Enterprise Edition (http://www.imperva.com/products/waf.html) builds >= 6302 provides integration with Web Vulnerability scanners as described in this blog post (this build also provides the screen shots used).

Scuba by Imperva (http://www.imperva.com/products/scuba.html) is a free database scanning solution which does not target Web vulnerabilities. At this time we do not plan to add Web vulnerability management capabilities to Scuba, though I heard about customized integrations in which Scuba users integrated Scuba reports with other free tools.
