In a recent Dark Reading article titled Integrating WAFs and Vulnerability Scanners, multiple views were shared on this topic; we didn't get a chance to chime in, so we're chiming in now.
In August of 2009, Neil MacDonald from Gartner published a blog entry titled "Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application Firewalls". It is an interesting entry that brings together a concept Imperva is a huge proponent of: WAF and VA integration to mitigate risks effectively and efficiently.
Bottom line: Web application vulnerabilities abound. Organizations may or may not be aware of their vulnerabilities, but their reaction is too often to do nothing, at least for long periods of time. This is often because of several "good" reasons:
- It involves custom code, and they need to find, bring back or hire the developer who wrote it to fix it
- It involves commercial code, but the vendor hasn't released a patch yet
- A patch exists, but it has to be fully tested before being moved into production, it breaks other features, etc.
- The organization is ready to do the fix, but it has to be scheduled, it can't be done during a peak season, they would rather accept the security risk than negatively impact business operations, etc.
This last point is really key. Risk is risk, regardless of whether it is a security vulnerability or a general business risk such as operating on-line, expanding internationally, bringing on new partners and the like. This type of risk is managed every day by business professionals. Security issues aren't singularities; they are part of this broader risk. Talk to any fraud professional: they opt to let fraudulent transactions go through rather than block legitimate activity. However, it doesn't need to be that binary: enter WAF + VA.
By bringing these solutions together, vulnerabilities can be discovered and virtual patches applied at the WAF, giving the organization more time to address the bullet points above. Actual patching should always be done, but in the real world it can't always be done in the desired time frame.
The virtual patches on the WAF can then be reviewed by the VA solution to ensure the system is indeed virtually patched. Best of all, this can all be done in an automated workflow where assessment, patching, re-assessment confirmation, reporting and the like all happen automatically; the operators simply need to review the updates and choose to accept or reject the changes, i.e. a couple of mouse clicks. Some organizations may even choose to run this as a 100% automated solution with no human intervention; this really depends on the risk tolerance of the organization.
For this to work effectively, the output of the VA must be highly accurate and dependable. It must then be formatted in a way that allows the WAF to convert the VA results into policies, i.e. rules that can be used to alert on, block, etc. events related to said vulnerability. Further, the integration between the WAF and the VA solution must be such that the operator knows exactly what is being virtually patched and how, and can enable or disable it as needed. All that to say this: integration of WAF and VA isn't as basic as simply sending alerts and log files around; it's bidirectional and finely tuned.
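As an added sketch of the workflow just described (this is not Imperva's, WhiteHat's or any vendor's code, and the finding format, validation patterns and operator decisions are all constructed for illustration), the following Python shows both directions of the integration: VA findings are translated into candidate WAF rules that an operator accepts or rejects, only accepted rules are enforced, and the re-assessment feeds back which accepted rules still left a finding open.

```python
import json
import re
from dataclasses import dataclass
# Constructed VA output (not any real scanner's format): URL, parameter and vulnerability class per finding.
VA_RESULTS = json.loads("""[
  {"id": "F-1", "url": "/account", "param": "id", "class": "sqli", "severity": "high"},
  {"id": "F-2", "url": "/search",  "param": "q",  "class": "xss",  "severity": "medium"}
]""")

# Hypothetical positive-validation patterns: the virtual patch admits only legitimately shaped values.
ALLOWED_VALUE = {"sqli": r"[0-9]{1,10}", "xss": r"[\w .,-]{0,100}"}

@dataclass
class VirtualPatch:
    finding_id: str
    url: str
    param: str
    pattern: str
    action: str = "alert"    # what the WAF does on a non-matching value
    status: str = "pending"  # pending -> accepted / rejected by the operator

def build_patches(findings):
    """VA -> WAF direction: one candidate rule per finding, blocking only for high severity."""
    return [VirtualPatch(f["id"], f["url"], f["param"], ALLOWED_VALUE[f["class"]],
                         action="block" if f["severity"] == "high" else "alert")
            for f in findings]

def review(patches, decisions):
    """Operator step: accept or reject each candidate rule, keyed by finding id."""
    for p in patches:
        p.status = decisions.get(p.finding_id, "pending")
    return patches

def evaluate(patches, url, params):
    """WAF enforcement: only accepted patches apply; returns allow, alert or block."""
    for p in patches:
        if p.status == "accepted" and p.url == url and p.param in params:
            if not re.fullmatch(p.pattern, params[p.param]):
                return p.action
    return "allow"

def reconcile(patches, rescan_open_ids):
    """WAF -> VA direction: accepted patches whose finding the re-scan still reports as open."""
    return [p.finding_id for p in patches
            if p.status == "accepted" and p.finding_id in rescan_open_ids]

def sample_review():
    """Constructed operator decisions for the two sample findings."""
    return review(build_patches(VA_RESULTS), {"F-1": "accepted", "F-2": "rejected"})
```

A rejected rule is kept but never enforced, so the operator retains the audit trail of what the VA proposed.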
You can view a webcast from SuccessFactors (an Imperva and Whitehat Security customer) illustrating the value of bringing these solutions together to address real-life security issues in a production environment.
If you would like to hear more about WAF+VA, we also have a podcast on that subject with Jeremiah Grossman, Founder and CTO of Whitehat Security, and a video on YouTube from when Jeremiah and I were talking at RSA 2009 in San Francisco.
