Integrating WAFs And Vulnerability Scanners
Sharing vulnerability scanning data with a WAF could expedite shielding Web apps from newly discovered flaws, but it also opens the door for false positives
October 15, 2009
An industry effort to integrate Web application firewalls (WAFs) with vulnerability scanning tools never got off the ground when it was first launched five years ago, but today the idea of blending the two tools is generating interest -- and debate -- once again. More mature vulnerability scanners that are less false-positive prone and more advanced WAFs, along with PCI compliance pressures and increasing Web threats, have prompted some security experts and enterprises to consider how the tools could better share information about -- and mitigate -- attacks and risks to their Web applications.
"We're starting to see vendors talking about levels of integration," says Neil MacDonald, vice president and Gartner fellow.
Art of Defence, Breach Security, and WhiteHat Security, for example, are among the security vendors offering some early form of WAF-application scanning integration. Art of Defence allows users to plug vulnerability scan data into its Hyperguard WAF and automatically generate new rule sets, while WhiteHat uses a mix of vulnerability scanning, WAF tools, and manpower with its vulnerability management service offerings.
Blending vulnerability scanning and WAFs works well for service providers like WhiteHat Security, according to MacDonald, because they employ both tools and people to handle vulnerability assessments and fixes. "The reason this model is working well for some customers is because WhiteHat uses humans and automation to find vulnerabilities," MacDonald says. "By the time the vulnerabilities are determined, they are highly specific and less prone to false positives because they have the human element on the back-end of the testing services.
"That's why WhiteHat is pioneering [this]. It's not an application scanning tool, but a service using a combination of tools and humans to create very specific vulnerability information."
WAFs traditionally have been used for identifying and blocking attacks and alerting the appropriate IT staff, while vulnerability scanners are used to find vulnerabilities and flaws in the Web apps. "They are mainly looking for two different things," says Ryan Barnett, director of application research at Breach Security, which integrates its WAF with WhiteHat's vulnerability management services. "There is a little overlap...[Breach's WAF] looks at application integrity or defects and misconfigurations," he says.
The main advantage of importing vulnerability scan data into a WAF is it gives the organization more information and insight about when and where to block Web traffic, he says.
But not everyone is sold on integrating WAFs and vulnerability scanners -- especially if it means automating their interactions. "Combining them doesn't help you identify more problems or reduce false positives. It just provides you with the ammo to get from the, 'I identified a problem' stage to the, 'I am no longer vulnerable' stage," says Arshan Dabirsiaghi, director of research for Aspect Security and developer of the ESAPI WAF, a new open-source Web application firewall. "Making this process automatic would be quite dangerous since tools unfortunately find lots of vulnerabilities where there are none, and this would mean a ton of 'patches' to nonexistent vulnerabilities, which would then create some seriously unpredictable behavior."
Georg Hess, founder and CEO of Art of Defence, says his customers are asking for the two tools to be integrated. The company's Hyperguard WAF lets users plug vulnerability scanner findings into it to automatically create new rule sets and defenses. Hyperguard is also integrated with Virtual Forge's SAP vulnerability scanner.
"The decision to not build scanning right into Hyperguard was on purpose. We didn't want to force customers into a vendor-lock situation by integrating vulnerability scanning into our dWAF. We've found that most customers have their own scanners, and they are comfortable with them and would rather not change," he says. "We do have a scanner module as an optional solution if a customer needs one, but most already have one in place and would prefer not to change."
With the OASIS effort to establish a standard for WAFs and application vulnerability scanners to share data long defunct, it likely will come down to each of the vendors sharing APIs. Another hurdle to getting WAFs and scanners to work together is the fact that the two tools are typically purchased and run by different groups within an enterprise. "Vulnerability scanners are usually with the infosec team, and WAFs with the operations/network security team," Breach's Barnett says.
Breach's WebDefend has a feature called Change Detection that's a precursor to this type of cooperation. When a Web application gets a new feature, such as a Feedback page, for instance, the team doing vulnerability scanning may not know. "We can flag that and do a policy that emails the infosec team to know an app changed if they want to kick off a scan," he says. "This would be more targeted...the idea of sharing between the tools makes things more efficient."
And integrating vulnerability scanning data with a WAF would narrow the window between finding a vulnerability and creating a so-called virtual patch for the application, or a "shield," experts say.
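As an added illustration, not code from any of the vendors named in this story, here is a minimal Python model of that scanner-to-WAF hand-off: each finding becomes a parameter-scoped virtual-patch rule, and only human-confirmed findings are allowed to block, so the scanner false positives Dabirsiaghi warns about degrade to a log entry rather than a broken application. The finding format, rule format and match patterns are assumptions of this example.

```python
import re

# Constructed sample findings in a scanner-export-like shape (assumption: the page
# does not describe the real Hyperguard or WebDefend import formats).
# "confirmed" marks findings a human has verified, as in the WhiteHat model.
SCANNER_FINDINGS = [
    {"id": "F-1", "type": "sqli", "path": "/feedback", "param": "comment", "confirmed": True},
    {"id": "F-2", "type": "xss", "path": "/search", "param": "q", "confirmed": False},
    {"id": "F-3", "type": "xss", "path": "/search", "param": "q", "confirmed": False},  # duplicate hit
]

# Deliberately narrow patterns: a virtual patch covers the one input the scanner
# flagged, not the whole application.
PATTERNS = {
    "sqli": re.compile(r"('|--|;|\bunion\b|\bselect\b)", re.I),
    "xss": re.compile(r"(<|>|javascript:)", re.I),
}


def virtual_patch(finding):
    """Turn one finding into a WAF rule. Unconfirmed tool output yields a log-only
    rule so a false positive cannot break the app; verified findings block."""
    return {
        "path": finding["path"],
        "param": finding["param"],
        "pattern": PATTERNS[finding["type"]],
        "action": "block" if finding["confirmed"] else "log",
        "source": finding["id"],
    }


def build_ruleset(findings):
    """Deduplicate on (path, param, type) so repeated scanner hits do not pile up
    redundant rules; a confirmed finding replaces an unconfirmed one."""
    seen = {}
    for f in findings:
        key = (f["path"], f["param"], f["type"])
        if key not in seen or f["confirmed"]:
            seen[key] = f
    return [virtual_patch(f) for f in seen.values()]


def evaluate(ruleset, request):
    """Simulate the WAF decision for one request ({'path': ..., 'params': {...}}).
    Returns 'block', 'log' or 'pass'; any blocking rule wins over log-only ones."""
    decision = "pass"
    for rule in ruleset:
        if rule["path"] != request["path"] or rule["param"] not in request["params"]:
            continue
        if rule["pattern"].search(request["params"][rule["param"]]):
            if rule["action"] == "block":
                return "block"
            decision = "log"
    return decision
```

Promoting a log-only rule to blocking is then a deliberate step taken after someone has looked at the scanner's evidence, which is the "human element" the story credits for keeping false positives down.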
Gartner's MacDonald says his clients are asking about integration when they evaluate WAFs and vulnerability scanners. But it's not something widely available at this point that they can buy, he says.