This allows you to import results from a variety of static and dynamic scanning tools and auto-generate IDS/IPS/WAF rules. You can also upload logs from the IDS/IPS/WAFs and it will parse out the events associated with the generated rules so you can see which vulnerabilities are under attack.

Blog post on the initial release with more info is here:
http://blog.denimgroup.com/denim_group/2010/01/technology-preview-release-of-vulnerability-manager-now-available.html

–Dan
@danielcornell

GamaSec identifies application vulnerabilities ( e.g. Cross Site Scripting (XSS), SQL injection, Code Inclusion etc.. ) as well as site exposure risk, ranks threat priority, produces highly graphical, intuitive HTML reports, and indicates site security posture by vulnerabilities and threat exposure.

We were very satisfy with the report and the technical part of the report providing clear recommendation to closed the finding vulnerabilities also the price of the annual servie and the on demand scan schedular was a good add value to the service of http://www.gamasec.com

Foundational security using black, white and grey listings for application requests and responses must be possible. To make sure pre-set policy enforcements are not activated or deactivated without approval from an administrator, deployment and policy refinement through establishing rulesets must be possible in a shadow monitoring or detection only mode. Once the shadow monitoring ruleset is stable, only then should it be allowed to deploy in an enforcement mode on the WAF. This allows complete transparency for the administrator into the real-world effect of this ruleset, while at the same time allowing layered rulesets to be tested without compromising existing policy enforcement. Avoiding false positives and relaxed established defenses are essential for a real-world, usable WAF in a cloud.

More here:
http://tinyurl.com/koraum

http://infosecplace.com/blog/2009/09/03/an-information-security-place-podcast-episode-24/

http://jeremiahgrossman.blogspot.com/2008/06/ultimate-scanner-accuracy-test.html

I’m with Nate that unverified scanner results fed into a WAF is doomed to fail, that is why we verify findings first. This also gives us the ability to identify/block more than just the basic-scanner-found-stuff. We’re actively R&Ding with the WAF guys on how to block more and more vulnerability classes using the intelligence provided by VA. Im confident many types of business logic flaws can be tackled. Not asking you to believe, we aim to prove.

Also remember, the industry is just as Phase 1 of VA+WAF. Soon WAFs will be able to tell scanners specifically what to test and when, since they can see the traffic and app changes.

I think WAFs have a long way to go before they are worthy of being employed in production environments… I’ve just found too many attacks that get around them, and too many attacks against them. Considering the additional performance hit that you face by bottlenecking traffic for all of your apps through one device, I can’t envision anything but a very few scenarios in which using a WAF is sane.

That all said, I don’t see linking them up with scanning tools as a realistic fix to their problems, even if logically they seem to be puzzle pieces that match up.

-Nate

You raise a good point. If a DAST tool found a vulnerability (scanning without a WAF in place), I’d try to exploit it first with the WAF in place. The WAF may shield the vulnerability from attack in its existing configuration.

If it didn’t provide protection, then the DAST-to-WAF linkage could be used to generate the specific rule. Then, I’d test again.

Your concern is that we will protect false positives, thus creating problems for legitimate functionality. This is certainly a problem with WAFs, however, I fail to see how your solution truly helps, and, perhaps the bigger issue that you are missing is that the scanning tool may not catch all of the vulnerabilities, and by not applying protections given what the scanning tool finds, you’re could be neutering the WAF.

Again, I should point out, I don’t believe WAFs to be a great solution except in very, very specific cases, but further, I don’t believe having a scanning tool neuter its capabilities further is a good idea either.

Simply put, I think people will have to come to the conclusion that you can’t “automagically” secure anything, no matter what tools you are using.

-Nate