Application Security Manager (ASM) integrates with services, such as IBM Rational AppScan,
Cenzic Hailstorm, QualysGuard, HP WebInspect, and WhiteHat Sentinel, that perform vulnerability
assessments of web applications. ASM also integrates with other vulnerability assessment tools by
means of a generic scanner. Vulnerability assessment services identify, classify, and report
potential security holes or weaknesses in the code of your web site.
You can use the vulnerability assessment deployment scenario to create a baseline
security policy that is integrated with a vulnerability assessment tool. By using vulnerability
assessment tool output, the system suggests updates to the security policy that can protect
against the vulnerabilities that the tool found. You can choose which of the vulnerabilities you
want the security policy to handle, retest to be sure that the security policy protects against
the vulnerabilities, then enforce the security policy when you are ready.
If you have an existing security policy that was created using a different deployment scenario,
you can also incorporate use of a vulnerability assessment tool with that policy.
Task summary
About using Policy Builder with scanner policies
When you develop a security policy using a third-party vulnerability assessment tool or scanner
output, you have the option of enabling automatic policy building. If you enable automatic policy
building, the system turns on the Real Traffic Policy Builder. The system
then automatically builds the policy based on what it learns from your web application traffic,
and uses logic to prevent false positives. You also use external scanning tools (WhiteHat
Sentinel, QualysGuard, IBM AppScan, Cenzic Hailstorm, and others) to suggest how to build your
policy to protect against vulnerabilities. You can then import the vulnerabilities detected by
the scanner, then choose whether or not to update the security policy for each problem found.
Because the Policy Builder adjusts the policy to fit the traffic it observes, its decisions can in
some cases conflict with, and override, the scanner results. Here are some examples:
- The Policy Builder might remove a URL that the scanner added to the list of CSRF-protected
URLs.
- The Policy Builder might allow file upload of executable files on a parameter after the
scanner disallowed it.
- The Policy Builder might add an allowed method after the scanner disallowed it.
- The Policy Builder might disable attack signatures on parameters, cookies, and at the policy
level after the scanner enabled them.
If you do not enable the Policy Builder when creating the security policy, you can turn it on
after you have imported the vulnerabilities. The Real Traffic Policy Builder can be enabled (or
disabled) on the Policy Building Settings screen. After the Policy Builder has run, re-check the
Vulnerabilities screen (and retest, where your scanner supports it) to confirm that the
scanner-driven protections are still in place.
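The following Python is an added example, not F5 code, of the kind of check the previous list calls for: it compares a simplified stand-in for a policy as it stood after the scanner-driven changes with the same policy after the Real Traffic Policy Builder has run, and reports the four override types listed above. The `PolicyView` structure and the sample values are constructed for illustration; a real exported ASM policy is far richer, so this shows the shape of the audit rather than a drop-in tool.

```python
from dataclasses import dataclass, field


@dataclass
class PolicyView:
    """Constructed, simplified view of the policy entities the text mentions.
    Not the ASM policy format; an illustration only."""
    csrf_urls: set = field(default_factory=set)        # URLs on the CSRF-protected list
    allowed_methods: set = field(default_factory=set)  # HTTP methods the policy allows
    exec_upload: dict = field(default_factory=dict)    # parameter name -> executable upload allowed?
    signatures: dict = field(default_factory=dict)     # "policy", "param:<n>", "cookie:<n>" -> enabled?


def find_overrides(scanner_view, builder_view):
    """Return (kind, entity) pairs where the builder loosened something the
    scanner-driven resolution had tightened. Order is deterministic."""
    findings = []
    # 1. CSRF-protected URL the scanner added, now gone.
    for url in sorted(scanner_view.csrf_urls - builder_view.csrf_urls):
        findings.append(("csrf_url_removed", url))
    # 2. Allowed method added after the scanner disallowed it.
    for method in sorted(builder_view.allowed_methods - scanner_view.allowed_methods):
        findings.append(("method_added", method))
    # 3. Executable file upload permitted on a parameter the scanner locked down.
    for name, allowed in sorted(scanner_view.exec_upload.items()):
        if not allowed and builder_view.exec_upload.get(name, False):
            findings.append(("exec_upload_allowed", name))
    # 4. Attack signatures disabled on an entity where the scanner enabled them.
    #    An entity missing from the builder view is treated as unchanged, not disabled.
    for entity, enabled in sorted(scanner_view.signatures.items()):
        if enabled and builder_view.signatures.get(entity, True) is False:
            findings.append(("signatures_disabled", entity))
    return findings


# Constructed sample: state after scanner-driven resolution ...
SCANNER_VIEW = PolicyView(
    csrf_urls={"/account/transfer", "/profile/update"},
    allowed_methods={"GET", "POST"},
    exec_upload={"attachment": False, "avatar": False},
    signatures={"policy": True, "param:q": True, "cookie:session": True},
)
# ... and after the Policy Builder has learned from traffic.
BUILDER_VIEW = PolicyView(
    csrf_urls={"/account/transfer"},
    allowed_methods={"GET", "POST", "PUT"},
    exec_upload={"attachment": True, "avatar": False},
    signatures={"policy": True, "param:q": False, "cookie:session": True},
)


def audit_sample():
    return find_overrides(SCANNER_VIEW, BUILDER_VIEW)


if __name__ == "__main__":
    for kind, entity in audit_sample():
        print(f"{kind}: {entity}")
```

Run it against the two views you care about (for example, a snapshot taken right after clicking Resolve and one taken after the Policy Builder has been active for a while); every finding is a place to re-check the Vulnerabilities screen or retest before moving to Blocking.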
Creating a security policy using vulnerability assessment tool output
In order to integrate vulnerability assessment tool output with Application Security Manager
(ASM), you need recent scanner output for the web application you want to protect in the form
of an XML file (except when using WhiteHat Sentinel or Cenzic Hailstorm, which ASM can connect to
directly to download results).
Before you can create a security policy using ASM, you need to complete the basic BIG-IP system
configuration tasks, including creating a VLAN, a self IP address, and other tasks, according to
the needs of your networking environment.
You can create a baseline security policy to protect against the potential problems
that a vulnerability assessment tool scan finds.
-
On the Main tab, click .
The Active Policies screen opens.
-
Click the Create button.
The Deployment wizard opens to the Select Local Traffic Deployment
Scenario screen.
-
For the Local Traffic Deployment Scenario setting,
specify a virtual server to use for the security policy.
- To secure an existing virtual server that has no security policy
associated with it, select Existing Virtual Server
and click Next.
- To create a new virtual server and pool with basic configuration
settings, select New Virtual Server and click
Next.
- To create an active but unused security policy, select Do not
associate with Virtual Server and click
Next. No traffic will go through this security
policy until you associate it with a virtual server. The Policy Builder
cannot begin automatically creating a policy until traffic is going to ASM
through the virtual server.
The virtual server represents the web application you want to protect.
The Configure Local Traffic Settings screen opens if you are adding a
virtual server. Otherwise, the Select Deployment Scenario screen
opens.
-
If adding a virtual server, configure the new or existing virtual server, and
click Next.
- If creating a new virtual server, specify the protocol, name, virtual
server destination address and port, and pool member IP address and port.
- If using an existing virtual server, it must have an HTTP profile and
cannot be associated with a local traffic policy.
- If you selected Do not associate with Virtual
Server, you will have to manually associate the security
policy with a virtual server at a later time, and you specify a name for the
security policy on the policy properties screen.
Otherwise, the name of the virtual server becomes the name of the security policy.
The Select Deployment Scenario screen opens.
-
For Deployment Scenario, select Create a
policy using third party vulnerability assessment tool output
and click Next.
-
From the Application Language list, select the language
encoding of the application, then click Next.
Important: You cannot change this setting after you have created the
security policy.
-
For Enforcement Mode specify whether or not the system
blocks traffic that violates the security policy.
- Leave the value set to Transparent, the default
value, if you want to review and fine-tune the security policy before
placing it in Blocking mode.
- If you want the system to enforce the security policy immediately,
select Blocking.
-
If the application is case-sensitive, select the Security Policy is
case sensitive check box. Otherwise, leave it cleared.
Important: You cannot change this setting after you have created the
security policy.
-
If you do not want the security policy to distinguish between HTTP and HTTPS
URLs, clear the Differentiate between HTTP and HTTPS URLs
check box. Otherwise, leave it selected.
-
Click Next.
The Vulnerability Assessments Settings screen opens.
-
From the Vulnerability Assessment Tool list, select the
vulnerability assessment tool that you use to scan your web application for
problems.
Tip: If your tool is not listed, select Generic
Scanner.
-
In the Configure exceptions for the scanner IP Address
setting, specify any IP addresses that you want the security policy to allow
(for example, the IP address of the vulnerability assessment tool), and how to
deal with them.
-
Type the IP address and netmask of the vulnerability assessment
tool.
You can add %n after an IP address to specify
a route domain, where n is the route domain
identification number.
-
Select the appropriate check boxes for learning suggestions, logging,
and blocking traffic from this IP address.
Keep the exception as narrow as the scanner needs (a host netmask for a single
scanner), because every address covered by the netmask inherits whatever you
exempt here, including exemption from blocking.
-
If you want to use automatic policy building, leave the Real Traffic
Policy Builder check box selected.
Note: In some cases, running the Real Traffic
Policy Builder may overwrite some of the security policy changes
suggested by the vulnerability assessment tool. For example, to prevent
false positives, the Policy Builder might adjust some of the entities in the
security policy based on examining the traffic.
If selected, the system runs the Policy Builder when you finish creating
the policy.
-
Click Next.
The Security Policy Configuration Summary screen opens.
-
Review the settings for the security policy. When you are satisfied with the
security policy configuration, click Finish.
The system creates the security policy and opens the vulnerability
assessment settings screen specific to the tool you are using. For most tools,
you can import the results of a vulnerabilities scan in an XML file.
-
If using Cenzic Hailstorm or WhiteHat Sentinel, you can connect with these
tools on the Vulnerability Assessments Settings screen that opens. If you have
an account, click Connect.
If you do not have an account, you can open a trial account and run a free
scan to find and resolve vulnerabilities.
-
If using the Generic Scanner, click Download Generic
Schema to download the generic_scanner.xsd
file.
The system creates a baseline security policy for your web application, but it does
not yet protect against the vulnerabilities or enforce the policy. The policy type is
Vulnerability Assessment.
Next, you need to import, review, and resolve vulnerabilities on the
Vulnerabilities screen so that the security policy protects against them.
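The scanner IP exception step above uses BIG-IP's "IP%n" route-domain notation. As an added example (not F5 code), the following Python parses such an exception plus its netmask, checks whether a given client address falls inside it, and reports how many addresses the exception covers. It assumes that an address without a %n suffix belongs to route domain 0 and that an address in a different route domain never matches; both are assumptions made for this illustration.

```python
import ipaddress

# Assumption for this example: an exception written without %n is in route domain 0.
DEFAULT_ROUTE_DOMAIN = 0


def split_route_domain(address):
    """Split 'IP[%n]' into (ip_string, route_domain).

    The %n suffix is BIG-IP route-domain notation, not part of the IP address,
    so it must be stripped before the address is parsed. (For IPv6, Python
    would otherwise read '%n' as a scope id and silently accept it.)"""
    host, sep, rd = address.partition("%")
    if sep and not rd.isdigit():
        raise ValueError(f"bad route domain suffix in {address!r}")
    return host, (int(rd) if sep else DEFAULT_ROUTE_DOMAIN)


def parse_exception(address, netmask):
    """Turn an 'IP[%n]' exception and dotted netmask into (network, route_domain)."""
    host, route_domain = split_route_domain(address)
    # strict=False lets a host address such as 10.1.2.3 with mask /24 become 10.1.2.0/24.
    network = ipaddress.ip_network(f"{host}/{netmask}", strict=False)
    return network, route_domain


def exception_size(address, netmask):
    """Number of addresses that inherit the exception's exemptions."""
    return parse_exception(address, netmask)[0].num_addresses


def client_matches(client, address, netmask):
    """True if client ('IP[%n]') is inside the exception: same route domain and
    inside the network. A different route domain is a different address space."""
    client_host, client_rd = split_route_domain(client)
    network, route_domain = parse_exception(address, netmask)
    return client_rd == route_domain and ipaddress.ip_address(client_host) in network


if __name__ == "__main__":
    # Constructed values: a single scanner in route domain 2.
    print(exception_size("10.1.2.3%2", "255.255.255.255"))   # 1
    print(client_matches("10.1.2.3%2", "10.1.2.3%2", "255.255.255.255"))
    print(client_matches("10.1.2.3", "10.1.2.3%2", "255.255.255.255"))
```

`exception_size` is the number to look at before saving the setting: a value larger than the number of scanner hosts you actually run means the exemption reaches further than intended.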
Associating a vulnerability assessment tool with an existing security policy
In order to integrate vulnerability assessment tool output with Application Security Manager (ASM), you need recent scanner output for the web
application you want to protect in the form of an XML file.
If you have already created a security policy that does not use vulnerability
assessment, you can import vulnerability assessment tool output into that security
policy.
-
On the Main tab, click .
The Vulnerabilities Assessments: Settings screen opens.
-
In the Current edited policy list near the top of the screen,
verify that the edited security policy is the one you want to work on.
-
From the Vulnerability Assessment Tool list, select the
vulnerability assessment tool that you use to scan your web application for
problems, or select Generic Scanner if your tool is not
listed.
Important: You cannot change the vulnerability assessment tool for a
security policy after you import vulnerabilities.
A popup screen informs you that the Policy Type will be changed to
Vulnerability Assessment and asks if you want to continue.
-
To associate the selected vulnerability assessment tool with the security
policy, click OK.
-
If using the Generic Scanner, click Download Generic
Schema to download the generic_scanner.xsd
file.
-
In the editing context area, click Apply Policy to
immediately put the changes into effect.
The system associates the vulnerability assessment tool with the security policy.
Next, you need to import, review, and resolve vulnerabilities on the
Vulnerabilities screen so that the security policy protects against them.
Configuring system-wide Cenzic settings
Before you can connect to Cenzic Hailstorm or Cenzic Cloud, the system needs to have
an Internet connection and have DNS configured. If you have an account with Cenzic, you
need the user name and password.
If you want to use Cenzic Hailstorm as your vulnerability assessment tool, you can
configure system-wide Cenzic settings. This is useful if you want to use a Cenzic
account to import vulnerabilities for multiple security policies because you only have
to set it up once. If you do not have an account with Cenzic, you can open a trial
account and run a free scan to find and resolve vulnerabilities in your web application.
-
On the Main tab, click .
-
If you have an account with Cenzic Cloud, connect to Cenzic as follows:
-
For Connection Status, click
Connect.
The Connect with Cenzic Cloud popup screen opens.
-
Type the User Name and
Password, then click
Submit.
The system sets up a system-wide connection with Cenzic
Cloud.
-
If you want to open a trial account with Cenzic Cloud, connect as
follows:
-
For Connection Status, click the Open
Cenzic Cloud Trial Account link.
The Open Cenzic Cloud Trial Account popup screen
opens.
-
Register with Cenzic by typing your customer information and setting up
an account.
The system sets up a system-wide connection with Cenzic
Cloud.
-
To establish a connection to a Cenzic ARC Server instead of Cenzic Cloud, in
the Cenzic ARC Server address field, type the local
Cenzic ARC server IP address or fully qualified domain name.
Note: If you configure a local Cenzic ARC Server IP address, you
will not have the option to share the site mapping with the Cenzic tool.
-
Click Save to save your settings.
If you have existing security policies that are configured to use the Cenzic
vulnerability assessment tool, those security policies will automatically connect to
this Cenzic account. The system warns you that configuring system-wide Cenzic account
settings replaces existing security policy-specific Cenzic connections. If you create
new security policies that use the Cenzic vulnerability assessment tool, they will use
the system-wide Cenzic account settings.
If you configure a Cenzic ARC server IP
address, you will not have the option to open a trial account in the Cenzic Cloud,
and all communications are made with your local Cenzic server.
Importing vulnerability assessment tool output
In order to import vulnerability assessment tool output into a security policy, you
need to have configured the policy to use a vulnerability assessment tool. You also
need recent scanner output (in XML format) for the web application you want to protect.
You can import vulnerability assessment tool output into a security
policy.
-
On the Main tab, click .
The Vulnerabilities screen opens.
-
In the Current edited policy list near the top of the screen,
verify that the edited security policy is the one you want to work on.
-
To import the recent scanner output from the vulnerability assessment tool, click
Import.
-
In the import popup screen, for the Import previously saved
vulnerabilities file field, specify the XML file output from the
vulnerability assessment tool that you associated with the security policy,
then click Import.
If using the Cenzic or WhiteHat vulnerability assessment tools, additional
settings allow you to connect to an existing account, create a trial account,
and request a new scan. Refer to the online help for details about the
settings.
The system verifies the file and if vulnerabilities for more than one
domain are discovered, on the popup screen you can select the domain names for
which to include the vulnerabilities.
The system imports the vulnerabilities that the vulnerability assessment tool
found on your web application.
Next, you need to review and resolve vulnerabilities on the Vulnerabilities screen
so that the security policy protects against them.
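The import step above notes that a file containing vulnerabilities for more than one domain prompts you to choose which domains to include. As an added example (not F5 code), the following Python checks that a scanner XML file is well-formed, lists the domains it covers with a count per domain, and writes a copy reduced to the domains behind the virtual server you are protecting. The element names (`vulnerabilities`, `vulnerability`, `name`, `url`, `parameter`) and the sample document are assumptions constructed for this illustration; the authoritative structure for the generic scanner is whatever the downloaded generic_scanner.xsd defines, and real output must validate against that schema, not against this sketch.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample. Element names are an ASSUMPTION for illustration only;
# the real format is defined by generic_scanner.xsd downloaded from ASM.
SAMPLE_XML = """<vulnerabilities>
  <vulnerability>
    <name>SQL injection</name>
    <url>https://shop.example.com/search</url>
    <parameter>q</parameter>
  </vulnerability>
  <vulnerability>
    <name>Reflected XSS</name>
    <url>https://shop.example.com/account/profile</url>
    <parameter>nickname</parameter>
  </vulnerability>
  <vulnerability>
    <name>Directory listing</name>
    <url>http://staging.example.net/uploads/</url>
    <parameter/>
  </vulnerability>
</vulnerabilities>
"""


def well_formed(xml_text):
    """True if the text parses as XML at all; a malformed file fails import anyway."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def _host_of(vuln):
    url = (vuln.findtext("url") or "").strip()
    return urlsplit(url).hostname or "<no-host>"


def vulns_by_domain(xml_text):
    """Map each domain named in the file to the number of findings for it.
    This is the set of domains the import popup would offer."""
    counts = {}
    for vuln in ET.fromstring(xml_text).iter("vulnerability"):
        host = _host_of(vuln)
        counts[host] = counts.get(host, 0) + 1
    return counts


def keep_domains(xml_text, domains):
    """Return a copy of the document containing only findings for `domains`,
    so that findings for hosts not behind this virtual server never reach ASM."""
    root = ET.fromstring(xml_text)
    for vuln in list(root.findall("vulnerability")):
        if _host_of(vuln) not in domains:
            root.remove(vuln)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(vulns_by_domain(SAMPLE_XML))
    trimmed = keep_domains(SAMPLE_XML, {"shop.example.com"})
    print(vulns_by_domain(trimmed))
```

Running `vulns_by_domain` before the import tells you whether the file mixes hosts (for example, a staging host alongside the production one); `keep_domains` produces the file to import when you would rather not rely on the popup's per-domain selection.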
Resolving vulnerabilities
Before you can resolve vulnerabilities for a security policy, the security policy
must be associated with a vulnerability assessment tool, and have the vulnerabilities
file imported to it.
When you resolve vulnerabilities discovered by a scanner, the security policy
protects against them. Application Security Manager (ASM) can
resolve some vulnerabilities automatically. Others require some manual intervention on
your part, and ASM provides guidance on what to do.
-
On the Main tab, click .
The Vulnerabilities screen opens and lists the vulnerabilities that the
vulnerability assessment scan discovered.
-
In the Vulnerabilities Found and Verified area, you can filter the
vulnerabilities that are displayed using the View and
Vulnerabilities with lists.
View option | Description
All | Displays all vulnerabilities found by the scanner.
Resolvable | Displays all vulnerabilities that are resolvable either automatically or manually.
Resolvable (Automatically) | Displays vulnerabilities that ASM can resolve.
Resolvable (Manually) | Displays vulnerabilities that can be resolved with some manual intervention.
Not Resolvable | Displays vulnerabilities that are not resolvable in any straightforward way.

Vulnerabilities with option | Description
Any | Displays vulnerabilities in any state.
Ignored | Displays vulnerabilities that you decided to ignore by selecting and clicking Ignore.
Mitigated | Displays vulnerabilities that ASM has mitigated, or those which have been fixed and marked as mitigated.
Pending | Displays vulnerabilities that need to be dealt with.
Mitigated (In Staging) | Displays vulnerabilities that were resolved by adding a parameter or cookie (in staging) to the security policy.
-
Review the vulnerabilities that the assessment tool has detected and verified.
-
Click a row in the table to display details about the
vulnerability.
Below the Vulnerabilities Found table, a list of the specific
vulnerabilities is displayed.
-
To add notes about the vulnerability, click the pencil icon in the ASM
Status column.
The Vulnerability Notes popup opens where you can add
notes.
-
For the vulnerabilities that are shown as Resolvable
(Automatically), select the vulnerabilities you want the system
to resolve (or ignore), and click the appropriate button.
Option | Description
Resolve and Stage | Updates the security policy to protect against the vulnerability, and puts parameters in staging. Entities in staging do not cause violations, and this allows you to fine-tune their settings without causing false positives.
Resolve | Updates the security policy to protect against the vulnerability.
Ignore | Changes the ASM Status of the selected vulnerability from Pending to Ignore. If later you decide to protect against this vulnerability, you can select it and click Cancel Ignore.
ASM reviews the prerequisites and then displays a list of the changes it
will make to fix the vulnerability.
-
If you agree with the changes, click Resolve.
ASM modifies the security policy to protect against the vulnerabilities
for which you clicked Resolve and ignores the rest. In
the Vulnerabilities list, the ASM Status column for the vulnerability changes to
Mitigated or Mitigated (In Staging), if appropriate.
-
For the vulnerabilities that are shown as Resolvable
(Manually), select the vulnerability you want to work on, and
click the appropriate button.
Option | Description
Show Resolution | Opens a popup that describes the vulnerability and its possible impact, shows the steps required to manually fix the vulnerability, and describes any risks that might result from making the changes.
Change ASM Status to Mitigated | Changes the status of the vulnerability to say Mitigated. Recommended after you manually fix vulnerabilities.
Ignore | Changes the ASM Status of the selected vulnerability from Pending to Ignore. If later you decide to protect against this vulnerability, you can select it and click Cancel Ignore.
-
Click Apply Policy to save the changes to the security
policy.
The system updates the security policy to prevent the handled
vulnerabilities from reoccurring.
-
If using WhiteHat Sentinel, select all of the vulnerabilities you dealt with
and click Retest to have the WhiteHat Sentinel service
verify that the vulnerability has been dealt with.
The security policy for your web application protects against the vulnerabilities
that the vulnerability assessment tool discovered and which you resolved manually or
automatically. The ASM Status of vulnerabilities that have been dealt with is set to
Mitigated.
You can periodically rescan your system to check for additional vulnerabilities
that need to be resolved.
Enforcing a security policy
You only need to enforce a security policy if it was created manually (not using the
automatic policy builder), and it is operating in transparent mode. Traffic should be
moving through Application Security Manager, allowing users to
access the web application for which you set up the security policy.
When you enforce a security policy, the system blocks requests that cause
violations that are set to block.
-
On the Main tab, click .
The Settings screen opens.
-
In the Current edited policy list near the top of the screen,
verify that the edited security policy is the one you want to work on.
-
For the Enforcement Mode setting, select
Blocking.
-
For each violation, review the settings so you understand how the security policy handles
requests that cause the violation, and adjust if necessary.
Option | Description
Learn | If selected, the system generates learning suggestions for requests that trigger the violation.
Alarm | If selected, the system records requests that trigger the violation in the Charts screen, the system log (/var/log/asm), and possibly in local or remote logs (depending on the settings of the logging profile).
Block | If selected (and the enforcement mode is set to Blocking), the system blocks requests that trigger the violation.
Tip: Click the information icon preceding a violation for a description of
it.
-
Click Save to save your settings.
-
On the Main tab, click .
The Active Policies screen opens.
-
Click the name of the security policy you want to work on.
The Properties screen opens.
-
To change the number of days the security policy remains in staging, change the
value in the Enforcement Readiness Period field.
The security policy does not block traffic during the Enforcement Readiness
Period even if violations occur.
-
If you want to block traffic that causes violations, you need to enforce
violations. One way to do this is:
-
Set the Enforcement Readiness Period to
0.
-
Click Save.
-
On the Main tab, click .
-
Click Enforce Ready.
-
To put the security policy changes into effect immediately, click Apply
Policy.
-
For a quick summary of system activity, look at the Overview screen ().
The Summary screen displays statistical information about Application
Security traffic.
After the enforcement readiness period is over and the enforcement mode is set to
blocking, the security policy no longer allows requests that cause violations set to
block to reach the back-end resources. Instead, the security policy blocks the request,
and sends the blocking response page to the client.