Applies To:
Show VersionsBIG-IP ASM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Overview: Integrating WhiteHat Sentinel with ASM
Application Security Manager (ASM) integrates with WhiteHat Sentinel to perform vulnerability assessments of web applications. WhiteHat identifies, classifies, and reports potential security holes or weaknesses in the code of your web site.
You can use the vulnerability assessment deployment scenario to create a baseline security policy that is integrated with WhiteHat Sentinel. By using Sentinel scan output, the system suggests updates to the security policy that can protect against the vulnerabilities that WhiteHat Sentinel found. You can choose which of the vulnerabilities you want the security policy to handle, resolve them automatically or manually, retest to be sure that the security policy protects against the vulnerabilities, then enforce the security policy when you are ready.
Task summary
Creating a security policy integrated with WhiteHat Sentinel
- Up-to-date WhiteHat Sentinel subscription and valid login credentials (sentinel.whitehatsec.com)
- WhiteHat Sentinel Web API key for your account
- Site name (as defined in your WhiteHat account)
- Recent Sentinel scan of the web application you want to protect
If you do not have a WhiteHat account, you will have the opportunity to get a free assessment of your website from WhiteHat Sentinel.
The ASM system needs to be able to access the WhiteHat web site to download the results of the vulnerability scan and to perform retests after updating the security. If the BIG-IP system does not have Internet access, you can run the vulnerability scan from a system that does have access, then save the results of the scan as an XML file on that system and import the vulnerabilities file manually onto the BIG-IP system.
You need to complete the basic BIG-IP system configuration tasks including creating a VLAN, a self IP address, and other tasks according to the needs of your networking environment. You also need to configure a DNS address (go to
.ASM identifies requests sent by WhiteHat Sentinel using the published source IP of the WhiteHat Sentinel service. However, ASM does not see the original source IP address of requests if the BIG-IP system is behind a NAT (or NAT firewall), or if you are using a WhiteHat Satellite box. In these configurations, vulnerabilities that ASM protects against are not shown as mitigated in WhiteHat Sentinel.
To resolve this issue, set one or more of the WhiteHatIP system variables to the redirected source IP addresses or subnets. ASM then treats the address as one of the WhiteHat addresses, and sends WhiteHat information on vulnerabilities that ASM has mitigated.
Creating a vulnerability file
- Up-to-date WhiteHat Sentinel subscription and valid login credentials (sentinel.whitehatsec.com)
- WhiteHat Sentinel Web API key for your account
- Site name (as defined in your WhiteHat account)
- Computer with Internet access
Resolving vulnerabilities when using WhiteHat Sentinel
Fine-tuning a security policy
After you create a security policy, the system provides learning suggestions concerning additions to the security policy based on the traffic that is accessing the application. For example, you can have users or testers browse the web application. By analyzing the traffic to and from the application, Application Security Manager generates learning suggestions or ways to fine-tune the security policy to better suit the traffic and secure the application.