Manual Chapter: Using Vulnerability Assessment for a Security Policy

Overview: Vulnerability assessment policy building

Application Security Manager™ (ASM) integrates with services, such as WhiteHat Sentinel, that perform vulnerability assessments of web applications. Vulnerability assessment services identify, classify, and report potential security holes or weaknesses in the code of your web site.

You can use the vulnerability assessment deployment scenario to create a baseline security policy that is integrated with WhiteHat Sentinel. By communicating with the vulnerability assessment service, the system suggests updates to the security policy that can protect against the vulnerabilities. You can choose which of the vulnerabilities you want the security policy to handle, retest to be sure that the security policy protects against the vulnerability, and then enforce the security policy when you are ready.

When integrating with WhiteHat Sentinel, Application Security Manager has to recognize whether a request is coming from the WhiteHat server. This allows BIG-IP® ASM™ to return header information to WhiteHat Sentinel so it can mark the vulnerability as Mitigated by WAF. ASM identifies requests sent by WhiteHat Sentinel using the published source IP of the WhiteHat Sentinel service. However, ASM does not see the original source IP address of requests if ASM is behind a NAT (or NAT firewall), or if you are using a WhiteHat Satellite box. In these configurations, vulnerabilities that ASM protects against are not shown as mitigated in WhiteHat Sentinel.

If you want to resolve this issue, from the command line set the internal parameter WhiteHatTestIP<n> (where <n> is 1, 2, or 3) to the redirected source IP address. ASM then treats the address as one of the WhiteHat addresses, and sends WhiteHat information on vulnerabilities that have been mitigated.
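The source-IP matching described above, modelled here as an added illustration rather than F5's own code: it shows why a request from the Sentinel service is not recognized once a NAT or Satellite box rewrites the source address, how a WhiteHatTestIP<n> override restores the match, and that any other client arriving through the same translated address is then classified the same way. The scanner and NAT addresses are constructed documentation-range values, and the internal parameters are passed as a plain dictionary.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed sample addresses (RFC 5737 documentation ranges), not real WhiteHat Sentinel IPs.
PUBLISHED_SENTINEL_IPS = ["203.0.113.10", "203.0.113.11"]


def scanner_addresses(published: Iterable[str], internal_params: Dict[str, str]) -> set:
    """Addresses treated as WhiteHat Sentinel: the published scanner IPs plus any
    WhiteHatTestIP1..3 internal parameters that have been set (assumed dict form)."""
    addrs = {ipaddress.ip_address(a) for a in published}
    for n in (1, 2, 3):
        value = internal_params.get("WhiteHatTestIP%d" % n)
        if value:
            addrs.add(ipaddress.ip_address(value))
    return addrs


def observed_source(true_source: str, nat_address: Optional[str]) -> str:
    """Source IP as ASM sees it: behind a NAT or a Satellite box the original
    source is replaced by the translating device's address."""
    return nat_address if nat_address else true_source


def is_sentinel_request(true_source: str, nat_address: Optional[str],
                        internal_params: Dict[str, str]) -> bool:
    """True when the request would be treated as Sentinel traffic, i.e. when ASM
    would return its mitigation header information to the sender."""
    seen = ipaddress.ip_address(observed_source(true_source, nat_address))
    return seen in scanner_addresses(PUBLISHED_SENTINEL_IPS, internal_params)


if __name__ == "__main__":
    nat = "192.0.2.5"  # constructed address of the NAT in front of ASM
    print(is_sentinel_request("203.0.113.10", None, {}))    # True: direct, published IP matches
    print(is_sentinel_request("203.0.113.10", nat, {}))     # False: NAT hides the scanner's IP
    fixed = {"WhiteHatTestIP1": nat}
    print(is_sentinel_request("203.0.113.10", nat, fixed))  # True: override matches the NAT
    # Consequence of the override: another client behind the same NAT is also
    # classified as Sentinel traffic, because ASM only ever sees the shared address.
    print(is_sentinel_request("198.51.100.7", nat, fixed))  # True
```

Because of that last case, set WhiteHatTestIP<n> only to an address that carries scanner traffic exclusively, for instance a dedicated Satellite box rather than a NAT shared with ordinary clients.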

Creating a security policy integrated with WhiteHat Sentinel

Before you can integrate WhiteHat Sentinel with Application Security Manager™ (ASM), you need the following:
  • Up-to-date WhiteHat Sentinel subscription and valid login credentials
  • WhiteHat Sentinel Web API key for your account
  • Web application name or URI of the site you want to scan
  • Recent Sentinel scan of the web application you want to protect
The BIG-IP® ASM™ system needs to be able to access the WhiteHat site to download the results of the vulnerability scan and to perform retests after updating the security policy. If the BIG-IP system does not have Internet access, you can run the vulnerability scan on a system that does have access, then save the results of the scan as an XML file and upload that file to the BIG-IP system.

You need to complete the basic BIG-IP system configuration tasks including defining a VLAN, a self IP address, a local traffic pool, an application security class, and a virtual server, according to the needs of your networking environment. You also need to configure a DNS address (System > Configuration > Device > DNS), and restart ASM (at the command line, type bigstart restart asm).

The WhiteHat Sentinel service assesses web applications for vulnerabilities. You can create a baseline security policy to protect against the potential problems that a Sentinel scan finds.
  1. On the Main tab, click Application Security > Web Applications.
  2. Locate the web application you want to protect, and click the Configure Security Policy link next to it.
    Tip: If you do not see the web application, first create an application security class.
    The Deployment wizard opens the Select Deployment Scenario screen.
  3. For Deployment Scenario, select Create a policy using third party vulnerability assessment tool output and click Next.
  4. From the Application Language list, select the language encoding of the application and click Next.
    Important: You cannot change this setting after you have created the security policy.
    The Vulnerability Assessments Settings screen opens with WhiteHat Sentinel selected as the vulnerability scanner.
  5. For Sentinel Web API Key, type the key generated by WhiteHat Sentinel for your account.
  6. Click Refresh Sentinel Site Names List to populate the Sentinel Site Name list with the names of web applications configured under the Sentinel Web API key. If this BIG-IP system does not have an Internet connection, type the URI or name of the application web site in the Custom Sentinel Site Name box. The system puts the name of the site in the Sentinel Site Name field.
  7. Click Next. The Import Vulnerabilities screen opens.
  8. For Import Method, select how to import a vulnerability report from the Sentinel server:
    Option: Download vulnerabilities directly from WhiteHat Sentinel
    Description: Download the vulnerability file from the Sentinel server directly to the Application Security Manager.
    Option: Upload file with vulnerabilities
    Description: Upload a previously downloaded vulnerability file to the Application Security Manager. Type the name of the file, or click Browse to search for it.
  9. Click Import. The system imports the vulnerabilities it discovered during the last scan of the application.
The system creates a baseline WhiteHat security policy for your web application but does not yet enforce it.
Now you need to review and resolve vulnerabilities on the Vulnerabilities screen so that the security policy protects against them.

Resolving and retesting vulnerabilities

You can resolve vulnerabilities only on a security policy that was created using the Vulnerabilities Assessments deployment scenario.
When you resolve vulnerabilities, Application Security Manager™ (ASM) configures the security policy to protect against the vulnerability.
  1. On the Main tab, click Application Security > Policies List.
  2. Click the name of the WhiteHat baseline security policy. The security policy Properties screen opens.
  3. From the Vulnerability Assessments menu, click Vulnerabilities. The Vulnerabilities screen opens and lists the vulnerabilities that the WhiteHat Sentinel scan discovered.
  4. On the Automatically Resolvable Vulnerabilities tab, review the vulnerabilities that WhiteHat has detected.
    Tip: Click the icon next to a vulnerability to display details about the URLs, parameters, or parameter values that revealed the vulnerability.
  5. Select the vulnerabilities you want the system to resolve (or ignore), and click Resolve (or Ignore). BIG-IP® ASM modifies the security policy to protect against the vulnerabilities for which you clicked Resolve and ignores the rest. On the Automatically Resolvable Vulnerabilities tab, the ASM Status column for each vulnerability changes to Handled (or Ignored), as appropriate.
  6. Click Apply Policy to save the changes to the security policy. The system updates the security policy to prevent the handled vulnerabilities from reoccurring.
  7. Select all of the vulnerabilities you dealt with and click Retest. On the Automatically Resolvable Vulnerabilities tab, the Sentinel Status column of all handled vulnerabilities states Mitigated by WAF.
The security policy for your web application protects against the vulnerabilities that WhiteHat Sentinel discovered and which you resolved.
You can also review vulnerabilities on the Manually Resolvable Vulnerabilities tab, and update the security policy to protect against them. This task requires manual configuration of the security policy.

Enforcing a security policy

To enforce a security policy, you change the enforcement mode from transparent to blocking.
  1. On the Main tab, expand Application Security and click Policy.
  2. In the editing context area near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. From the Blocking menu, choose Settings.
  4. For the Enforcement Mode setting, select Blocking.
  5. Select or clear the Block check boxes for the violations, as required (or use the default settings).
  6. Click Save.
  7. In the editing context area, click Apply Policy to immediately put the changes into effect.
When the enforcement mode is set to blocking and the violations you want to enforce are set to block, the security policy no longer allows requests that cause these violations to reach the back-end resources. Instead, the security policy blocks the request, and sends the blocking response page to the client.