Bi-directional Integration of Web Application Firewall with Leading Vulnerability Scanners Creates Continuous Security Improvement for In-Production Applications

Redwood Shores, CA, June 18, 2008 – Imperva®, the leader in application data security, today announced the industry’s first closed loop solution for managing the Web application security lifecycle on production systems. The Imperva SecureSphere Web Application Firewall (WAF), through bi-directional integration with vulnerability scanning tools from Cenzic, HP, IBM, and NT Objectives, addresses application security from quality assurance/testing into production. This combination meets the most stringent requirements of the Payment Card Industry (PCI) Data Security Standard (DSS) which mandates that organizations deploy a WAF or perform an application code review by June 30.

To more accurately and efficiently identify and mitigate application level threats to production systems, SecureSphere accepts vulnerability updates from application scanning tools. In addition, SecureSphere’s patent-pending Dynamic Profiling technology automatically detects and documents application changes in live applications and forwards this information to scanners. This unique capability extends the scope of application security life cycle management by enabling the continuous scanning and assessment of large scale applications in production environments.

“It’s increasingly clear that no matter how good we are at secure programming (SDLC), and no matter how effective our code scanning and vulnerability analysis tools are, neither approach can ‘solve’ our web application security problem,” said Rich Mogull, founder of Securosis, L.L.C., an independent security consulting practice. “We also need to change how we view Web Application Firewalls. They can no longer be merely external boxes protecting against generic vulnerabilities; they need tighter integration into our applications.”

“Imperva’s customers are leaders in virtually every industry segment, including e-commerce, financial services and healthcare,” said Shlomo Kramer, president and CEO of Imperva. “The bi-directional integration of vulnerability scanning products with Imperva’s SecureSphere Web Application Firewall provides organizations with the industry’s first true implementation of application security lifecycle management for production systems.”

Web Application Security Lifecycle Integration

The turnkey integration of SecureSphere with Cenzic, HP, IBM, and NT Objectives will allow joint customers to more effectively detect and protect against web application vulnerabilities and threats. The following products are being integrated with SecureSphere:

  • Cenzic: Hailstorm enterprise vulnerability testing and management software
  • HP/SPI: WebInspect web application security testing software
  • IBM/Watchfire: Watchfire® AppScan® Web application security testing suite
  • NT Objectives: NTOSpider web application vulnerability assessment tool

In addition to these product specific technical integrations, Imperva will deliver a set of open interfaces via the OpenSphere data security eco-system program.  These APIs will allow other technology vendors to take advantage of the ability to merge SecureSphere’s production security and monitoring capabilities with other parts of the security life cycle.

This new Imperva solution enables organizations to:

  1. Create granular security policies within SecureSphere WAF based on vulnerability information from application scanning results.  These policies can be used to deliver virtual patching for production applications while underlying vulnerabilities are fixed in source code.
  2. Eliminate the need to re-scan an entire application each time it is modified, since SecureSphere’s Dynamic Profiling detects and delivers updates to application scanning tools as applications change.  This allows for continuous scanning of large-scale production applications.
  3. Enforce application scanning policies by ensuring that any new application modules detected by SecureSphere have been scanned by the appropriate vulnerability analysis tools.

PCI DSS Clarification

According to the PCI Security Standards Council’s recently published Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified, the use of automated web application security vulnerability assessment (scanning) tools or implementation of a WAF will satisfy Requirement 6.6. The Supplement goes on to say that the intent is to ensure web applications exposed to the public Internet are protected, and that proper use of multiple options would provide the best defense. Today’s announcement creates a pre-integrated solution that allows organizations to deploy application vulnerability scanning and an application firewall in a complementary and integrated fashion.

“This new integrated offering by Imperva gives customers a much more cost effective solution for remediating web application vulnerabilities. While application developers are fixing, testing, and patching the application source code, and all of the expense and difficulty that involves, customers can protect themselves from harmful attacks immediately,” said JD Glaser, CEO of NT OBJECTives, Inc. “It puts control back in the hands of network administrators, and gives them a powerful tool for protecting their infrastructure.”

Availability

Integration between Imperva SecureSphere and Cenzic Hailstorm, HP/SPI WebInspect, IBM/Watchfire AppScan, and NT Objectives NTOSpider is expected in August 2008.

About SecureSphere

Imperva SecureSphere award-winning products deliver activity monitoring, audit and security for business applications and databases. SecureSphere products offer proven, automated capabilities for achieving, maintaining and documenting regulatory compliance. SecureSphere is the industry’s only complete business-critical data security and compliance solution that provides full visibility into data usage by the end-user, through the application and into the database. Automated feeds from the security and compliance experts at the Imperva Application Defense Center (ADC) ensure that SecureSphere is always armed with the latest defenses against new threats, and the most recent regulatory compliance best practices.

About Imperva

Imperva is the leader in application data security and compliance. Leading enterprise and government organizations worldwide rely on Imperva to prevent data theft and abuse, and ensure data integrity. The company’s SecureSphere products provide data governance and protection solutions that monitor, audit and secure business applications and databases. For more information, visit www.imperva.com

# # #

Imperva and SecureSphere are trademarks of Imperva, Inc. All other brand or product names are trademarks or registered trademarks of their respective holders.

Editorial Contact

Marc Gendron
(781) 237-0341
marc@mqpr.net