Automagic Vulnerability Scanner Integration: Cenzic Style!

Welcome to the future!  Hoverboards for all,  new clear cola, skateboarding monkeys, and integrated WAF scanners!

Ok, so clear cola was kind of a flop, the monkeys have advanced to writing TCL, and I am still waiting on my hoverboard... But at least I have my Cenzic integration. As of ASM 11.2, you can kick off a scan and import the scanner results directly from the ASM GUI.

Who is Cenzic? (www.cenzic.com)

"Founded in 2000, Cenzic provides application security to continuously assess Cloud, Mobile and Web vulnerabilities. Cenzic's solutions scale from a single application to enterprise-level deployments with pricing models that enable testing of all applications at optimal levels. Cenzic helps brands of all sizes protect their reputation and manage security risk in the face of malicious attacks. Cenzic's solutions are used in all parts of the software development lifecycle (SDLC), and most importantly in production, to protect against new threats throughout the life of applications."

Translation:  They are a groovy vulnerability scanning tool that can assist in building a solid security model.

The best part: using it is as easy as can be, AND Cenzic is offering 3 free scans. Woot!

The nitty gritty:

1. First step is to create the new policy. While creating it, you are asked how you want to build the policy. To use the Cenzic integration, you choose "Create a policy using third party vulnerability assessment tool output".
2. Configure your security policy properties, then click onward to Vulnerability Assessment Settings. Here we are going to choose "Cenzic Hailstorm". Hailstorm... cool name, eh?!
3. Take a look at your settings, make sure they are a-ok, and click Finish.
4. Now the fun begins. We want to connect to the Cenzic Cloud Scanner. Click on Connect and you'll see the login prompt. If you don't have an account yet, you can use the trial account link to open one.
5. Log in with your account and request a scan for your site. This will kick off the scan from the Cenzic cloud. You can also log in to the Cenzic cloud control center (check the registration email you get for the login details).
6. Once the scan is complete, we get to see exactly how bad a shape we're in and what we can do about it. It looks like we are in trouble: Cross-Site Scripting, SQL issues, HTTP... uh oh. But look here, it tells us what we can mitigate right on the ASM!
7. I click on Cross-Site Scripting, take a look at the vulns, select what I want to fix and hit Resolve. (Resolve and Stage will put the signatures into staging, where ASM reports matches but does not yet enforce them, so you can check for false positives before they block traffic.)
8. Now for the usual warnings, before it puts the vulnerabilities into the policy.
9. Now if you take a look at the policy, it will have new items in it, based on the vulnerability scan.


Honestly, that's it. Easy Peasy Lemon Squeezy! If you get a chance, take a free spin with 11.2 and the Cenzic scan.

Published Jul 10, 2012
Version 1.0