Can one add WhiteHat to existing, already in production, ASM policies?
Or does one have to start from scratch, and create a new policy?
The only documentation I found does not seem to mention the existing policies use case!
The docs excerpt:
ASM can apply vulnerability assessment outputs to all policies, regardless of how they were created initially.
If the Vulnerabilities tab is accessed when the currently edited policy is not scanner-originated, users will see a warning message, asking them to choose a vulnerability assessment tool. Then you can append the WhiteHat output to your existing policy.
That is exactly my understanding, after playing with the product for a bit....
The problem is that our sales person claimed that policies must be created afresh and will be fully managed by WhiteHat... You cannot customize them before you add WhiteHat, and you cannot modify/tune them afterwards. Either WhiteHat fully manages the policies, or you do. You cannot mix.
That is a very wrong understanding, right?
You are correct. You can indeed amend an existing policy, not created afresh, and not created by a 3rd-party vulnerability scanner such as WhiteHat. To be clear: WhiteHat will not "fully manage" the policy. WhiteHat will provide you with an XML file that contains a vulnerability assessment. You can import this file into any security policy--after you select WhiteHat as the vulnerability assessment tool. Then you can use ASM to resolve vulnerabilities reported by WhiteHat. I think the misunderstanding may be that once you select the vulnerability assessment tool, you cannot change it later--you can't mix multiple scanner outputs such as WhiteHat, Qualys, WebInspect, etc. within the same policy. Make sense?