Creating WAF Rules

Veracode Getting Started Guide

Veracode works with you to build custom rules for web application firewalls (WAFs) to block potential attacks against your web application. Based on the results of your DynamicDS scans, Veracode helps you create robust rules for the flaws at each severity level found in your application scan details. WAF rules enable your application-layer firewall to automatically remediate vulnerabilities as soon as they are detected.

Web application firewalls are a common part of the web application security landscape. A core challenge when using a WAF is properly configuring the WAF rules; a firewall is only as good as its rules. Veracode assists you in creating rules using either ModSecurity or Imperva.



Creating ModSecurity WAF Rules

Veracode ModSecurity rules attempt to block vulnerabilities identified by DynamicDS scans. These rules are not guaranteed nor designed to fix every vulnerability discovered. Veracode recommends a defense-in-depth strategy that may also require code-level remediation. You must have the Security Lead role to be able to create WAF rules.

After uploading these rules to your WAF, verify their effectiveness by performing another DynamicDS scan.

To create ModSecurity rules:
  1. From the DynamicDS scan status page, click WAF Integration.
  2. Enter the ID for the first rule. ModSecurity rules have identification (ID) numbers. The First Rule ID field specifies the ID of the first rule that Veracode includes in the ModSecurity rules file. The ID value increments with each successive issue. It is important to generate rules with identifiers that do not conflict with IDs already in use on your WAF.
  3. Select the severity of the security rule from the dropdown menu. The default is 4 - Warning.
  4. Click Generate.

    Veracode generates a text file containing the ModSecurity rules that you can upload to your WAF.
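Before uploading the generated file, it is worth checking its rule IDs against the rules your WAF already loads, since a clash makes ModSecurity refuse the configuration. The following Python example is added here and is not Veracode's code; the rule text in it is constructed to look like ModSecurity directives and does not reproduce Veracode's actual output. It parses the id: and severity: actions, reports IDs that collide with the existing ruleset, and computes a First Rule ID that leaves a free contiguous block large enough for the generated rules.

```python
import re

# Constructed sample of an existing ModSecurity configuration (hypothetical
# rule IDs; not taken from any real ruleset or from Veracode's output).
EXISTING_RULES = r"""
# Locally maintained rules
SecRule REQUEST_HEADERS:User-Agent "@contains badbot" \
    "id:100001,phase:1,deny,status:403,severity:2,msg:'Blocked user agent'"
SecRule ARGS "@rx (?i)<script" \
    "id:100002,phase:2,deny,status:403,severity:'CRITICAL',msg:'Script tag in parameter'"
SecAction "id:100010,phase:1,pass,nolog"
"""

# Constructed sample standing in for a generated rules file whose First Rule
# ID (100002) was chosen without checking the IDs already in use.
GENERATED_RULES = r"""
SecRule REQUEST_URI "@streq /search" \
    "id:100002,phase:2,deny,status:403,severity:4,msg:'Finding 1'"
SecRule REQUEST_URI "@streq /login" \
    "id:100003,phase:2,deny,status:403,severity:4,msg:'Finding 2'"
"""

ID_RE = re.compile(r"\bid:\s*'?(\d+)'?")
SEVERITY_RE = re.compile(r"\bseverity:\s*'?(\d|[A-Z]+)'?")
# ModSecurity's numeric severity scale; "4 - Warning" is the default mentioned above.
SEVERITY_NAMES = {0: "EMERGENCY", 1: "ALERT", 2: "CRITICAL", 3: "ERROR",
                  4: "WARNING", 5: "NOTICE", 6: "INFO", 7: "DEBUG"}


def _active_lines(text):
    """Yield configuration lines, skipping comment lines."""
    for line in text.splitlines():
        if not line.strip().startswith("#"):
            yield line


def rule_ids(text):
    """Return the rule IDs declared in a ModSecurity configuration, in file order."""
    ids = []
    for line in _active_lines(text):
        ids.extend(int(m) for m in ID_RE.findall(line))
    return ids


def conflicting_ids(existing_text, generated_text):
    """IDs used by the generated rules that the live ruleset already uses."""
    return sorted(set(rule_ids(existing_text)) & set(rule_ids(generated_text)))


def next_free_block(existing_text, count, start=1):
    """Smallest ID >= start such that start..start+count-1 are all unused.

    Use the result as the First Rule ID so that the successive IDs the
    generator assigns cannot collide with rules already loaded.
    """
    used = set(rule_ids(existing_text))
    candidate = start
    while True:
        clash = [i for i in range(candidate, candidate + count) if i in used]
        if not clash:
            return candidate
        candidate = max(clash) + 1


def severity_summary(text):
    """Count rules per ModSecurity severity name (numeric or symbolic form)."""
    counts = {}
    for line in _active_lines(text):
        for raw in SEVERITY_RE.findall(line):
            name = SEVERITY_NAMES[int(raw)] if raw.isdigit() else raw
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    generated = rule_ids(GENERATED_RULES)
    print("existing IDs:  ", rule_ids(EXISTING_RULES))
    print("generated IDs: ", generated)
    print("conflicts:     ", conflicting_ids(EXISTING_RULES, GENERATED_RULES))
    print("safe First Rule ID for %d rules: %d"
          % (len(generated), next_free_block(EXISTING_RULES, len(generated), start=100001)))
    print("generated severities:", severity_summary(GENERATED_RULES))
```

Run it against the concatenation of every file your WAF includes, not just one, because ModSecurity enforces ID uniqueness across the whole loaded configuration; the severity summary is a quick way to confirm that the level chosen in the dropdown is what actually landed in the file.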



Creating Imperva WAF Rules

The Veracode Imperva integration exports the vulnerabilities found in DynamicDS scan results for import into the Imperva SecureSphere management console. This console converts the vulnerabilities to rules and uploads them to the WAF. These rules are not guaranteed nor designed to fix every vulnerability discovered. Veracode recommends a defense-in-depth strategy that may also require code-level remediation.

To create Imperva rules:
  1. From the DynamicDS scan status page, click WAF Integration in the left navigation pane.
  2. Select Imperva in the Format field.
  3. Click Generate.

    Veracode generates a text file containing the Imperva rules that you can upload to your WAF.