This section describes the steps to integrate Dynamic Application Security Testing (DAST) with the WAF.

The following are the steps to integrate DAST:

  1. Run a scan against a web application not protected by WAF.

  2. If the scan finds any issues, run avi-iwaf-vpatch.py on the scan output to generate WAF Policy rules, then enable WAF.

  3. Scan again. The subsequent scans will not report issues for problems handled by WAF Policy.

The avi-iwaf-vpatch.py script generates NSX Advanced Load Balancer WAF Policy Positive Security rules. It creates a WAF Policy Positive Security group containing all the rules that cover the DAST scan issues. The script automatically creates a Positive Security location for each vulnerable URL reported by the scanner, and a Positive Security rule for each supported issue.

Note:

The avi-iwaf-vpatch.py script does not generate rules for every issue the scanner reports. It generates rules related to parameter security, for example for URL parameters, HTML form fields, and XML or JSON attributes.
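As an added illustration (not the avi-iwaf-vpatch.py script itself, and not the NSX Advanced Load Balancer object schema), the following Python sketch models the translation step described above: parameter-level findings become one rule per vulnerable parameter, grouped into one location per URL path, while findings the script cannot cover (such as a missing security header) are returned separately so they are not silently dropped. The finding field names, issue kinds, and allow-list patterns are assumptions constructed for this example.

```python
"""Model of the DAST-findings-to-positive-security step (assumed, illustrative only)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed DAST findings; field names are assumptions, not a real scanner's schema.
SCAN_FINDINGS = [
    {"url": "https://app.example.com/login?user=a", "param": "user", "kind": "sqli", "source": "query"},
    {"url": "https://app.example.com/login?user=b", "param": "user", "kind": "xss", "source": "query"},
    {"url": "https://app.example.com/login", "param": "password", "kind": "xss", "source": "form"},
    {"url": "https://app.example.com/api/order", "param": "qty", "kind": "sqli", "source": "json"},
    {"url": "https://app.example.com/", "param": None, "kind": "missing-security-header", "source": None},
]

# Only parameter-level issues produce rules (the note above); anything else is reported as uncovered.
PARAM_ISSUE_KINDS = {"sqli", "xss", "command-injection"}

# Conservative allow-list pattern per parameter source; assumed defaults, tune per application.
DEFAULT_PATTERN = {
    "query": r"^[A-Za-z0-9_.@-]{1,64}$",
    "form": r"^[^<>]{1,128}$",
    "json": r"^[0-9]{1,9}$",
}


def build_positive_security_group(findings, group_name="dast-vpatch"):
    """Return (group, uncovered): one location per path, one rule per parameter."""
    locations = defaultdict(dict)  # path -> {param_name: rule}
    uncovered = []
    for f in findings:
        if f["kind"] not in PARAM_ISSUE_KINDS or not f.get("param"):
            uncovered.append(f)
            continue
        path = urlsplit(f["url"]).path  # location is keyed by path; the query string is stripped
        rule = locations[path].setdefault(f["param"], {
            "name": f"{path}:{f['param']}",
            "source": f["source"],
            "allowed_pattern": DEFAULT_PATTERN[f["source"]],
            "issues": [],  # every scanner issue this single rule addresses
        })
        rule["issues"].append(f["kind"])
    group = {
        "name": group_name,
        "locations": [{"path": p, "rules": sorted(r.values(), key=lambda x: x["name"])}
                      for p, r in sorted(locations.items())],
    }
    return group, uncovered
```

Re-running the scan after the group is enabled should clear the parameter issues, while anything in `uncovered` still needs a fix outside the WAF.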

The script is delivered as part of the NSX SDK, available on the NSX Advanced Load Balancer Controller in the DAST directory.