Forum Discussion

5 Replies

  • You are correct. You can indeed amend an existing policy, not created afresh, and not created by a 3rd-party vulnerability scanner such as WhiteHat. To be clear: WhiteHat will not "fully manage" the policy. WhiteHat will provide you with an XML file that contains a vulnerability assessment. You can import this file into any security policy--after you select WhiteHat as the vulnerability assessment tool. Then you can use ASM to resolve vulnerabilities reported by WhiteHat. I think the misunderstanding may be that once you select the vulnerability assessment tool, you cannot change it later--you can't mix multiple scanner outputs such as WhiteHat, Qualys, WebInspect, etc. within the same policy. Make sense?

  • The docs excerpt:

    1. On the Main tab, click Security > Application Security > Security Policies. The Active Policies screen opens.
    2. Click the Create button. The Deployment wizard opens to the Select Local Traffic Deployment Scenario screen.
    3. For the Local Traffic Deployment Scenario setting, specify a virtual server to use for the security policy.
      • To secure an existing virtual server that has no security policy associated with it, select Existing Virtual Server and click Next.
      • To create a new virtual server and pool with basic configuration settings, select New Virtual Server and click Next.
      • To create an active but unused security policy, select Do not associate with Virtual Server and click Next. No traffic will go through this security policy until you associate it with a virtual server. The Policy Builder cannot begin automatically creating a policy until traffic is going to ASM through the virtual server.
    4. The virtual server represents the web application you want to protect. The Configure Local Traffic Settings screen opens if you are adding a virtual server. Otherwise, the Select Deployment Scenario screen opens.

  • ASM can apply vulnerability assessment outputs to all policies, regardless of how they were created initially.

    If the Vulnerabilities tab is accessed when the currently edited policy is not scanner-originated, users will see a warning message, asking them to choose a vulnerability assessment tool. Then you can append the WhiteHat output to your existing policy.

  • Thanks Erik!

    That is exactly my understanding, after playing with the product for a bit....

    The problem is that our salesperson claimed that policies must be created afresh and will be fully managed by WhiteHat... You cannot customize them before you add WhiteHat, and you cannot modify/tune them afterwards. WhiteHat fully manages the policies, or you do. You cannot mix.

    That is a very wrong understanding, right?