Managing your WAF can be a complicated task. Custom policies, signatures, application profiles, gateway plugins… there’s a good reason ours is considered the best in the world.
Back when security teams were in charge of just a handful of WAF stacks and a few dozen applications, things were relatively manageable. Today, however, with the shift to cloud and microservices, organizations have to deal with securing thousands of web endpoints that change on a daily basis.
I recently met with an Imperva AWS customer with a strict rehydration policy – every 60 days they tear down their entire environment and bring it up from scratch. Everything not source controlled and automated has to go, including their security products and configurations. This poses a unique challenge to security professionals, but we’ve got a solution.
We recently launched the Imperva GitHub, where our global community (we get around) can access tools, code repositories and other neat resources that’ll aid collaboration and streamline development.
To that effect, we developedimperva-sdk, an open source project hosted on our GitHub. ‘Impervians’ around the world can now contribute to the SDK and more projects that are on their way. This new collaboration between Imperva professionals and experienced Imperva customers will bring greater knowledge-sharing and faster deliveries. Securing thousands of web endpoints doesn’t sound so scary anymore.
For a long time now Imperva Securesphere has been providing automated deployment support and extended management REST API coverage. Still, administrators had to work hard writing their own wrappers and integrations for the granular APIs.
In this blog post I’ll be introducing imperva-sdk – A Python SDK for Imperva SecureSphere Open API. We’ll see how the SDK can be used to automate your SecureSphere management operations, migrate different environments, source control your configuration, and generally switch to a more SecOps mindset. imperva-sdk is easy to use, changes to the Python objects are propagated immediately to SecureSphere:
The SDK objects are hierarchal and aware of the different connections between resource types:
Standard Python documentation for the SDK is available, including module references and examples to get you started:
Figure 3: imperva-sdk documentation
imperva-sdk objects can be converted to dictionaries and saved as JSON. This allows you to use Python capabilities for advanced automation:
Figure 4: Create a new custom policy from JSON
One of the strongest features imperva-sdk has to offer is the ability to export the entire configuration of your SecureSphere management server to JSON (Note: only APIs that are implemented in the SDK are exported and imported). This gives you the ability to copy configurations between management servers, source control your WAF configuration, and easily incorporate your WAF settings in your CI/CD process.
In the next example we migrate the configuration from a staging management server to production, and in the process replace any reference to “staging” to “v1”:
Figure 5: Copy configuration between management servers
The ability to control the entire configuration from JSON frees users from the need to know Python. We have imperva-sdk wrappers for Jenkins and AWS Lambda, allowing end-users to simply provide management credentials and a JSON configuration file without writing a line of code:
Figure 6: imperva-sdk Jenkins job
The launch of the Imperva GitHub and imperva-sdk allows us even more flexibility and responsiveness when it comes to mitigating threats and extends those benefits to our larger community.