  • 1.  How long Imperva will update a signature on ADC since a CVE is published?

    Posted 02-04-2020 09:02

    How long Imperva will update a signature on ADC since a CVE is published in order to patch vulnerabilities?


    Cong Le

  • 2.  RE: How long Imperva will update a signature on ADC since a CVE is published?

    Posted 02-06-2020 05:53
    Here is an article from the knowledge base regarding ADC updates. Hope it helps:

    The Imperva Application Defense Center (ADC) is a premier research organization that provides security analysis, vulnerability discovery, and compliance expertise. ADC research combines extensive lab work with hands-on testing in real world environments to ensure that Imperva products, through advanced data security technology, deliver up-to-date threat protection and unparalleled compliance automation.

    The Imperva ADC develops mitigations based on CVEs (Common Vulnerabilities and Exposures) found within the Mitre CVE database. The Imperva ADC continuously monitors all new CVEs and evaluates mitigation for any CVE that is relevant to web applications. Specific policies or signatures are created immediately to mitigate newly found CVEs and an update is pushed to SecureSphere deployments at regular intervals. If a CVE is mitigated out of the box (through SQL injection or XSS correlation engines, for example), the ADC may decide not to address the CVE with an additional signature or policy. These decisions are made after extensive analysis and testing. To summarize, if a vulnerability in ANY application is published through the CVE process, the ADC will ensure that it is mitigated by SecureSphere WAF (assuming of course that it is a web application vulnerability and not a client-side issue or an internal infrastructure issue).

    Setting a security rule to block or to only detect is a matter of balancing the damage and probability of a successful attack and the damage and probability of a false detection. For instance, if the ADC can detect the attack in a precise manner, the security rule is set to block; this is the case for the vast majority of newly added rules. If the CVE relates to some esoteric system and the attack vector cannot be clearly identified and may be considered as a legitimate input in certain cases, then the ADC will set the rule to detect only. The customer is offered the ability to promote or demote a rule action to block or detect based on their specific needs.

    We currently issue an ADC update every 2 weeks. There is an internal release process that includes extensive QA which adds another week. Hence, from the time of vulnerability release to the time of content release you will have on average a 3-week delay. When critical vulnerabilities that have a dramatic effect are discovered, the ADC will issue manual mitigation guidance. In addition, for critical vulnerabilities that affect extremely large populations, they are able to issue emergency updates.


    Sabajete Elezaj
    SNT Albania