Friday, 7 October 2011

No correlation is interesting too. Part 1: WI is not configured right

With the introduction of WebInspect Real Time, we improved our correlation mechanism for the third time. Obviously, everybody wants to see correlation when running the suite on their application. However, no correlation may be a good indicator that not everything is set up right...

No correlation means something is off. In a perfect world, each issue found by product A should have one or more correlated issues found by product B. If an issue is only found by product A, then either
    the issue found by product A is a false positive (FP), or
    product B is not configured right.
One use case that I have seen a couple of times now is SCA pointing out multiple "Parse Double Precision" issues in the code while WebInspect (WI) (and consequently SecurityScope) fails to report them. The reason WI was not finding these issues was simply WI misconfiguration. Because the Double Precision problem leads to a DoS, the check for it is not part of the default policy. The Denial of Service attacks are only sent out when the "Assault Policy" or the "All Check Policy" is chosen in WI. You can also manually add the Parse Double attack to the policy by choosing: Policy Manager: Logical Attacks -> Denial of Service: (end of the list) Java (or PHP) Double-Precision Parsing Denial of Service. (On a side note, please run SmartUpdate, as we have added more attack patterns to the WI check Java/PHP Double-precision Parsing Denial of Service.)

UPDATE Oct 24:
When building this policy manually, it is important to switch on the necessary Audit Engines. This can be done in the Policy Manager by clicking on "Threat Classes", going to "Attack Groups", and choosing: Audit Engines -> Adaptive Agents.
Posted by mmadou at 3:34 AM in Fortify
