Sorry for the delayed response.
Right now ThreadFix can import attack data in the form of the logs for Snort and mod_security sensors. ThreadFix can identify the alerts that were based on rules that it (ThreadFix) generated and map those back to the original vulnerabilities. So we are not really importing generalized WAF attack data - rather we are importing the WAF attack data that is relevant to vulnerabilities that have been identified.
ThreadFix -could- be extended to import generalized WAF attack data as well as attack data from AppSensor, but we would need to think about exactly what structure that data would be imported into. How would you want to see that work and what sort of reporting would you like to be able to extract from it?
Generalized WAF imports might be a little tricky because ThreadFix's asset management is application-based whereas WAF sensor logs would be network-based (with more than one application on an IP address) so we'd need to figure a way to split up the logs to point to the specific apps targeted by each alert (we can do that right now because we track the ID of the rules we generated and can just extract only the alerts from the rules we created).
Importing AppSensor data would be more straightforward because AppSensor also has an application-based asset model (at least for the stuff I've looked at).
In general I like the idea of getting some operations data on applications and rolling that up alongside the vulnerability data that ThreadFix is great at tracking. I especially think that would be helpful to organizations trying to make remediation prioritization decisions - if apps are under active attack with specific vulnerability classes or parts of the application as the focus then certain vulnerabilities probably need to get fixed more quickly. My concerns about this would be creating something universal enough that it would be generally usable and not trying to re-implement an entire WAF reporting console because the level of effort to do this could quickly spiral out of control.
Thoughts?
Thanks,
Dan
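The rule-ID correlation described in the message above (keep only the sensor alerts raised by rules we generated, then map them back to the vulnerability each rule was written for), as an added illustration that is not ThreadFix's own code. It assumes a hypothetical mapping from generated rule ID to vulnerability record, and the sample log lines are constructed for the example, modelled on the ModSecurity error-log format and the Snort "fast" alert format rather than captured from a real sensor. It also shows the application-vs-network mismatch mentioned in the message: the Snort line carries only a destination IP, so the alert is attributed to an application purely through the rule ID, while any alert from a rule we did not generate is counted but not attributed.

```python
"""Map WAF/IDS alerts back to known vulnerabilities via the rule IDs we generated."""
import re
from collections import Counter

# Hypothetical mapping from generated rule ID to the vulnerability record the
# rule protects (constructed for this example; a real tracker keeps its own).
GENERATED_RULES = {
    "950100": {"vuln_id": "VULN-17", "app": "payroll", "class": "SQL Injection"},
    "950101": {"vuln_id": "VULN-23", "app": "payroll", "class": "XSS"},
    "1000001": {"vuln_id": "VULN-42", "app": "portal", "class": "SQL Injection"},
}

# Constructed sample lines in the shape of a ModSecurity error log. The last
# line comes from a rule we did not generate and must not be attributed.
MODSEC_LOG = """\
[Tue Mar 05 10:01:02 2013] [error] [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)union select" at ARGS:id. [file "/etc/modsecurity/generated.conf"] [line "7"] [id "950100"] [msg "Generated rule for VULN-17"] [hostname "payroll.example.com"] [uri "/report"] [unique_id "a1"]
[Tue Mar 05 10:01:09 2013] [error] [client 10.0.0.5] ModSecurity: Warning. Pattern match "<script" at ARGS:q. [file "/etc/modsecurity/generated.conf"] [line "9"] [id "950101"] [msg "Generated rule for VULN-23"] [hostname "payroll.example.com"] [uri "/search"] [unique_id "a2"]
[Tue Mar 05 10:02:44 2013] [error] [client 10.0.0.9] ModSecurity: Warning. Pattern match "(?i)union select" at ARGS:id. [file "/etc/modsecurity/generated.conf"] [line "7"] [id "950100"] [msg "Generated rule for VULN-17"] [hostname "payroll.example.com"] [uri "/report"] [unique_id "a3"]
[Tue Mar 05 10:03:00 2013] [error] [client 10.0.0.9] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/other.conf"] [line "30"] [id "981176"] [msg "Inbound Anomaly Score Exceeded"] [hostname "payroll.example.com"] [uri "/login"] [unique_id "a4"]
"""

# Constructed sample lines in the shape of Snort "fast" alert output. Note
# that only IP addresses are present, so the rule ID is the only link to an app.
SNORT_LOG = """\
03/05-10:05:12.000000  [**] [1:1000001:1] Generated rule for VULN-42 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51234 -> 10.0.0.20:80
03/05-10:06:40.000000  [**] [1:99999:1] Example generic web scan [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.9:51240 -> 10.0.0.20:80
"""

MODSEC_RE = re.compile(
    r'\[client (?P<src>[\d.]+)\].*?\[id "(?P<rule_id>\d+)"\]'
    r'.*?\[hostname "(?P<host>[^"]+)"\].*?\[uri "(?P<uri>[^"]+)"\]'
)
SNORT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] .*?"
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)


def parse_modsec(text):
    """Extract rule ID, source and the application-level target (host + URI)."""
    alerts = []
    for line in text.splitlines():
        m = MODSEC_RE.search(line)
        if m:
            alerts.append({"sensor": "mod_security", "rule_id": m["rule_id"],
                           "src": m["src"], "target": m["host"] + m["uri"]})
    return alerts


def parse_snort(text):
    """Extract the Snort SID as the rule ID; the target is only a network address."""
    alerts = []
    for line in text.splitlines():
        m = SNORT_RE.search(line)
        if m:
            alerts.append({"sensor": "snort", "rule_id": m["sid"],
                           "src": m["src"], "target": m["dst"]})
    return alerts


def correlate(alerts, generated_rules=GENERATED_RULES):
    """Count alerts per vulnerability for rules we generated.

    Returns (hits_per_vuln_id, ignored_count); alerts from rules we did not
    generate cannot be tied to an application here and are only counted.
    """
    hits = Counter()
    ignored = 0
    for alert in alerts:
        record = generated_rules.get(alert["rule_id"])
        if record is None:
            ignored += 1
            continue
        hits[record["vuln_id"]] += 1
    return hits, ignored


def summarize(hits, generated_rules=GENERATED_RULES):
    """Roll hits up per application and vulnerability class for prioritization."""
    by_vuln = {r["vuln_id"]: r for r in generated_rules.values()}
    summary = {}
    for vuln_id, count in hits.items():
        rec = by_vuln[vuln_id]
        per_app = summary.setdefault(rec["app"], {})
        per_app[rec["class"]] = per_app.get(rec["class"], 0) + count
    return summary


if __name__ == "__main__":
    all_alerts = parse_modsec(MODSEC_LOG) + parse_snort(SNORT_LOG)
    hits, ignored = correlate(all_alerts)
    print("hits per vulnerability:", dict(hits))
    print("alerts from rules we did not generate:", ignored)
    print("per-application summary:", summarize(hits))
```

Running it attributes three alerts to known vulnerabilities (two for VULN-17, one each for VULN-23 and VULN-42) and leaves two unattributed, which is exactly the distinction between "attack data relevant to identified vulnerabilities" and generalized WAF data.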