FAQs: Web application security

Organizations have made strides in recent years to lock down networks' perimeters. But even agencies with the tightest network defenses may find another technology layer open to attack: applications.

Web applications are an especially inviting target. A March report from Symantec, a security vendor, notes an increase in attacks against such applications. The report states that about 48 percent of the 1,403 new vulnerabilities documented between July 1 and Dec. 31, 2004, fell into the Web application category.

A relatively new class of products that focus on application security are now available, although they remain a bit of a mystery to many technology managers. What follows is a rundown of how these products work, who sells them and how much they cost.

FAQ: Why are Web applications vulnerable?

Software that works with a Web browser has become the largest application category, according to some industry executives. But customers have left the Web application door open to intruders.

"A lot of organizations realize this is an area they have ignored but must pay attention to now," said David Grant, director of product marketing at Watchfire. "As applications go online ...you have more access points into the organization."

Jeff Platon, vice president of product technology marketing and security at Cisco Systems, said organizations have done a good job on perimeter security but have "left the internal applications, users and processes pretty wide open."

Traditional firewalls, virtual private networks and intrusion-detection systems help secure networks, but they provide inadequate application security, some observers say. Problems arise when perimeter security products can't distinguish between legitimate and illegitimate requests coming through a browser.

"If, through a Web browser, I can get my account information, I can get to your account information," said Andrew Stern, director of security product marketing at F5 Networks. "Those two requests look exactly the same to a traditional security system."

What can you buy to secure Web applications?

No single product can solve the entire problem.

"Application security is not a single-button push," said John Weinschenk, president and chief executive officer of Cenzic.

"Too many people rely on a single tool," said Oscar Fuster, a vice president at iGov, an IT consulting firm that specializes in security.

Instead, Fuster and other industry executives advocate a layered approach using a combination of products. Those products include Web application vulnerabilityassessment tools, code scanners and Web application firewalls.

Organizations can also select tools to secure underlying databases in addition to Web applications. Database security solutions from companies such as Application Security fall into this category.

What role do vulnerability assessment tools play?

Web vulnerability assessment tools essentially simulate the work of hackers as they test applications for security vulnerabilities. Such tools can help organizations refine their application-layer defenses, according to a state government manager who requested anonymity.

"We knew we did everything we could at the lower layers of the OSI [Reference Model], but there were a lot of vulnerabilities at the application layer," the manager said. "We didn't want to live with that unknown."

Traditionally, manual penetration tests were used to assess vulnerability. But vendors say their products can do the job much more quickly.

Weinschenk said manual testing may take three to six weeks per application, which can lead to backlogs. "We know a customer who has 80 applications waiting in information security for testing to be put live," he said.

Cenzic's Hailstorm takes about seven seconds to test a Web page when only one attack is simulated. Simulating multiple attacks or different types of attacks can take a few minutes, according to company officials. Manual testing takes about 10 to 12 hours per page, they added.

Cost is another factor with manual testing. Mandeep Khera, vice president of marketing at Cenzic, said hiring a consultant to test Web applications can cost $100,000 to $125,000 for a Web application with 100 to 150 pages. Vendors say their products can test software for a fraction of that cost.

Web vulnerability-assessment tools may be used to assess the security of applications before the applications go into production and to conduct periodic security audits. Products that do this include Cenzic's Hailstorm, Kavado's ScanDo, SPI Dynamics' WebInspect and Watchfire's AppScan.

Brian Cohen, CEO of SPI Dynamics, said the company sells to federal agencies through large resellers. He said agencies have made small purchases of WebInspect over the past few years but now seek to push budgets through for more substantial licensing arrangements.

Code scanners represent a variant of Web application-testing tools, said Bob Walters, president and CEO of Teros. Code scanners assess source code and are purely a tool for developers, he said. But application-testing products may be used by developers and information security personnel, he added.

How does a Web application firewall work?

Web application firewalls address the security gaps that traditional firewalls aren't designed to handle. For example, firewalls leave open TCP Port 80, through which HTTP traffic flows. Port 443, which permits secure transactions via Secure Sockets Layer-encrypted HTTP, also often remains open.

Attackers can use those open ports to attack applications, because the "firewall is going to pass everything as legitimate," said Jeff Oliveto, senior manager of engineering at iGov.

Web application firewalls reside between the conventional firewall and the Web application. They sit directly in the data path to snuff out attacks. While network firewalls look at packets on the wire, Web application firewalls stop Web traffic and allow content inspection, Stern said.

When Pacific Northwest National Laboratory (PNNL) installed a Web application firewall, the results were nearly instantaneous. The firewall blocked an attack four minutes after the lab deployed a test Web site, said Mark Hadley, a research scientist at PNNL and a member of the lab's cybersecurity group.

The lab uses NetContinuum's NC-1000G firewall, which has been in production for more than a year.

Most Web application firewalls follow a positive security model, which means that they rely on a definition of acceptable user behavior. The firewalls block user input that fall outside the model.

Firewalls use different techniques to create security policies for Web applications. Oliveto said Imperva's application firewall product is an example of a self-learning, behavior-based firewall. Because firewalls may be onerous to configure, a self-learning product is particularly useful in Web application environments subject to frequent changes, he added.

Web application firewalls may be used in conjunction with vulnerability-assessment tools. Once a tool discovers a security hole, the firewall provides protection until an application patch can be deployed.

"Most often, the customers ...aren't able to apply the patch immediately," said Pete Abrams, vice president of marketing at NetContinuum. Depending on the operational situation in the data center, the lag may last for months, he added.

Products in the Web application firewall space include F5 Network's TrafficShield, Imperva's SecureSphere, Kavado's InterDo, NetContinuum's NC-1000, Teros' 100/200 and FireLine, and Watchfire's AppShield.

Teros' Walters said the government market penetration of Web application firewalls trails vulnerability scanners' progress by about one year. "But I don't think either has widely penetrated yet," he said.

How do I protect Web services?

Web application security products mostly concern themselves with browser-based applications. Web services firewalls, however, focus on the server-to-server nature of communications based on Web services standards. Those products handle tasks such as filtering Extensible Markup Language and Simple Object Access Protocol traffic.

Some evidence suggests that Web application firewalls and Web services firewalls will converge. For example, NetContinuum embeds Forum Systems' XWall Web services firewall in its NC-1000 Application Security Gateway Web Services Edition, said Wes Swenson, CEO of Forum Systems.

The Web services firewalls have made some headway in government. NetContinuum counts the Navy among its customers. DataPower, which markets the XS30 XML Security Gateway, has government users in the defense and intelligence sectors.

Eugene Kuznetsov, DataPower's chairman and chief technology officer, said government pilot projects that have commenced during the past two years now are turning into fully funded initiatives.

How much is this going to cost?

Enterprise versions of Web application vulnerability-assessment tools generally cost $15,000 to $40,000.

A Web application firewall deployment, which typically involves installing two units for redundancy, may cost $60,000 to $100,000.

As for Web services firewalls, Swenson said a customer can purchase XWall software for a simple deployment, spending about $5,000. A more typical deployment of firewall appliances costs $100,000 to $250,000.