LinuxInsider.com

The Webification of App Security

As more e-commerce operations run increasingly complex Web applications on their sites, security becomes a trickier problem to tackle. Reliance on the browser and the variety of frameworks in use muddle the situation further. Two companies -- Zeus Technology and European firm Art of Defence -- are partnering to try a two-pronged approach to Web app security.


Web applications are growing in popularity, and with this increasing ubiquity of Web apps, security is more than ever becoming the No. 1 challenge for enterprises. Traditional network component vendors are under pressure to solve security challenges. However, developing this capability on their own is complex, expensive and requires new skills.

Enter the cooperative spirit. Zeus Technology, a load balancing solutions provider, has partnered with Web security firm Art of Defence to supply Web application security technology through an OEM deal.

"A wide range of Web apps exist for the payment card industry and e-commerce," David Day, CTO for Zeus Technology, told the E-Commerce Times. "These organizations are under increasing pressure to meet regulations for security."

Day's company provides software that enables organizations to visualize and manipulate the flow of traffic to their Web-enabled applications. Art of Defence's flagship solution, Hyperguard, is a scalable distributed Web application firewall (dWAF) that defends against Web app attacks and can be deployed as multiple instances.

In May, Art of Defence signed a partnership deal with Zeus that furthered its plan to partner with Web infrastructure component, network security and cloud application providers serving the U.S. market.

Web of Need

Improved Web application security, in the eyes of Zeus Technology CEO Paul Brennan, is critical for online services. The combination of products covered by this partnership provides a way for companies to customize their infrastructure security and thus protect against malicious attacks deployed on any physical, virtual or cloud platform.

Of particular concern is compliance with PCI DSS. Online payment systems have become expected services in most industries, according to Georg Hess, founder and CEO of Art of Defence. The demand for cloud computing is growing beyond a simple fallback for overloaded existing infrastructure. It is pushing Web applications out of the classical enterprise network perimeter.

"The need is to meet the challenge of authentication. Firewalls are no longer doing a good job. E-commerce businesses make it easier for hackers to get into software code," Hess told the E-Commerce Times.

Browser Brute

One of the major differences in preparing for better security with Web apps, as opposed to locally installed software, is the total reliance on the Web browser, which is now a common business tool, noted Hess.

"We've seen in the last three or four years the growth of vulnerabilities. Applications need to open port 80, so we need e-commerce protection. Firewalls can only handle pattern matching. They lack an understanding for things beyond virus recognition," Hess said.

The early functionality of firewalls was essential to security. Clearly, they were a good first step. However, firewalls are limited to pattern matching, and the industry needs more than that for top security today, he explained.

Threat Frameworks

Obstacles to Web app security include complexity and expense. Five to 10 different frameworks are in use, and each solution targets a different area, according to Hess.

"Companies customize their solution. Security is not about opening or closing ports or identifying channels. It becomes very different for each banking system, for instance," he said.

That level of security did not exist 10 years ago. Neither did the added security risk associated with today's external partners.

"Now all that is changed. The code has become public," said Hess.

Securing the Clouds

Traditional firewall approaches do not work with today's cloud and Web app technology. Rather than dumping volumes of data into the cloud, organizations should use it only for overflow storage, suggested Zeus Technology's Day.

"This is the cornerstone of cloud security," he said. "I'm seeing an increasing level of interest for an appliance layer solution. We set out looking for a vendor solution to work with ours," he added in explaining what led to the partnership on security.

Day wants to see the typical security solution include additional hardware-based firewalls. Combined with complementary proactive security measures, that is a vital component, he said.

"Security added by workers makes another protective fence. This makes it harder for attackers. And so does penetration testing," Day said.

Lots of Layers

A good approach to securing Web applications is strong defense in depth, Hess noted. Protection that relies on a single layer of security is not good enough.

"This is one difference in how Software as a Service (SaaS) and ISPs (Internet service providers) approach security," Hess said. "Webification of security is needed for baseline security coverage," he added.

Software auditing is not always enforced -- it's too expensive for many users. For the online services world, it becomes a pricing issue.

Fancy Smancy

Both Hess and Day are convinced that in today's world of Web app security, too many providers are trying to do too much in terms of interface features and functionality. Often, the development of these complex Web apps actually weakens security, because the time spent building features comes out of the time available for testing.

"The industry does have to go beyond what we have now. We don't always need fancy. But whatever is used needs to be reliable and effective," said Hess.

Day sees many service providers who regard security as a key delivery issue. They use layers of security. Still, security is not equally effective in all delivery environments.

"You will find different levels of security for networks, cloud and hosted environments," said Day.

Gaming 101

Will Web-based applications ever be truly secure? Hess thinks not, and Day does not dispute that view.

"The industry will never get rid of the cat and mouse game regarding security. The industry needs faster fixes," said Hess.


More by Jack M. Germain