Web applications are growing in popularity, and with this increasing ubiquity of Web apps, security is more than ever becoming the No. 1 challenge for enterprises. Traditional network component vendors are under pressure to solve security challenges. However, developing this capability on their own is complex, expensive and requires new skills.
“A wide range of Web apps exist for the payment card industry and e-commerce,” David Day, CTO for Zeus Technology, told the E-Commerce Times. “These organizations are under increasing pressure to meet regulations for security.”
Day’s company provides software that enables organizations to visualize and manipulate the flow of traffic to their Web-enabled applications. Web security firm Art of Defence’s flagship solution, Hyperguard, is a scalable distributed Web application firewall (dWAF) that defends against Web app attacks. It has the capability of being deployed in multiple instances.
In May, Art of Defence signed a partnership deal with Zeus that furthered its plan to partner with Web infrastructure component, network security and cloud application providers serving the U.S. market.
Web of Need
Improved Web application security, in the eyes of Zeus Technology CEO Paul Brennan, is critical for online services. The combination of products covered by this partnership provides a way for companies to customize their infrastructure security and thus protect against malicious attacks deployed on any physical, virtual or cloud platform.
Of particular concern is compliance for PCI DSS. Online payment systems have become expected services in most industries, according to Georg Hess, founder and CEO of Art of Defence. The demand for cloud computing is growing beyond a simple fallback for overloaded existing infrastructure. It is pushing Web applications out of the classical enterprise network perimeter.
“The need is to meet the challenge of authentication. Firewalls are no longer doing a good job. E-commerce businesses make it easier for hackers to get into software code,” Hess told the E-Commerce Times.
One of the major differences in prepping for better security with Web apps over locally installed software is the total reliance on the Web browser, noted Hess. It is now a common business tool.
“We’ve seen in the last three or four years the growth of vulnerabilities. Applications need to open port 80, so we need e-commerce protection. Firewalls can only handle pattern matching. They lack an understanding for things beyond virus recognition,” Hess said.
The early functionality of firewalls was essential to security. Clearly, they were a good first step. However, firewalls are limited to pattern matching, and the industry needs more than that for top security today, he explained.
Obstacles to Web app security include complexity and expense. Five to 10 different frameworks are in use, and each different solution targets some individual focus, according to Hess.
“Companies customize their solution. Security is not about opening or closing ports or identifying channels. It becomes very different for each banking system, for instance,” he said.
That level of security did not exist 10 years ago. Neither did the added security risk associated with today’s external partners.
“Now all that is changed. The code has become public,” said Hess.
Securing the Clouds
Traditional firewall approaches do not work with today’s cloud and Web app technology. Rather than dumping volumes of data into the clouds, they should be used just for overflow storage, suggested Zeus Technology’s Day.
“This is the cornerstone of cloud security,” he said. “I’m seeing an increasing level of interest for an appliance layer solution. We set out looking for a vendor solution to work with ours,” he added in explaining what led to the partnership on security.
Day wants to see the typical security solution providing additional hardware-based firewall solutions. That, combined with complementary proactive security factors, is a vital component, he said.
“Security added by workers makes another protective fence. This makes it harder for attackers. And so does penetration testing,” Day said.
Lots of Layers
A good approach for securing Web applications is a strong defensive depth chart, Hess noted. Protection that is based on one layer of security is not good enough.
“This is one difference in how Software as a Service (SaaS) and ISPs (Internet service providers) approach security,” Hess said. “Webification of security is needed for baseline security coverage,” he added.
Software auditing is not always enforced — it’s too expensive for many users. For the online services world, it becomes a pricing issue.
Both Hess and Day are convinced that in today’s world of Web app security, too many providers are trying to do too much in terms of interface features and functionality. Often, the development of these complex Web apps actually weakens security, because the extra development time they demand is taken out of product testing time.
“The industry does have to go beyond what we have now. We don’t always need fancy. But whatever is used needs to be reliable and effective,” said Hess.
Day sees many service providers who regard security as a key delivery issue. They use layers of security. Still, security is not equally effective in all delivery environments.
“You will find different levels of security for networks, cloud and hosted environments,” said Day.
Will Web-based applications ever be truly secure? Hess thinks not, and Day does not dispute that view.
“The industry will never get rid of the cat and mouse game regarding security. The industry needs faster fixes,” said Hess.