This article can also be found in the Premium Editorial Download "Information Security magazine: Mission critical: Securing the critical national infrastructure."
Last month's acquisition of Web security vendor Sanctum by Watchfire has all the markings of a fire sale. On paper, the deal allows Watchfire to complement its suite of Web developer tools with Sanctum's Web security solutions, creating a well-rounded Web application testing suite.
Behind the scenes, however, unconfirmed reports that Sanctum fetched less than $50 million demonstrate just how soft the Web application security market is. It also serves as a warning to other security companies and their backers.
Sanctum invented the Web app security space in the mid-'90s with its firewall, AppShield, and scanner, AppScan, foreseeing the need for better application-layer security for Web environments. But the market has been mediocre at best, even with the entrance of competitors such as Teros, Kavado and SPI Dynamics.
This isn't to say that Web app security risks aren't real. The attack techniques are well-documented: SQL injection, cookie poisoning and hidden form-field manipulation, to name a few. The Internet is littered with horror stories of data thefts, privacy breaches and other Web app compromises, and we're not just talking about the defacement of a home page.
The lesson to take away is that security products fail for any number of reasons, not just because there's no risk to guard against. These are the primary weaknesses of the Web app security market:
- Architecture and performance. Putting a security device (a Web app firewall) inline, behind a security device (a network firewall), just feels wrong to network admins, mostly because it creates a performance bottleneck. For public Web sites, this is a huge problem. (Perhaps this is something the network-based intrusion prevention vendors should think about.)
- Multiple constituencies. Responsibility for Web app security is distributed among and shared between security professionals, Web admins, e-commerce business teams, network folks and developers. Shared responsibility for security leads to gaps in coverage, finger pointing and consensus purchasing that takes forever to close. This makes the "do nothing" excuse much easier to accept.
- Alternatives. As is often the case with security, there are many ways to approach the Web app security problem. All or part of app security risks may be addressed through better coding during the development process or through the addition of protocol rules on a network firewall.
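As an added illustration (this is not code from the original column, from Sanctum or from any vendor named here), the toy sqlite3-backed shop below shows two of the attacks named earlier, SQL injection and hidden form-field manipulation, next to the "better coding" alternative from the list above: parameterized queries and server-side price lookup. The table names, SKUs, credentials and form fields are all constructed for the example.

```python
# Added example (not from the original article): two of the Web app attacks the
# column names, each beside the "fix it in the code" alternative. All data below is
# constructed for the example.
import sqlite3


def build_db():
    """In-memory shop database with a users table and a product catalog."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, price_cents INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("WIDGET", 1999), ("GADGET", 4999)])
    return conn


# --- SQL injection: string-built query vs. bound parameters ---------------------
def login_vulnerable(conn, name, password):
    # Vulnerable: untrusted input is pasted into the SQL text, so a name such as
    # "alice' --" closes the string literal and comments out the password check.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, name, password):
    # Hardened: the same query with bound parameters; the input is only ever data.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# --- Hidden form-field manipulation: trusted price vs. server-side lookup --------
def checkout_vulnerable(conn, form):
    # Vulnerable: trusts the price_cents value the browser sent back in a hidden
    # form field, which any user can edit before submitting.
    return int(form["qty"]) * int(form["price_cents"])


def checkout_hardened(conn, form):
    # Hardened: the hidden price field is ignored; price comes from the catalog,
    # keyed by SKU, and the quantity is validated.
    row = conn.execute("SELECT price_cents FROM products WHERE sku = ?",
                       (form["sku"],)).fetchone()
    if row is None:
        raise ValueError("unknown sku")
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("quantity must be positive")
    return qty * row[0]


# Constructed attacker inputs.
INJECTED_NAME = "alice' --"
TAMPERED_FORM = {"sku": "WIDGET", "qty": "3", "price_cents": "1"}  # real price is 1999


def demo():
    """Run both attacks against both handlers and return the outcomes."""
    conn = build_db()
    return {
        "login_vulnerable": login_vulnerable(conn, INJECTED_NAME, "wrong"),
        "login_hardened": login_hardened(conn, INJECTED_NAME, "wrong"),
        "checkout_vulnerable": checkout_vulnerable(conn, TAMPERED_FORM),
        "checkout_hardened": checkout_hardened(conn, TAMPERED_FORM),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The vulnerable login returns alice's row with a wrong password, and the vulnerable checkout charges three widgets at one cent each; the hardened versions return no row and 5997 cents respectively. Neither fix needs an inline appliance, which is the "better coding" alternative the column refers to; a Web app firewall in front of the vulnerable versions would be trying to recognize these payloads in transit instead.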
Given the obvious need for Web security in a world where application-layer attacks are commonplace, Sanctum's primary failure seems to be that it recognized the nature of the threats too early. Bottom line: There's still a lot of hope for Web app security products and their vendors. Let's hope the technology doesn't wither before we actually need it.
About the author: Pete Lindstrom, CISSP, is a research director at Spire Security.
This was first published in September 2004