GOLD | IBM WebSphere DataPower XML Security Gateway XS40
They say you never get fired for buying IBM. Information Security readers are in line with that thinking when it comes to securing applications running in a service-oriented architecture or Web services applications.
They made IBM's WebSphere DataPower XML Security Gateway XS40 their top choice in the application security category.
Further validating the hype over service-oriented architecture (SOA) and the standards-based XML applications around it, readers said the XS40 appliance did better than counterparts at detecting, reporting and preventing known and unknown attacks. It also scored well in integration with other security tools for remediation and reporting, and ease of installation, configuration and administration.
IBM, in 2005, acquired DataPower and its trio of products, which also includes an XML accelerator and an integration appliance. As with any SOA or Web services product, standardization is critical. In addition to the WS-* family of standards, the DataPower appliances support a new breed, including XACML, which is a standard for uniformly expressing fine-grained authentication and authorization rules. This is key with SOA applications, whose machine-to-machine interactions must properly exchange credentials to ensure a secure transaction. XACML enables companies to move authorization rules from one enforcement point to another.
"CISOs are looking at SOA in two ways--one, if the security piece isn't done right, this is a huge liability, exposing the back end to new threats and unauthorized access," says Eugene Kuznetsov, founder of DataPower. "The other part is, if you do this right, your security and compliance improve at the same time."
The DataPower appliance acts as an XML proxy that can parse and validate XML schema, encrypt XML message flows and verify digital signatures. Enterprises can use it as an enforcement point for XML and Web services interactions, providing not only encryption, but firewall filtering and digital signatures.
Some of the country's leading banks have deployed the appliance to process mortgage applications using XML or Web services, validating messages and making calls to authentication systems. It's also present in the Department of Defense for internal security between different tiers of applications and filtering messages between classified networks and applications.
"Customers are increasingly recognizing that to make applications scalable to make the business agile, you can't have security architecture teams go into every application, audit and modify it to make sure it's secure," Kuznetsov says. "There is a trend of figuring how to move security to hardware or other tiers, abstracted out of applications."
SILVER | SPI Dynamics WebInspect
BRONZE | Citrix Application Firewall
Citrix's Application Firewall models application behavior, then applies policy against the baseline; any application straying from the baseline is treated as malicious and blocked. In earning the bronze medal, the product scored well on preventing known attacks and vulnerabilities, as well as detecting and reporting them. It also scored consistently well in support and installation, and most respondents in this category said they were satisfied with their investment ROI. Citrix touts the product's ability to learn application behavior and generate policy recommendations. Citrix says it can be deployed as a standalone firewall or in tandem with the Citrix NetScaler Application Delivery Systems.
In the trenches
Necessary integration: security and development
Application security woes must be addressed in development.
Security managers are quickly adjusting to the fact that the woes plaguing today's dynamic Web applications cannot be repaired with a regularly scheduled deployment of patches from the Pacific Northwest.
The root of these problems lies in a place of integrated development environments (IDEs) and where features and functionality take precedence over security. The cure: integrating security tools and best practices into development lifecycles.
Steve Zimmerman, a former CISO for a top 10 financial institution, recalls many a pen test and vulnerability scan on homegrown Internet-facing apps delivering disturbing--but fixable--results.
"What we found is that we had excellent programmers, but a lot of them dealt with rolling out internal applications, where there's no need for the same level of security as those facing the Net," Zimmerman says. "We were finding too many errors that should have been corrected in the development lifecycle."
Zimmerman realized it was imperative to integrate security into development, something contrary to the nature of a coder. Initially, it was a bumpy road. Projects hit hurdles that extended release dates. Quickly security became a hindrance rather than an enabler.
The trick, Zimmerman says, was to approach development teams from a partnership perspective. Rather than issue mandates about their practices, Zimmerman's teams provided guidance about current threats and tools to bring security checks to the coders' efforts.
"We try to help during the process, rather than go through it at the end and fix problems," Zimmerman says. "We're not here to tell you how to create naming conventions or variables, we're here to give advice on what we see in security on the Net. We provided them with a white paper and security solutions."
Web applications are rapidly becoming a hacker's playground--most e-commerce apps connect to databases holding customer data, making them rich targets. Programming flaws like input validation errors and buffer overflows are as old as the first coding textbooks, yet those bugs often yield hackers the greatest bounty.
Scanners have come a long way. Zimmerman, whose bank ran SPI Dynamics' WebInspect on its Web applications, says false positives have been dramatically reduced.
"When these products first hit the market, we were seeing 50 percent of returns being false positives. With the latest, we're seeing just a handful," Zimmerman says. "We were cutting pen tests down by 50 percent because we didn't have to go through as many issues as before."