This article can also be found in the Premium Editorial Download "Information Security magazine: The power of SIMs for visibility and compliance."
Download it now to read this article plus other related content.
HTTP is rapidly becoming the default transport for any and all business logic. With the advent of Web services and service-oriented architecture, XML has become the glue that holds disparate applications and data types together. Web portals, content management systems, and even corporate blogs and wikis are becoming preferred communication channels.
But defending Web applications is an uphill battle. Traditional network security defenses have concentrated on the first four OSI layers, but, by definition, most Web app exploits are valid HTTP traffic, passed through proxies and firewalls.
What to do? You can certainly buy a commercial Web app firewall product, but perhaps you can't (or won't) add another yearly license renewal to your budget. The alternative is building a Web app firewall using freely available open-source tools to parse, rewrite and filter HTTP traffic to defend against application attacks. You won't get all the functionality of a commercial solution (See "Open-Source vs. Commercial Web Application Firewalls," at right). But, you'll add a much needed layer of protection in front of Internet-facing Web services and apps.
This was first published in September 2006