Is speed the answer for patching Web applications?
Of course security managers can rush every new critical fix into production. Too often, however, they're stymied by events beyond their control, including business resistance and insufficient testing time.
While a vulnerability management program can speed patching, such an approach often encounters roadblocks, said Jim Slaby, a senior analyst at the Yankee Group, a Boston-based research firm. "For example, security and IT say, 'Look, we're going to need to take the application offline to administer a patch.' And the line-of-business people say, Absolutely not, it's end of quarter, my sales people need access' -- that sort of thing."
The need to surmount this problem, he says, "is driving interest in application gateways." Available from such vendors as Kavado, Imperva and Teros, these sit between the application and the rest of the network, and mimic patches to prevent exploits, dropping suspect packets before they reach the application. While a temporary solution, this approach "allows IT and security to head off the most pressing threats in a way that isn't disruptive," Slaby said.
To block attacks, the gateway learns typical Web application behavior. Then "we enforce correct application behavior; all application actions falling outside the correctness model are blocked," said Greg Smith, senior director of product marketing for Teros in Santa Clara, Calif. This signature-free approach also protects against previously unknown, zero-day vulnerabilities.
In short, organizations get virtual patches. "This gives them the time to do it the right way, as opposed to the crash way, where you're implementing patches and hoping like hell it doesn't break something," said Jon Greene, vice president of marketing at Kavado, in Stamford, Conn.
That need for breathing room -- and a way to convince customers its Microsoft servers were secure -- drove Baker Hill, a financial services industry software vendor and application service provider, to adopt the technology. "It's a huge burden on our QA group to have to do service-pack or hot-fix testing, especially when you take a month like October when you had 10 [Microsoft] patches, seven of which were deemed critical. And it's not like you can just go into a test environment and apply all seven at once, because if something goes wrong, which one of those seven was at fault?" said Eric Beasley, Baker Hill's senior network administrator. Today, using Web application gateways as cover, Baker Hill typically only patches quarterly, as part of its normal development and testing cycle.
Application gateway vendors are also expanding their appliances to cover Web services. "A lot of the same vulnerabilities that are part of normal SSL Web-based applications are there for your Web services as well," Beasley said. With his company moving toward increased Web services use, Beasley plans to put the updated technology into production soon.