
Protecting Web applications a paradox for security professionals

By Edward Hurley, News Writer
08 Aug 2002 | SearchSecurity


IT security used to be an issue of keeping the doors to the computer room locked. Then securing networks and systems became an issue.

The next shift in security will be preventing intrusions into Web-based applications, according to Charles Kolodgy, research manager for Internet security software at IDC. Kolodgy recently wrote a report on the subject, "Web Intrusion Protection: Defending Web Servers and Applications."

To back that contention up, IDC estimates that the market for Web intrusion prevention products will grow from $65 million last year to $690 million by 2006. These products specifically protect Web-based applications.

Web applications pose a paradoxical challenge for security. These applications are hosted on servers but are available to remote users via the Hypertext Transfer Protocol (HTTP). By definition, these applications have to be accessible. Proper security requires allowing just the right amount of openness.

Attackers, meanwhile, have a host of arrows in their quiver to attack applications. Exploiting buffer overflow vulnerabilities in applications can allow them to gain control of the system. Another is cookie poisoning, in which an attacker modifies the session cookie to obtain information from a server.
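As an added example (not from the article or from IDC), here is the kind of integrity check that defends against the cookie poisoning described above: the server signs the session cookie with an HMAC, so any client-side change to the payload fails verification and the request is treated as having no session. SECRET_KEY, the session fields and the tampering helper are constructed for the demonstration.

```python
# Added example: detect cookie poisoning by signing session cookies with HMAC-SHA256.
import base64
import hashlib
import hmac
import json

# Constructed server-side secret; a real deployment loads this from a secrets store.
SECRET_KEY = b"constructed-example-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_session_cookie(session: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize the session and append an HMAC tag: <payload>.<tag>."""
    payload = _b64(json.dumps(session, sort_keys=True).encode())
    tag = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{tag}"


def read_session_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the session dict only if the tag verifies; otherwise None (no session)."""
    try:
        payload, tag = cookie.rsplit(".", 1)
        supplied = _unb64(tag)
    except ValueError:  # malformed cookie or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak tag bytes through timing.
    if not hmac.compare_digest(expected, supplied):
        return None
    try:
        return json.loads(_unb64(payload))
    except ValueError:
        return None


def tamper_with_cookie(cookie: str, new_session: dict) -> str:
    """Constructed test input: rewrite the payload but keep the original tag."""
    _, tag = cookie.rsplit(".", 1)
    return f"{_b64(json.dumps(new_session, sort_keys=True).encode())}.{tag}"
```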

Attacks on Web applications lead to defacement of Web sites or use Web apps as a way to gain back-end access to systems, Kolodgy said. For example, an attacker could use a Web application as a way to break into the system. He could then change price information in the back-end database so he could buy a lot of goods inexpensively.

Web defacements are more a nuisance than a danger. "There is not a lot of cost associated with them per se but there is potential damage to the brand and having to take the Web site down," he said.

"The real issue is how to be out there but securely," Kolodgy said.

IDC has identified several categories of Web intrusion prevention applications including:

  • secured operating systems
  • hosted IDS
  • intrusion prevention
  • application shields
  • vulnerability assessment scanning

Many aspects of Web intrusion prevention are pretty self-explanatory. Application shields (sometimes called application firewalls) are a newer technology. Essentially, they protect Web-based applications.

Currently, no vendor offers a product that includes every facet of Web intrusion prevention, Kolodgy said. However, some are bundling a couple of aspects of it, such as application shields with vulnerability assessment.

The whole issue of Web intrusion prevention raises a question: Why aren't Web developers more security conscious in the first place? The truth is that developers are more focused on creating the functionality that customers want than on the security of the products, Kolodgy said.

Kolodgy sees some parallels between Web intrusion prevention and antivirus protection. It used to be that companies slapped antivirus at one point in the network and thought they were safe. Now, companies have antivirus at the desktop, gateway and server levels. "They realized security is much more specific," he said.
