Published: 17 Jul 2008
Shield Your Enterprise
VA scanning works with Web app firewalls to thwart assaults.
The attacks, which have compromised hundreds of thousands of websites so far and counting, underscored the prevalence of vulnerable older sites that aren't likely to get fixed any time soon, if ever. Code review and/or a Web application firewall may satisfy PCI DSS Requirement 6.6, but that doesn't mean your applications, and the data to which they offer access, are secure.
Recent partnerships between Web application vulnerability scanning service provider WhiteHat Security and Web application firewall vendors F5 and Breach Security unite the two options by linking each discovered vulnerability to a filtering rule that mitigates it.
Developers are too busy with their day jobs, getting applications and functional modifications into production, to find, much less fix, code vulnerabilities. Some high-end Web application firewalls use dynamic learning technologies that profile traffic over time and attempt to distinguish normal requests from attacks. However, it's not clear how many of the mass, shotgun-style attacks we've been seeing they can stop, or how well they can match possible attacks against the vulnerabilities an application actually has. Nor are they easy to manage.
"Most companies are having problems with installing a Web application firewall, because they can't just drop it into the network and forget about it," says Chenxi Wang, principal analyst at Forrester Research. "There's a lot of operational overhead--that's an ongoing headache they have to deal with."
The problem, says Wang, is that even the best filtering rules are only as good as the last iteration of the application. The developers who make changes don't necessarily communicate with the people responsible for the Web application firewall. The result can be unprotected holes or neutered filtering rules.
"Website vulnerabilities take a long time to get fixed," says Jeremiah Grossman, WhiteHat CTO. "The security guy has to ask the developer, who's on a different mission. We rapidly identify vulnerabilities and push a fix to the perimeter, a virtual patch. That gives the security guy some control and some time."
When its scans uncover a vulnerability, WhiteHat sends a filtering rule written for either F5's BIG-IP Application Security Manager or Breach's ModSecurity firewalls, a "snippet of code" the security admin can paste into the firewall's policy for the affected application and test before going live. As a service, WhiteHat doesn't rely solely on automated scanning; it adds human review and analysis of the findings.
The ModSecurity partnership applies to both the commercial product and the popular open source version. The latter is used by an estimated 15,000 businesses, says Sanjay Mehta, Breach's senior vice president, sales and marketing.
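Here is what such a virtual patch looks like in ModSecurity's own rule language. This is an added example, not WhiteHat's or Breach's actual rule snippet. It assumes a hypothetical finding: SQL injection through the `id` parameter of `/product.php`, where `id` should only ever be a short decimal integer. The rule id 90001, the tag `finding/WH-EXAMPLE` and the audit log path are invented for illustration.

```apache
# Added example: a ModSecurity 2.x virtual patch for a hypothetical finding.
# Assumed finding: SQL injection via the "id" parameter of /product.php,
# where the application only ever expects a short decimal integer.
# Rule id 90001 and the tag "finding/WH-EXAMPLE" are invented for illustration.

# Step 1 (test phase): log matches without blocking anything, so the patch
# can be watched against real traffic before it is allowed to deny requests.
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log

# The virtual patch itself. A positive-security (whitelist) rule scoped to
# one URL and one parameter: the chain fires only when the request is for
# /product.php AND the id argument is not 1-10 digits. Requests that carry
# no id argument at all do not match ARGS:id and pass through untouched.
# Scoping it this tightly is what keeps a virtual patch from becoming a
# generic signature that breaks other pages or misses the actual hole.
SecRule REQUEST_FILENAME "@streq /product.php" \
    "phase:2,t:none,chain,id:90001,deny,status:403,log,auditlog,\
     msg:'Virtual patch: /product.php id must be numeric',\
     tag:'finding/WH-EXAMPLE',severity:'2'"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "t:none"

# Step 2 (go live): once the audit log shows hits only on attack traffic,
# switch the engine to enforcing mode so the deny action above takes effect.
# SecRuleEngine On
```

With the engine in DetectionOnly mode, request `/product.php?id=42` and then `/product.php?id=42'%20OR%201=1--` and confirm that only the second shows up in the audit log with rule id 90001 before changing `SecRuleEngine` to `On`. Because the rule is tied to one specific finding, it should be retired when the developers fix the code; a virtual patch left behind after the application changes is exactly the stale or neutered rule Wang describes.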
"Open source ModSecurity is widely adopted," says Forrester's Wang. "Adding this capability would really have a [more] significant impact on the market than [would] a high-end Web application firewall in a couple of hundred companies."