Protecting Web applications a paradox for security professionals

IT security used to be an issue of keeping the doors to the computer room locked. Then securing networks and systems became an issue.

The next shift in security will be preventing intrusions into Web-based applications, according to Charles Kolodgy, research manager, Internet security software at IDC. Kolodgy recently wrote a report on the subject, "Web Intrusion Protection: Defending Web Servers and Applications."

To back that contention up, IDC is estimating the market for Web intrusion prevention products to expand from $65 million last year to $690 million by 2006. These products specifically protect Web-based applications.

Web applications pose a paradoxical challenge for security. These applications are hosted on servers but are available to remote users via the Hypertext Transfer Protocol (HTTP). By definition, these applications have to be accessible. Proper security requires allowing just the right amount of openness.

Attackers, meanwhile, have a host of arrows in their quiver to attack applications. Exploiting buffer overflow vulnerabilities in applications can allow them to gain control of the system. Another way is cookie poisoning, which can allow an attacker to get information from a server by modifying the session's cookie.
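The mitigation a practitioner would want next to the cookie-poisoning point, as an added example that is not from the article or from IDC: the server appends an HMAC tag to the session cookie so that any client-side edit to a session field is detected and the cookie is rejected. The secret key, the session fields and the `tampered_for_test` helper are constructed for this demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side key for this example only; a real deployment loads it from a secret store.
SECRET_KEY = b"example-key-for-demo-only"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(session: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize the session and append an HMAC-SHA256 tag over the exact bytes sent: payload.tag"""
    payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the session dict if the tag verifies; None for any tampered or malformed cookie."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # missing separator or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison of the tags
        return None
    session = json.loads(payload)
    return session if isinstance(session, dict) else None


def tampered_for_test(cookie: str, field: str, value) -> str:
    """Test helper: rewrite one field in the payload but keep the original tag.
    This is the edit an unsigned cookie would accept silently and the verifier must reject."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    session = json.loads(_unb64(payload_b64))
    session[field] = value
    payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64(payload)}.{tag_b64}"


if __name__ == "__main__":
    cookie = issue_cookie({"user": "alice", "role": "customer"})
    print(verify_cookie(cookie))                                      # {'role': 'customer', 'user': 'alice'}
    print(verify_cookie(tampered_for_test(cookie, "role", "admin")))  # None
```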

Attacks on Web applications lead to defacement of Web sites or to using Web apps as a way to gain back-end access to systems, Kolodgy said. For example, an attacker could use a Web application as a way to break into the system. He could then change price information in the back-end database so he could buy a lot of goods inexpensively.

Web defacements are more a nuisance than a danger. "There is not a lot of cost associated with them per se but there is potential damage to the brand and having to take the Web site down," he said.

"The real issue is how to be out there but securely," Kolodgy said.

IDC has identified several categories of Web intrusion prevention applications including:

Many aspects of Web intrusion prevention are pretty self-explanatory. Application shields (sometimes called application firewalls) are a newer technology. Essentially, they protect Web-based applications.

Currently, no vendor offers a product that includes every facet of Web intrusion prevention, Kolodgy said. However, some are bundling a couple of aspects of it, such as application shields with vulnerability assessment.

The whole issue of Web intrusion prevention raises a question: Why aren't Web developers more security conscious in the first place? The truth is that developers are more focused on creating the functionality customers want than on the security of the products, Kolodgy said.

Kolodgy sees some parallels between Web intrusion prevention and antivirus protection. It used to be that companies slapped antivirus at one point in the network and thought they were safe. Now, companies have antivirus at the desktop, gateway and server levels. "They realized security is much more specific," he said.

This tip originally appeared on SearchSecurity.com

This was first published in December 2005
