This past year was a fascinating year for the application security industry. The hacker community continued to devise new and more sophisticated ways to compromise end-user applications, and security managers continued to struggle with strategies that might prove successful in warding off these application attacks. The ever-present zero-day attack moved aggressively to the forefront of application security concerns as hackers targeted previously unreported vulnerabilities in popular applications such as Microsoft Word, Internet Explorer and Mozilla's Firefox.
At the same time, vendors of those products scrambled to patch these vulnerabilities before the applications, and consequently the systems running them, were compromised. Atop it all, Microsoft's Vista, due for release in January 2007, loomed like a shadow over the IT industry, poised to usher in a whole new host of security issues, for good or ill.
But now that security managers have successfully survived 2006, it's time to look towards 2007 and determine the key trends that will demand application security managers' attention in the coming 12 months. The coming year will bring, among other things, the aforementioned introduction of MS Vista and a continuing increase in sophistication among the hacker community (and, as a result, more sophisticated attacks). And, as usual, we will see a wave of security products and services from leading vendors, most of them touting complete, impenetrable security for all application networks.
This leads us to the first trend the application security market will see in 2007: the continued consolidation of vendors providing security technologies that promise to protect against application-level attacks. As evidenced by Juniper Networks' recent partnership with Symantec (which some have speculated may lead to a merger down the line) and IBM's purchase of Internet Security Systems, technology vendors are clearly pursuing a best-of-breed approach to more advanced security problems, combining efforts to round out their respective security solutions. This consolidation points to the need for application providers, network providers and security providers to join forces and design application networks with complete protection and application understanding in mind.
The next trend that application security managers should plan for in the coming year is probably the most critical, as well as the most obvious: the hacker community will continue to launch attacks that directly target applications, rather than the network and/or services running them. Certainly, hackers will continue to attack the network infrastructure – this is a given – and to exploit well-known flaws in network hardware from established vendors. But beyond this, hackers will continue to construct increasingly intelligent bots that attempt to manipulate applications by behaving like a legitimate user. This year will see applications, and the services needed to sustain them, grow more and more complex, and attacks against these applications will become correspondingly smarter, deadlier and more difficult to detect.
The app sec manager's challenge
The challenge then for the application security manager is to learn these applications inside and out -- to the point where state management is second nature and any suspicious activity pertaining to the application can be identified quickly, without compromising the application itself. This has been, and will remain, a difficult but necessary problem, as organizations often have hundreds of applications of increasing complexity running on the network, often simultaneously. As such, tools will need this same level of application understanding, and they will need to detect suspicious activity on the fly as attacks adapt to evade security controls.
There are two ways in which this can be done. The first is the deterministic approach: the manual identification of suspicious activity through close monitoring of application traffic on the network and reporting of any anomalies. The second will finally see a real emergence in 2007 as more companies realize the counterproductivity inherent in the deterministic approach, owing to the high cost in man-hours and the enormous amount of time spent sifting through false positives. That is why 2007 will be the year when behavioral analysis emerges as the weapon of choice for security managers in the fight against application attacks.
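To make the contrast between the two approaches concrete, here is an added example (not code from the original column, and not a description of any vendor's product) that runs a deterministic signature rule and a simple behavioral profile over the same constructed web-access log. The log lines, the client addresses, the application's expected page flow (login, catalog, cart, checkout) and the 3x-median rate threshold are all assumptions made for the illustration. The signature rule catches the one request carrying a known-bad string but says nothing about the client that sends five well-formed checkout requests in five seconds; the behavioral profile flags that client because its session breaks the application's state flow and its request rate is far above the population baseline.

```python
"""Deterministic signature matching versus per-client behavioral profiling.

Both detectors run over the same constructed log so their blind spots can be
compared directly.  Log format (constructed for this example, not real data):
    "<seconds> <client> <method> <path>"
"""
import re
import statistics
from collections import defaultdict

# Constructed sample traffic.  10.0.0.3 sends an obvious injection string;
# 10.0.0.9 sends only well-formed requests but hammers /checkout out of order.
SAMPLE_LOG = """\
0 10.0.0.1 GET /login
3 10.0.0.1 GET /catalog
9 10.0.0.1 POST /cart/add
20 10.0.0.1 POST /checkout
0 10.0.0.2 GET /login
5 10.0.0.2 GET /catalog
11 10.0.0.2 GET /catalog
18 10.0.0.2 POST /cart/add
30 10.0.0.2 POST /checkout
0 10.0.0.3 GET /login
4 10.0.0.3 GET /catalog?id=1' OR '1'='1
1 10.0.0.9 POST /checkout
2 10.0.0.9 POST /checkout
3 10.0.0.9 POST /checkout
4 10.0.0.9 POST /checkout
5 10.0.0.9 POST /checkout
"""

# Known-bad patterns for the deterministic check (a small illustrative set).
SIGNATURES = [re.compile(p, re.I) for p in (r"'\s*or\s*'", r"\.\./", r"<script")]

# Assumed legitimate page flow for the application: state -> allowed next pages.
EXPECTED_FLOW = {
    None: {"/login"},
    "/login": {"/catalog"},
    "/catalog": {"/catalog", "/cart/add"},
    "/cart/add": {"/checkout", "/catalog"},
    "/checkout": {"/catalog"},
}


def parse(log):
    """Turn the raw log into (timestamp, client, method, path) tuples."""
    events = []
    for line in log.splitlines():
        ts, client, method, path = line.split(" ", 3)  # path may contain spaces
        events.append((int(ts), client, method, path))
    return events


def signature_hits(log):
    """Deterministic check: clients that sent a request matching a known-bad pattern."""
    return sorted({client for _, client, _, path in parse(log)
                   if any(sig.search(path) for sig in SIGNATURES)})


def client_profiles(events):
    """Per-client features: request rate (req/s) and count of out-of-flow page transitions."""
    per_client = defaultdict(list)
    for ev in events:
        per_client[ev[1]].append(ev)
    profiles = {}
    for client, evs in per_client.items():
        evs.sort()
        span = max(evs[-1][0] - evs[0][0], 1)
        rate = (len(evs) - 1) / span if len(evs) > 1 else 0.0
        prev, violations = None, 0
        for _, _, _, path in evs:
            page = path.split("?", 1)[0]          # compare pages, ignore query strings
            if page not in EXPECTED_FLOW.get(prev, set()):
                violations += 1
            prev = page
        profiles[client] = {"rate": rate, "flow_violations": violations}
    return profiles


def behavioral_outliers(log, rate_factor=3.0):
    """Behavioral check: clients whose session breaks the page flow or whose
    request rate exceeds rate_factor times the population median."""
    profiles = client_profiles(parse(log))
    baseline_rate = statistics.median(p["rate"] for p in profiles.values())
    flagged = {}
    for client, p in sorted(profiles.items()):
        reasons = []
        if p["flow_violations"] > 0:
            reasons.append("flow")
        if baseline_rate > 0 and p["rate"] > rate_factor * baseline_rate:
            reasons.append("rate")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    print("signature hits:", signature_hits(SAMPLE_LOG))        # ['10.0.0.3']
    print("behavioral outliers:", behavioral_outliers(SAMPLE_LOG))  # {'10.0.0.9': ['flow', 'rate']}
```

The point of the example is the disjoint results: each detector sees something the other misses, and the behavioral profile only works because it encodes the application's state model, which is exactly the "state management" knowledge the previous paragraph asks the application security manager to acquire.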
I've spoken about behavior-based analysis in this space previously, so there's no need to rehash the technology. But while the technology was first introduced in early 2006, 2007 will be the year when it becomes the standard in intrusion prevention. This will allow network security managers to focus their sights on the application attacks that can compromise entire application networks, rather than on those that are harmless and merely take up valuable time. Thanks to the emergence of behavioral analysis, security managers will be able to quantify the return on their investment in security technology, measured in the time saved by no longer sifting through false positives and manually assessing the danger presented by each individual application attack.
Perhaps most important, behavioral intrusion prevention technology will allow security managers to upgrade their application networks based purely on the operational needs of their applications, rather than overloading them with redundant, bandwidth-hogging devices that don't serve the applications. This should be the goal for all security managers in 2007 – providing end-users with quick access to applications, while keeping these applications as secure as possible from malicious, business-crippling attacks.
About the author: Amir Peles is chief technical officer at Radware.