|Anurag Agarwal, CISSP, senior application security consultant|
RSA Expo is over, and it was good to see a lot of Web application security products being showcased there. The awareness about Web application security is increasing, and a lot of companies are coming out with new products to protect Web applications. Such products include network and Web application firewalls, identity management, auditing tools, Web application security tools and encryption tools. If there's a way your company can be hacked, there was a product to protect it.
Let's talk about Web application security products for a minute. Between the different products for different problems, I think the message has gotten lost. Really -- I mean, if you are a customer looking for a solution and do not understand the Web application security space, you will come out more confused then you were when you went in. Everyone will try to sell you their product and will give you hundreds of reason why their product is better then their competitor's. Some companies had a suite of products, whereas some didn't. Between the myriad of various products, the poor customer wishes if there is an easy solution to his Web application security issues.
Here's a typical experience for someone looking for Web application security solutions:
Customer -- I'm looking for a solution to protect our Web application.
Vendor -- We have a vulnerability assessment tool that can scan your Web application and identify vulnerabilities in your application.
Customer -- Will it integrate with my bug tracking system?
Vendor -- There is a QA version that can integrate with major bug tracking systems.
Customer -- Do we need to train our developers?
Vendor -- We have a tool that integrates with major IDEs to prevent developers from making coding mistakes.
Customer -- What about reporting?
Vendor -- There is an enterprise/reporting module that consolidates all the data and provides Web-based reporting for your auditors and management.
Customer -- But what about the existing code base?
Vendor -- There is a tool to do a source code audit to detect potential security vulnerabilities in the code.
Customer -- What about support?
Vendor -- We charge xx% for annual maintenance contract where we provide support and updates.
Customer -- Is that all I need?
Vendor -- Well, you may need a Web application firewall. After all that's the first line of defense.
And the customer gets sucked into purchasing a database monitoring tool, a log monitoring tool, auditing tools, and so on.
After spending hundreds of thousands of dollars, the customer is still wondering what to do with the tools he just bought. Do they solve the problem? No. Why? These products are a part of the solution and not the complete solution. You need skilled Web application security professionals to operate them. And since the technology is quickly changing and new exploits are identified every day, you need someone to monitor various mailing lists, Web sites, etc. to stay on top of the latest vulnerabilities and exploits. Sure, the products get updated, but the turnaround time is a lot longer than you can afford to leave your Web sites vulnerable.
Don't get me wrong. I'm not against products. They do serve a purpose, but there are tradeoffs in choosing a product over a solution. Since solutions are integrated, they're a lot easier to use. They also cost you less because you are not hiring a skilled Web application security professional (which itself would cost you more then the products). Outsourcing your Web application security issues to an external company to provide total solutions is easier and less expensive. You don't have to worry about retaining skilled employees, staying on top of new exploits and security updates, understanding the field, assessing various products, or training employees.
In my perfect world, I would like to hire a company that can do the following:
- Conduct vulnerability assessments
- Integrate with my bug tracking system
- Recommend remediation/mitigation strategies for vulnerabilities identified
- Stay current with the latest exploits and alert me if my Web application is vulnerable to those exploits
- Suggest Web application firewall solutions and create rules for them
- Provide reporting solutions for the auditors or management
- Recommend a product for in house development and provide training
In short, I would rather go with one company that can provide total solutions rather than buying various off-the-shelf products from several companies. It's worth it.
About the author: Anurag Agarwal, CISSP, is a senior application security consultant providing expertise on secure development lifecycle and vulnerability assessment. He also manages attacklabs.com and myappsecurity.com.
Reader Feedback: Share your comments on this article