Search FCW

Advanced Search
Subscribe Now!
Table of Contents
Sprint
Business
BPM
CXOs
Columns
Columnists
Defense
E-Government
Elections 2008
Enterprise Architecture
Funding
Homeland Security
Health IT
IPv6
LOB
Management
Procurement
Privacy
Policy
Program Management
State and Local
Security
Technology
Telework
Training and Certification
Workforce

More Topics
resourcecenter
Home
Letters to the Editor
Current Issue/Download
Print/Online Archives
Editorial Calendar
researchstore
resourcecenter
Communications for Continuity Operations

Oracle Resource Center
NEW! Transforming Data Center
Managed Services
Service Oriented Architecture
Training & Simulation
Networking Communications
Security Directives and Compliance
Data Center Virtualization
Air Force ELSG Contract Guide

More >>



Latest News
ADVERTISEMENT




 

FAQs: Web application security

Defending the application layer

By John Moore
Published on May 16, 2005

Comment

Click here to comment on this article

Related story links

Application protection

Seven Security Technologies To Watch

Newsletters

You might also be interested in these FCW newsletters:

Daily

To learn more, click here.

Organizations have made strides in recent years to lock down networks' perimeters. But even agencies with the tightest network defenses may find another technology layer open to attack: applications.

Web applications are an especially inviting target. A March report from Symantec, a security vendor, notes an increase in attacks against such applications. The report states that about 48 percent of the 1,403 new vulnerabilities documented between July 1 and Dec. 31, 2004, fell into the Web application category.

A relatively new class of products that focus on application security are now available, although they remain a bit of a mystery to many technology managers. What follows is a rundown of how these products work, who sells them and how much they cost.

FAQ: Why are Web applications vulnerable?

Software that works with a Web browser has become the largest application category, according to some industry executives. But customers have left the Web application door open to intruders.

"A lot of organizations realize this is an area they have ignored but must pay attention to now," said David Grant, director of product marketing at Watchfire. "As applications go online ...you have more access points into the organization."

Jeff Platon, vice president of product technology marketing and security at Cisco Systems, said organizations have done a good job on perimeter security but have "left the internal applications, users and processes pretty wide open."

Traditional firewalls, virtual private networks and intrusion-detection systems help secure networks, but they provide inadequate application security, some observers say. Problems arise when perimeter security products can't distinguish between legitimate and illegitimate requests coming through a browser.

"If, through a Web browser, I can get my account information, I can get to your account information," said Andrew Stern, director of security product marketing at F5 Networks. "Those two requests look exactly the same to a traditional security system."

What can you buy to secure Web applications?

No single product can solve the entire problem.

"Application security is not a single-button push," said John Weinschenk, president and chief executive officer of Cenzic.

"Too many people rely on a single tool," said Oscar Fuster, a vice president at iGov, an IT consulting firm that specializes in security.

upcoming event

Green Computing Summit, Ronald Reagan Building, Washington, DC
December 2 - December 3, 2008

Trusted Internet Connection and the Comprehensive National Cyber Security Initiative, The Willard Intercontinental Hotel, Washington, DC
December 4, 2008


 

head
fcw
issue
First Name State
Last Name Zip
Title Email
     

Home | About | Contact | Customer Help | Privacy Policy | Editorial Info | Advertise | Link policy / Reprints | Site Map


1105 Media, Inc.

© 1996-2008 1105 Media, Inc. All Rights Reserved.