With influencers and vendors selling on fear and multi-billion dollar loss statistics, it's not unreasonable for enterprises to believe that Internet security might always be a relative term, never absolute enough to allow the kind of business applications enterprises are counting on to reduce their costs over the next decade.
While this makes for great rhetoric and certainly fills the seats at Internet security conferences, assuming that securing web applications is a pipe dream is just plain wrong. Just as mainframe security and network security have converged on standard solutions over the last 15 years, a standard solution for protecting e-commerce applications, reliably and in real time, will be in place in the near future.
It has to happen, and soon: the number of web applications being deployed is increasing dramatically, the count of known web and software vulnerabilities is roughly doubling every year, and easy-to-use downloadable attack tools have lowered the skill required to the "point and click" level. The first products that address securing web applications in real time are beginning to reach the market. For enterprises eager to put controls in place to protect critical web applications and web sites, a detailed evaluation is certainly justified. In this article I will outline some key considerations for selecting a web application protection system.
Defining Web Application Protection
As is often the case with new technology, terminology is the first hurdle. Unlike firewalls or intrusion detection systems, the market has not yet settled on a generic term for these new web application security solutions. Among analysts and vendors the names currently in use include application protection system (APS), intrusion prevention device, web application firewall and others.
Whatever they are called, these solutions all work in basically the same way: each sits in the data path in front of the web servers and actively monitors and protects web sites or applications by ensuring that users, inside and outside the firewall, can only perform activity within boundaries predetermined for that specific application or site.
Radically different from past "scan and fix" methods of securing applications, these new solutions provide a comprehensive, proactive, real-time barrier to attacks against web sites. Because they enforce what the application is allowed to do rather than match known attack patterns, they protect against attacks that have not been seen before as well as known ones, and, when deployed properly, prevent theft of confidential data, fraudulent transactions and web site defacement. The protection is only as complete as the model of allowed behaviour, so how that model is built deserves close scrutiny.
Key Considerations for Web Application Protection
While all of these new web application protection devices provide some similar functionality, the differences at this point in the market life cycle are extensive. So, for this article I will focus on the most critical criteria for evaluating web application protection solutions. These considerations can be roughly grouped into four main categories: performance, protection, deployment, and administration. Finally we will consider the pros and cons of appliance-based solutions versus software based solutions.
Speed and Performance
Without a doubt, performance is still the single most important question for anyone considering a web application protection solution. In the very early days of this market anyone who wanted to shield their web applications had to accept significant latency and minimal throughput while every request was parsed and approved. Even today the performance difference between products on the market is often a factor of two or three, depending on the parsing technology embedded in the product. Just as important, the product should scale along two vectors: first, protect the maximum number of servers per device; second, scale up seamlessly behind load balancers into high-volume deployments.
Every vendor should be able to provide performance numbers validated by third-party testers. Since there is no standard for evaluating performance, however, the numbers alone are not comparable: ask for the test methodology (request mix, response sizes, whether response inspection and logging were enabled) and compare vendors only on like-for-like tests, or better, measure with your own traffic during the pilot.
In addition to evaluating performance numbers, it is critical to select a vendor that has a solution for high availability and hot-failover configurations, especially if you are considering protecting more than one web application from a single web application protection solution.
A Rich Protection Feature Set
The level of protection that can be expected from the different vendors in this space varies significantly. Any web application protection system should continually examine traffic to and from your web site and block requests that fall outside the application's expected behaviour, but many products come only with a predefined internal rule set, similar to the virus definitions in an anti-virus product. These can only protect applications from vulnerabilities that are already known and for which a signature exists. As an alternative, the most advanced application protection solutions are built with active learning engines that derive new rules on an ongoing basis by observing legitimate web activity and then enforce them.
Some of the specific threats that should be protected against by any web application security solution include:
- cookie tampering
- forceful browsing
- form mismatches
- HTTP header tampering
- hidden field manipulation
- buffer overflow attempts
- user session hijacking
While these threats are fairly representative of the broad spectrum of web vulnerabilities, note that the non-profit MITRE Corporation (http://cve.mitre.org/cve/), which maintains the CVE list, currently counts over 2,000 separate verified vulnerability entries, with another 1,600 candidates being evaluated for inclusion over the next year. No signature set keeps pace with that, so the ability of your web application protection system to stop attacks without relying on patterns, signatures or prior knowledge of the attack is vital; signatures for known attacks remain a useful complement, not a substitute.
In addition to examining incoming requests, an application protection system should examine the web site's responses to detect whether the site has been modified by an attacker or malicious code. It should check outgoing pages for specific words or phrases commonly used when defacing a web page, and for specific words or phrases that should always appear on the page. For example, if it spots an obscenity, or fails to find your copyright notice, it should block the page and notify a system administrator immediately.
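The response-side check described above, written out as an added example; it is not code from the original article or from any vendor's product. The policy (required phrases, forbidden patterns), the sample pages and the decision to inspect only successful HTML responses are all assumptions made for the illustration.

```python
import html
import re

# Constructed policy for the example: phrases every page must carry and
# patterns that should never appear in a served page.
REQUIRED_PHRASES = ["Copyright 2002 Example Corp", "All rights reserved"]
FORBIDDEN_PATTERNS = [r"\bhacked by\b", r"\bowned by\b", r"\bdefaced\b"]


def normalize(body: str) -> str:
    """Strip tags, decode entities, collapse whitespace and lower-case, so that
    cosmetic changes (extra markup, case, line breaks, &nbsp;) cannot hide a
    modification from the phrase checks."""
    text = re.sub(r"<[^>]+>", " ", body)
    text = html.unescape(text)
    return re.sub(r"\s+", " ", text).strip().lower()


def inspect_response(status, content_type, body,
                     required=REQUIRED_PHRASES, forbidden=FORBIDDEN_PATTERNS):
    """Return (allow, reasons). Only successful HTML responses are inspected;
    redirects, error pages and non-HTML bodies (images, JSON) pass through.
    A non-empty reasons list is what would be raised to the administrator."""
    if status != 200 or not content_type.lower().startswith("text/html"):
        return True, []
    text = normalize(body)
    reasons = []
    for phrase in required:
        if phrase.lower() not in text:
            reasons.append(f"missing required phrase: {phrase!r}")
    for pattern in forbidden:
        match = re.search(pattern, text)
        if match:
            reasons.append(f"forbidden content: {match.group(0)!r}")
    return not reasons, reasons


# Constructed sample pages: one intact, one defaced.
GOOD_PAGE = """<html><body><h1>Welcome</h1>
<p>Copyright 2002 Example&nbsp;Corp. All rights reserved.</p></body></html>"""
DEFACED_PAGE = "<html><body><h1>HACKED BY nobody</h1><p>we own this box</p></body></html>"


if __name__ == "__main__":
    for label, page in (("good", GOOD_PAGE), ("defaced", DEFACED_PAGE)):
        allow, reasons = inspect_response(200, "text/html; charset=utf-8", page)
        print(label, "->", "allow" if allow else "block", reasons)
```

Phrase checks of this kind catch crude defacements but not an attacker who keeps the copyright notice in place; for pages that are static, comparing a hash of the served body against a known-good hash is a stronger test, and the two can be run together.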
Rapid Deployment
Deploying an application protection system varies significantly depending on whether the product is distributed as an appliance or as server-side code. With server-side solutions, each web server needs its own installation of the software, which must be customized and managed. A solution distributed as a security appliance should require little, if any, customization and should be deployable in a much shorter time frame. In addition, the stronger the learning engine embedded in the solution, the less time deployment should take.
A typical deployment or pilot life cycle should begin with the actual hardware or software installation and some minor configuration, all of which should require no more than a few hours. Following that is a two to three day learning period during which the product is placed into observation mode and suggests rules based on site activity. An administrator should then spend a few hours evaluating the suggested rules and determine which should be implemented; following that the solution can be placed into blocking mode and it should begin blocking unacceptable activity immediately.
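The observe-then-block life cycle just described, together with several items from the threat list above (forceful browsing, form mismatches, hidden field and parameter manipulation, oversized values that suggest buffer overflow attempts, and cookie tampering), as one added example. This is not code from the original article or from any vendor's product: the profile format, the two-times length margin with a 16-byte floor, the HMAC cookie sealing and the sample traffic are all assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit


@dataclass
class PathProfile:
    """What observation mode learned about one URL path."""
    methods: set = field(default_factory=set)
    params: dict = field(default_factory=dict)   # parameter name -> longest value seen


class ProtectionEngine:
    """Hypothetical learn-then-enforce engine (an assumption of this example)."""
    LEN_MARGIN = 2      # tolerate values up to 2x the longest learned, floor of 16 bytes

    def __init__(self, cookie_key: bytes):
        self.mode = "observe"           # "observe" suggests rules, "block" enforces them
        self.profile = {}               # path -> PathProfile
        self.cookie_key = cookie_key

    @staticmethod
    def _parse(method, url, body):
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        if method == "POST" and body:
            params += parse_qsl(body, keep_blank_values=True)
        return parts.path, params

    def observe(self, method, url, body=""):
        """Observation mode: extend the profile with what legitimate traffic does."""
        path, params = self._parse(method, url, body)
        prof = self.profile.setdefault(path, PathProfile())
        prof.methods.add(method)
        for name, value in params:
            prof.params[name] = max(prof.params.get(name, 0), len(value))

    def check(self, method, url, body=""):
        """Blocking mode: return the list of violations (empty list means allow)."""
        path, params = self._parse(method, url, body)
        prof = self.profile.get(path)
        if prof is None:
            return [f"forceful browsing: {path} was never observed"]
        violations = []
        if method not in prof.methods:
            violations.append(f"method {method} never observed for {path}")
        for name, value in params:
            if name not in prof.params:
                violations.append(f"form mismatch: unexpected parameter {name!r} on {path}")
                continue
            allowed = max(self.LEN_MARGIN * prof.params[name], 16)
            if len(value) > allowed:
                violations.append(f"oversized value for {name!r}: {len(value)} > {allowed} bytes")
        return violations

    def handle(self, method, url, body=""):
        """Dispatch on the current mode; a pilot starts in observe and is switched to block."""
        if self.mode == "observe":
            self.observe(method, url, body)
            return []
        return self.check(method, url, body)

    # Cookie integrity: the device signs cookie values on the way out and
    # verifies them on the way back, so a client cannot edit them unnoticed.
    def _tag(self, name, value):
        return hmac.new(self.cookie_key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()[:32]

    def seal_cookie(self, name, value):
        return f"{value}.{self._tag(name, value)}"

    def unseal_cookie(self, name, sealed):
        """Return the original value, or None if the tag is missing or does not verify."""
        value, sep, tag = sealed.rpartition(".")
        if not sep or not hmac.compare_digest(tag.encode(), self._tag(name, value).encode()):
            return None
        return value


# Constructed pilot traffic standing in for the two-to-three day learning period.
LEARNED_TRAFFIC = [
    ("GET", "/login", ""),
    ("POST", "/login", "user=alice&pass=correct+horse"),
    ("GET", "/account?id=42", ""),
    ("POST", "/account/update", "id=42&email=alice%40example.test"),
]


def build_pilot_engine():
    # The key is a constructed demo value; a real one is random and kept off the web servers.
    engine = ProtectionEngine(cookie_key=b"constructed-demo-key")
    for method, url, body in LEARNED_TRAFFIC:
        engine.handle(method, url, body)
    engine.mode = "block"   # administrator has reviewed the suggested rules
    return engine


if __name__ == "__main__":
    eng = build_pilot_engine()
    for req in [("GET", "/account?id=42", ""),
                ("GET", "/admin/users", ""),
                ("POST", "/login", "user=alice&pass=x&role=admin"),
                ("GET", "/account?id=" + "A" * 4000, "")]:
        print(req[0], req[1][:40], "->", eng.check(*req) or "allow")
```

The weak point of any learned profile is coverage: a path or parameter that legitimate users did not exercise during the observation window will be blocked once enforcement starts, which is why the administrator's review of the suggested rules, and a way to extend the profile later, matter as much as the engine itself.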
Rich But Intuitive Administration
From an administrative perspective the key considerations for evaluating an application protection system should be the number and depth of reports that can be generated by the device, the ease of use of the interface, and whether a single interface can be used to manage multiple application protection devices.
One additional administrative consideration is how easy the product is to remove or deactivate if for some reason it fails or crashes. Any solution should be able to be placed in bypass mode from the user interface. Be aware that bypass is fail-open: traffic keeps flowing but unprotected, so decide in advance whether a device failure should fail open (favouring availability) or fail closed (favouring security), and make sure either outcome raises an alarm. An advantage of appliance-based solutions is that, in a worst-case scenario, they can be physically removed from the network quickly.
Security Appliance vs. Server-side Software
One final thing to consider when looking at application protection systems is whether an appliance based solution or a solution that includes server-side software is appropriate for your company. Each approach has its pros and cons, and should be evaluated based on your specific needs.
Solutions that incorporate server-side software must be installed on each web server, and each installation must be configured separately. Deployment is therefore more time consuming and potentially less secure, because the chance of human error grows with the number of installations. Companies with only a few web servers can save on hardware costs by implementing server-side software, but performance will suffer, since inspection competes with the application for the server's own resources. In addition, if the software crashes, it can take the web server down with it. Because of these time and cost disadvantages, server-side software is probably best suited to small businesses or single-site deployments.
Appliance-based solutions are quick to deploy and offer performance and management benefits. For enterprise and departmental use an appliance will probably provide the greatest ROI. From a security perspective, a single appliance can protect multiple web servers once it has been configured. Appliances do add another component in the data path, but because the hardware is separate, a failure does not take down the web server, and traffic can be rerouted around it quickly.
With more than 70 percent of information security breaches coming through web sites and web applications, according to research firm Gartner, there is no question that finding a solution to secure web applications must be high on any security manager's agenda. With the steady increase in the performance and protection provided by web application protection systems, they should be under consideration at any security conscious organization.
Abishek Chauhan is CTO and co-founder, Stratum8 Networks (www.stratum8.com).