Greg Young

A member of the Gartner Blog Network


Onsite at MES: Web Security

September 16th, 2008 · 2 Comments

This morning at the Midsize Enterprise Summit (MES) I met with the Gartner analyst who is the research area lead for the Gartner Small and Midsize Businesses (SMB) vertical, Jim Browning. We discussed the low success rate of enterprise IT vendors who try to move down-horizontal, and how few “get” SMB IT. I always learn a lot from him, so I encourage you to contact Jim or his colleagues if you want a cross-horizontal view of what issues the SMBs face, including information about the vendors and the channel dynamics.

During my advisory sessions with midsize CIOs today the topic of Web Security came up frequently. Aside from the increased interest due to PCI requirements, web applications are the flavor-du-jour for attackers and companies are struggling with how to protect themselves. Web applications are right now the weakest link, since off-the-shelf products have the backing of vulnerability management techniques such as vulnerability scanning and/or the shielding of an IPS. But when it comes to your own web applications, your bad coding practice chickens are coming home to roost and are dropping SQL-injected eggs, and you are on your own.

You have really only two choices – check your applications before deployment using a code scanner, or shield them post-deployment using a web application firewall. I have a recent research note on the web application firewall products, which provides an overview of the major web application firewall vendors I have been tracking, as well as explanations of some of the complex and confusing deployment and technical issues (including the six operating modes such as reverse proxy, out-of-band, etc.).
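To make the "bad coding practice" concrete, here is an added example (not code from the post or from Gartner) in Python with SQLite: the string-built query that produces the SQL-injected eggs, its parameterized counterpart, and a minimal AST-based check of the kind a pre-deployment code scanner performs. The table layout, sample rows, and the `SAMPLE_SOURCE` snippet being scanned are constructed for this illustration; the scanner is deliberately surface-level, flagging only the concatenation pattern rather than tracing where the data came from.

```python
"""Added example, not code from the post or from Gartner: the string-built
SQL query the post alludes to beside its parameterized form, and a minimal
AST check of the kind a pre-deployment code scanner runs. Table layout,
rows and the SAMPLE_SOURCE snippet are constructed for this illustration."""
import ast
import sqlite3

SQL_VERBS = ("SELECT ", "INSERT ", "UPDATE ", "DELETE ")


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"),
         ("o'brien", "obrien@example.invalid")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the value is spliced into the SQL text, so the
    input can alter the statement's structure instead of only its data."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the driver passes the value separately from the SQL
    text, so it is always treated as data, quotes included."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def concat_query_fails(conn: sqlite3.Connection, name: str) -> bool:
    """True if the string-built query cannot even be parsed for this input;
    a name with an apostrophe is enough to show the structure is exposed."""
    try:
        lookup_concat(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def _contains_sql_literal(node: ast.AST) -> bool:
    """Does any string constant under this node look like a SQL statement?"""
    return any(
        isinstance(n, ast.Constant) and isinstance(n.value, str)
        and n.value.lstrip().upper().startswith(SQL_VERBS)
        for n in ast.walk(node)
    )


def find_concatenated_sql(source: str) -> list:
    """Surface-level static check: line numbers where a SQL-looking string
    is assembled with +, % or an f-string. Like the post's code scanners it
    flags the pattern only; it does not know whether the pieces are trusted."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        dynamic = (
            isinstance(node, ast.JoinedStr)
            or (isinstance(node, ast.BinOp)
                and isinstance(node.op, (ast.Add, ast.Mod)))
        )
        if dynamic and _contains_sql_literal(node):
            hits.add(node.lineno)
    return sorted(hits)


# Constructed snippet to scan; lines 2 and 6 build SQL dynamically.
SAMPLE_SOURCE = '''\
def bad(conn, name):
    q = "SELECT email FROM users WHERE name = '" + name + "'"
    return conn.execute(q)

def also_bad(conn, name):
    return conn.execute(f"SELECT email FROM users WHERE name = '{name}'")

def good(conn, name):
    return conn.execute("SELECT email FROM users WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    db = make_db()
    print("parameterized:", lookup_param(db, "o'brien"))
    print("string-built breaks on apostrophe:", concat_query_fails(db, "o'brien"))
    print("scanner flags lines:", find_concatenated_sql(SAMPLE_SOURCE))
```

The apostrophe case is the point: a perfectly ordinary surname is enough to change the shape of the string-built statement, which is exactly the property an attacker relies on, while the parameterized lookup returns the row unchanged. The AST check finds the two concatenated statements in the sample and ignores the parameterized one, but it would equally ignore a query assembled two functions away, which is the gap between a scanner's "surface level" finding and secure development practice.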



Tags: Security · Security Events

2 responses so far

  • 1 Naithan // Mar 27, 2009 at 5:08 pm

    Greg,

    I love your blog but I have a very very quick comment. Code scanning tools are very very ineffective at providing a picture of true “acceptable risk” at the application layer. As we have seen numerous times, some of the most egregious injection, session theft, and parameter hacks have come at the expense of AD teams that coddled themselves with a false sense of security that a code scanner told them all they need to know. In fact scanners are a jumping off point for surface level issues.

    As web hacking becomes the prominent form of bypassing enterprise DMZs to get to the goodies, the logic used in the application development process is oftentimes not able to be detected as a flaw or vulnerability by a mere scanner. What has to happen is that early in the SDLC practices have to be implemented.

    The wrong culture in AD says that, “oh we have an app going live in two weeks, is it secure? I dunno, I guess we should run a scan and patch”. Then version two of that app comes out six months later and guess what? The same vulnerabilities are back. Why is that? Because developers by and large don’t view application security as a part of SDLC, it’s just something we have to do that slows us down.

    The same applies for web app firewalls. Great tools, but they simply cannot replace secure development practices as a part of the SDLC from beginning to end. Web apps should be assessed with sound methodologies (I am biased on this obviously but I believe it) and practices should be honed away from poor logic, unnecessary information, black lists, and “patch and go” approaches etc.

    again, my humble opinion

  • 2 Greg Young // Apr 4, 2009 at 1:15 pm

    I couldn’t agree more – avoiding vulnerabilities in the first place avoids all these band-aids.
