Custom web applications are a weak link that attackers are going after. Because they are custom, they are only as secure as our own organizations’ ability to code them securely, and each application’s vulnerabilities are fairly unique even if the exploit techniques (SQL injection, cross-site scripting and the like) are not. The safeguards boil down to two approaches: removing the vulnerabilities from the code, or shielding them from attack traffic.
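As an added illustration (not code from the original post), here are the two approaches applied to a single SQL injection flaw, in Python with the standard-library sqlite3 module: the vulnerable lookup, the "removed" version that uses a bound parameter, and a "shielded" version that leaves the vulnerable code in place behind a toy negative-signature filter of the kind a web application firewall applies. The table, rows, payloads and signature list are all constructed for this example and stand in for no vendor's product or rule set.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data for the demonstration (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The self-inflicted vulnerability: untrusted input is spliced into the SQL
    text, so a quote in `name` closes the string literal and the remainder is
    parsed as SQL."""
    sql = "SELECT name, secret FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, name):
    """Removing the vulnerability: a bound parameter. The value is handed to the
    engine as data and is never parsed as SQL, whatever it contains."""
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Shielding the vulnerability: a minimal negative-signature check in front of the
# unchanged code. This hypothetical rule set is deliberately incomplete so the
# gap a signature approach leaves is visible.
SQLI_SIGNATURES = [
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),  # ' or '1'='1  /  ' or 1=1
    re.compile(r"--|;|/\*|\bunion\b", re.I),           # comments, stacking, UNION
]


def waf_allows(value):
    """True if no signature fires on the request parameter."""
    return not any(sig.search(value) for sig in SQLI_SIGNATURES)


def lookup_shielded(conn, name):
    """The vulnerable lookup behind the signature check. Returns None when the
    request is blocked, otherwise whatever the vulnerable code returns."""
    if not waf_allows(name):
        return None
    return lookup_vulnerable(conn, name)


def compare(name):
    """Run one input through all three paths. Returns the number of rows each
    path exposes as (vulnerable, shielded, fixed); shielded is None on a block."""
    conn = make_db()
    vuln = len(lookup_vulnerable(conn, name))
    shielded = lookup_shielded(conn, name)
    shielded = None if shielded is None else len(shielded)
    fixed = len(lookup_fixed(conn, name))
    return vuln, shielded, fixed


if __name__ == "__main__":
    # Constructed payloads: a benign name, a textbook tautology the toy
    # signatures catch, and a variant they do not.
    for payload in ["alice", "' OR '1'='1", "' OR 'a'='a"]:
        print(repr(payload), compare(payload))
```

The third payload is the reason the "get both" option exists: the filter stops only what it has a signature for, so `' OR 'a'='a` passes straight through to the unchanged code and dumps every row, while the parameterized query returns nothing for either payload. Shielding buys time for the exposure window; removing the flaw closes it.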
With my colleagues Neil MacDonald and John Pescatore, I have developed a brief decision framework for deciding when code scanning is appropriate (removing), when you should get a web application firewall (shielding), or when you should get both (spend spend, secure secure).
The web application firewall market is still on the early side of the hype cycle, so rather than a Magic Quadrant (which is reserved for larger or more established markets), I produced a research note covering the capabilities and features found in the market and describing the offerings from each vendor. As the market grows and matures we’ll move ahead to a MarketScope or Magic Quadrant, but until then I’ll continue to track this market closely and provide research via similar market notes.

Greg Young
4 responses
1 Lori MacVittie October 23, 2008 at 8:31 am
Greg,
You mention you’ve developed a decision framework…will that be available to the public or only to clients/customers of Gartner?
Thanks,
Lori MacVittie
2 Greg Young October 23, 2008 at 8:46 am
Hi Lori –
It was part of the presentation we gave at the June Gartner Security Summit in Washington, so it is available to Gartner customers and those that attended the event.
Greg
3 Sharon Besser October 24, 2008 at 2:18 pm
The Web Application market is indeed in its acceleration stage, though growing very fast. I would like to add a note that commercial and packaged web applications are also vulnerable and pose a clear risk to many applications. It’s enough to mention Oracle’s recent web component vulnerabilities, some of which are highly critical. Fixing a known vulnerability, or even installing a patch before someone exploits it, is very costly. Web Application Firewalls provide a compensating control while the organization is performing a change control process: fix the code, install a patch, test and deploy. In addition, I believe that Web Application Firewalls provide good protection against unknown attacks.
See also http://blog.imperva.com/2008/06/protecting-enterprise-applicat.html
Sharon Besser, Imperva.
4 Greg Young October 26, 2008 at 12:30 am
Hi Sharon:
COTS vulnerabilities are usually the domain of signature-based IPS, and self-inflicted vulnerabilities are best handled through code scanners or WAFs.
You raise an important point about the exposure window.
Greg