Application Security

Hackers and other malicious third parties are changing their strategy and are directing their attacks to the core of business applications. Unfortunately, applications themselves are often the weakest link in this story.


Security is a key concern when critical business data is at stake. 

Applications are insecure by nature because, traditionally, software developers have not built them with security principles in mind. The result is poorly coded applications that contain multiple vulnerabilities waiting to be exploited by a malicious third party. The problem gets worse when applications are exposed on the Web. With networks relatively well protected by a myriad of security technologies, hackers and other malicious third parties are changing their strategy and directing their attacks at the core of business electronic assets.

Security technologies that run at lower layers of the OSI reference model are incapable of effectively protecting Web applications, which run at layer 7 (the application layer) of the OSI model. Layer 7 is the standard for application services such as the Hypertext Transfer Protocol (HTTP) for transmitting Web pages or the File Transfer Protocol (FTP) for moving files across the Internet.

Web application firewall (WAF) technologies come into play as the only technology available capable of safeguarding the integrity of Web applications. We define a Web application firewall (WAF) as a security technology, delivered as either hardware or software, that sits in front of the Web server and analyzes layer 7 traffic (a whole session, not individual packets) to protect applications from attacks aimed at exploiting vulnerabilities in the applications themselves.

History:

The Web application firewall (WAF) market is still in its infancy. However, it is not new technology that has suddenly emerged. The market started to see its first deployments in 1999 in the financial services area, although most of the existing competitors only started to ship their first products in 2002 and 2003. Nonetheless, 2005 may well be the inflection point for this market as vendors are starting to see their pipelines growing considerably. This growth is fuelled by the increased awareness of organizations that network firewalls and intrusion prevention systems are not effective in stopping Web attacks. However, it is still not clear how the market will evolve in the next few years as some vendors see the technology consolidating as a standalone market, while others believe that it will be offered as part of something bigger, such as application traffic management or as part of the security gateway.  

Web Application Attacks:

Businesses need to understand that applications are insecure and they are indeed exposed to multiple types of threats. Some of the most popular Web application attacks include:  

• SQL injection: Intruders use these flaws to get the database to perform requests that were not intended.
• Parameter manipulation: Intruders use these flaws to get information from a database.
• Cross-site scripting: A script is embedded in a field contained in the URL.
• Other attack objectives include: parameter tampering, SOAP & Web services, authentication or session theft, cookie poisoning, HTTP exploits, default configurations, application flow, buffer overflow, file upload, data encoding, backdoor and debug.
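To make the layer 7 point concrete, here is an added example (not from this page or any vendor's product) of the kind of inspection a WAF performs on a decoded request: each query parameter is checked against an application contract and against a few signatures for the SQL injection, cross-site scripting and parameter manipulation classes listed above. The parameter contract, the rule patterns and the sample request lines are all constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed application contract: the query parameters /product accepts and
# the shape each must have. A WAF enforces this on the decoded request, which
# a packet filter working at layers 3-4 never sees in decoded form.
EXPECTED_PARAMS = {"id": r"^\d{1,10}$", "q": r"^[\w\s\-]{0,64}$"}

# Minimal illustrative signatures for two of the attack classes named above.
SQLI = re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|union\s+select|;\s*drop\b)")
XSS = re.compile(r"(?i)(<script|javascript:|onerror\s*=)")

def normalize(value: str) -> str:
    """Percent-decode repeatedly so a double-encoded value is inspected in plain form."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(request_line: str) -> list:
    """Return (parameter, rule) findings for one HTTP request line; [] means clean."""
    _method, target, _version = request_line.split(" ", 2)
    findings = []
    # parse_qsl decodes one layer of encoding; normalize() strips any further layers.
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = normalize(raw)
        if name not in EXPECTED_PARAMS:
            findings.append((name, "unexpected-parameter"))
        elif not re.match(EXPECTED_PARAMS[name], value):
            findings.append((name, "parameter-shape"))
        if SQLI.search(value):
            findings.append((name, "sqli"))
        if XSS.search(value):
            findings.append((name, "xss"))
    return findings

# Constructed sample traffic: one benign request and three hostile ones.
SAMPLE_REQUESTS = [
    "GET /product?id=42&q=blue+widgets HTTP/1.1",
    "GET /product?id=42%20or%201=1 HTTP/1.1",         # SQL injection, percent-encoded
    "GET /product?id=1&q=%253Cscript%253E HTTP/1.1",  # script tag, double-encoded
    "GET /product?id=7&debug=1 HTTP/1.1",             # parameter the app never declared
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line, "->", inspect_request(line) or "clean")
```

The double-encoded case is the one a lower-layer filter cannot catch: the bytes on the wire never contain the literal tag, so only a component that reassembles the session and decodes the parameters sees it.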

Need to Protect Critical Business Applications: 

Companies are starting to realize that applications can be the weakest link in the security puzzle, and when these applications are taken to the Web the risks increase considerably. Traditional network security products do not protect against Web attacks, and the use of WAF technology is the only effective way to protect against the multiple vulnerabilities that almost all applications carry in their code.

The Introduction of New Legislation:

The introduction of specific legislation affecting database protection is likely to have a very positive effect on the penetration of the technology. California's SB 1386 and Japan's Personal Information Protection Law oblige companies to inform their customers in the event their databases have been, or are suspected to have been, compromised by a malicious third party. In addition, since vendors are so focused on the financial services market, existing legislation regulating financial services, such as Gramm-Leach-Bliley (GLB) in the US and Basel II in Europe, also contributes to the uptake of this technology. Other important pieces of legislation influencing this market are:

• Computer Security Enhancement Act of 2001
• Canadian Personal Information Protection and Electronic Documents Act
• Sarbanes-Oxley Act
• European Data Protection Directive 

Integrate with Application Delivery Infrastructure:

As Web application firewall technology analyzes application traffic to block attacks and protect Web applications, some vendors are planning to offer it as part of the application management platform. In fact, there is much talk about the convergence of both areas into what would be called a secure application delivery platform.

 