Are your Web apps secure?

See correction at end of review

Web-based applications have become vital pieces of business infrastructure. Along the way, they’ve also become major security risks for the organizations that rely on them.

Large volumes of sensitive information exchanged through Web applications -- and stored in databases behind those applications -- hold an irresistible attraction for cyber thieves and vandals who know how to exploit structural and programmatic weaknesses. Low-profile, low-traffic sites, especially those that don’t host transactions, seldom elicit enough hacker interest to cause worry. On the other hand, high-visibility or high-traffic sites invite innovative attacks.

The job of a dedicated Web application firewall is to guard against such sophisticated exploits. For this review, we tested four products dedicated to this task: KaVaDo InterDo 3.0, NetContinuum NC-1000 Web Security Gateway V3.5, Sanctum AppShield 4.0, and Teros Secure Application Gateway 100. For higher traffic volumes, these security systems make perfect sense, because they can apply special rules to Web-specific traffic while maintaining adequate network performance.

Intruder Alert

Web application firewalls stand sentry on a new frontier of creative destruction, where malicious payloads come wrapped in the structure of legitimate traffic. The most dangerous exploits target application vulnerabilities without running afoul of ordinary firewalls: no poorly formed network traffic, no unusually large packets, no mismatches between address and content. Instead, these sneak attacks employ unexpected command strings, altered cookies, or changes to hidden form fields.

In mounting a defense, Web app firewalls inspect the contents of each packet and compare the payload against rules gleaned from ordinary transactions between user and application. These security products look at both sides of the transaction, understand well-formed exploits, and block unexpected behavior. The higher the volume and the value of Web traffic, the higher the security risk -- and the more it makes sense to add the dedicated power of a Web application security system.

There are broad similarities in what all four products do but substantial differences in how they go about doing it. Two products, from Teros and NetContinuum, are available only as appliances; KaVaDo and Sanctum make their solutions available as either appliances or software suites. The latter two also come with scan software designed to suss out vulnerabilities in Web applications. Teros offers an add-on scanner and NetContinuum does not rely on a scanner at all.

Click for larger view.

The biggest and most welcome similarity among these products is that they stop, even in their default configurations, many of the most common exploits used by thieves and vandals. In addition, all include GUI management applications and all assume (quite correctly) that extensive training or customization will be necessary before the product can be relied on for real-world application security.