The Code Red and Nimda computer ‘worms’, which exploited weaknesses in web servers, wreaked havoc with IT systems globally during the first half of 2001.
The response of many organisations to these and other attacks has been to bolster their security presence. So far, the bulk of this spending has been focused on security products designed to protect an organisation’s perimeter, such as firewalls, virtual private networks and intrusion detection systems. But a perimeter-centric approach can still leave an organisation’s online applications “wide open” to attacks, says Peggy Weigle, CEO of application-level security (ALS) software specialist Sanctum.
Analysts concur that application-layer attacks now pose a major security threat. “Around 75% of web attacks are occurring at the application layer,” said John Pescatore, an analyst at Gartner. Although the category is hard to define precisely, application-level attacks occur beyond an organisation’s firewall and are channelled through web servers. Hackers then abuse the business rules, or business logic, of an application to carry out malicious activities such as accessing confidential customer data.
Since 1997, several privately-held software vendors, including Sanctum, KaVaDo and Stratum8 Networks, have emerged to target the ALS market, and analysts expect a broad range of organisations to adopt the technology in the coming months.
The most established vendor is California-based Sanctum. Sanctum was co-founded in 1997 by Gil Raanan, who had previously developed security applications for the Israeli military. The company has raised $54 million (€61m) in four rounds of funding from investors including Dell Computer, Sprout Group and Gemini Israel Funds.
Sanctum’s core product is AppShield (AS), an application firewall that can be installed either on, or in front of, an organisation’s web server. It offers protection against a range of security threats such as ‘cookie poisoning’ where hackers manipulate cookie parameters to gain unauthorised access, and ‘cross site scripting’ where malicious code can be inserted into a web-surfing session to carry out activities such as setting up a dummy web site.
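The two threats named above, cookie poisoning and cross-site scripting, can be illustrated from the defender's side with a small amount of server-side code. The following is an added example written for this article; it is not Sanctum's code and does not describe how AppShield works internally. It assumes a session cookie carrying fields such as `user=alice;role=user`, attaches an HMAC-SHA256 tag so that any edit to the cookie's parameters is detected (cookie poisoning), and HTML-escapes user-controlled text before it is placed in a page (cross-site scripting). The key, the field names and the request handler are all constructed for the example.

```python
import hmac
import hashlib
import html
from typing import Optional

# Constructed example key. A real deployment loads this from a secrets store.
SECRET_KEY = b"example-key-for-illustration-only"


def sign_cookie(payload: str, key: bytes = SECRET_KEY) -> str:
    """Append an HMAC-SHA256 tag so the server can later detect edited parameters."""
    tag = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the payload if its tag is valid; return None if it was tampered with."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag present at all
    expected = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking tag bytes through timing differences.
    if not hmac.compare_digest(expected, tag):
        return None
    return payload


def parse_fields(payload: str) -> dict:
    """Parse a 'k=v;k2=v2' session payload into a dict (constructed format)."""
    fields = {}
    for item in payload.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            fields[key] = value
    return fields


def render_greeting(display_name: str) -> str:
    """HTML-escape user-controlled text before embedding it in a page."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


def handle_request(cookie_header: str, display_name: str) -> dict:
    """Hypothetical request handler: reject poisoned cookies, escape output."""
    payload = verify_cookie(cookie_header)
    if payload is None:
        return {"status": 403, "body": "session rejected",
                "reason": "cookie integrity check failed"}
    fields = parse_fields(payload)
    return {"status": 200, "role": fields.get("role"),
            "body": render_greeting(display_name)}


if __name__ == "__main__":
    good = sign_cookie("user=alice;role=user")
    print(handle_request(good, "alice"))
    # Simulated poisoning (constructed): the role field is edited but the tag is not.
    poisoned = good.replace("role=user", "role=admin")
    print(handle_request(poisoned, "<script>alert(1)</script>"))
```

Because the tag covers the whole payload, changing `role=user` to `role=admin` without the key produces a mismatch and the request is refused; the escaped greeting shows script tags as literal text rather than executing them.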
The company’s other product is AppScan, a security assessment tool, which helps organisations identify, assess and test the vulnerability of their applications.
Also with its roots in the Israeli military is New York-based KaVaDo. Founded in 2000, KaVaDo has so far raised $6.7 million (€7.5m) in funding from investors including 3i Technology Partners and Bank of America Ventures.
KaVaDo’s core product is InterDo. In contrast to AppShield, InterDo focuses purely on handling and preventing anomalies in web traffic. The major selling point of the product, says Tal Gilat, CEO of KaVaDo, is that it has been developed to provide generic protection for individual applications, irrespective of their deployment. This means InterDo requires less application specific customisation work than products of its competitors, he adds. Like Sanctum, the company also supplies a scanning product, ScanDo, to assess application vulnerability.
California-based Stratum8 Networks, another start-up specialising in ALS, is trailing these two companies at present. StormWall, its application firewall product, has not yet been released (although it is due for launch before the end of March 2002) and the company does not have a scanning product. It is also less well funded than the others, having raised $4 million (€4.5m) to date.
Stratum8’s CEO, Bob Walters, is, nevertheless, upbeat, saying that his company’s heavy investment in application performance means that it delivers a throughput speed seven times faster than some of its rivals. He also claims that StormWall incorporates a set of technologies to ensure that it does not impair the performance of an application for end users.
Despite their impressive technology, analysts remain cautious about the prospects for ALS software vendors. As the sector becomes more established, the larger security vendors, such as Internet Security Systems and Symantec, are expected to move into the market. Such vendors, says Frank Prince, a senior analyst at Forrester Research, will likely offer a broader range of tools – and, of course, they have the advantage of a ready-made user base.
That is not the only threat. Ultimately, of course, as companies such as Microsoft build more robust security into their web server technology, the demand for such tools may disappear altogether. The ALS vendors need to move fast.