Group of network security companies creates five-point benchmark plan. A group called the Application Security...
Consortium has been established to provide users with metrics for assessing the performance of application firewalls. These are usually installed to make sure only authorised applications can be used across a network and that each packet of data transported is free from bugs and viruses. Application firewalls are particularly important for making sure web applications cannot be tampered with by hackers. Analyst Yankee Group has said that application security is expected to become a £1.2bn market over the next five years. Jim Slaby, an analyst at Yankee Group, said, "Web applications often link directly to sensitive business data, making them a prime target for hackers intent on stealing financial and identity data." The Application Security Consortium has been set up by four suppliers which are asking the large application firewall suppliers to join them in independently bench-testing their products. The four companies involved so far are F5 Networks, Imperva, NetContinuum and Teros. The group has also invited Check Point, Cisco, Juniper Networks, McAfee and Symantec to join. The five basic categories that the consortium feels all application firewalls should address are:
- Preventing command execution attacks
- Enforcing controls on application input
- Preventing cookie tampering
- Preventing form field tampering
- Preventing URL parameter tampering.
The consortium said, "We believe these minimums are not being met by many suppliers, despite their marketing claims that strongly imply such protection. The result is a false sense of security that exposes enterprises to a higher risk of identity theft and other similar data loss threats."
Greg Young, an analyst at Gartner, said, "This kind of multi-supplier collaboration is a positive development for buyers. A standard set of baseline criteria for application firewalls can be helpful in reducing the effort in product selection."
The establishment of the consortium may not get the support of the major players as they stand accused of lacking the full functionality in their solutions to meet the consortium's security requirements.
Slaby was sceptical as to whether the likes of Check Point, Cisco and Juniper would join because the founding members had chosen to focus on web security areas that the bigger suppliers have so far not addressed.
He said, "These three players only really address the first area in the list of five and perhaps the second. None have a product that address all five areas, so the smaller companies who have formed the consortium have been clever in focusing on web security areas they know they already address. I would be very surprised if any of the big three joined this consortium."
Slaby predicted that the invited companies would only think about addressing these issues when users started asking harder questions of their suppliers and they started to "feel the revenue pain from lost sales".
Although McAfee and Symantec have been invited to join the consortium, they are not seen as orthodox application firewall providers so they were also unlikely to join, said Slaby.
Cisco said it is considering the consortium's offer and Juniper did not comment.
Andrew Singer, manager of market intelligence at Check Point, said, "This is not a consortium. Four companies have simply got together to draw up criteria that simply favour their own products.
"A true consortium would have involved all the relevant companies getting together beforehand to discuss the areas that should be addressed, but this did not happen. We will not make a decision as to whether we will join or not until the end of the month."
Singer refused to confirm or deny that Check Point's application firewall product did not address the last three areas of security in the checklist of five.
Dispute over value of lab test proposal
The Application Security Consortium has launched the Web Application Security Challenge and has invited Check Point, Cisco, Juniper, McAfee and Symantec to have their shipping products evaluated by testing group ICSA Labs.
"The results of all suppliers who accept and successfully pass the Web Application Security Challenge will be posted on the ICSA Labs website at the conclusion of testing," the Application Security Consortium said.
The Open Web Application Security Project (Owasp), a not-for-profit group that produces open source documentation, tools and standards, has issued an open letter on its website calling on members of the Application Security Consortium to reveal the security issues their own products fail to address.
In the letter, the Owasp said the Application Security Consortium, representing a number of security product suppliers, was proposing to create new minimum criteria for IT security and then rate their own products against it.
"The Owasp community is deeply concerned that these criteria will mislead consumers and result in a false sense of security. In the interest of fairness, we believe the Application Security Consortium should disclose what security issues their products do not address," the open letter said.