IT Security and the No Good, Very Bad Web App Nightmare

The growing popularity of Web 2.0 applications is creating new worries about network security for IT managers and program users alike. One of the biggest concerns is the lack of attention by some product developers and the users themselves to regularly scan their computer systems for holes.

The recent acquisitions by IBM and HP of two companies that served as independent watchdogs over Web 2.0 security threats could signal a new focus on Web 2.0 security. On the other hand, such key acquisitions may limit the effectiveness of Web 2.0 security.

HP acquired Web application security firm SPI Dynamics in June. IBM acquired Watchfire the following month. Watchfire provides Web application security testing and compliance management software.

“This creates a void in security defenses. There is a need to test for vulnerabilities constantly because the network is always changing,” Susan Challenger, vice president of marketing for Core Security, told TechNewsWorld.

Unknown Impact

What makes some security experts nervous about such acquisitions is the uncertainty about product development. In the case of both SPI’s and Watchfire’s acquisitions, their products might only be available through the network products of their new owners.

“It looks like there is no intention to return these products to the same market,” Alex Horan, product manager for Core Security, told TechNewsWorld.

However, both Watchfire and SPI Dynamics continue to market their security products. Core Security last month entered the fray of Web 2.0 security by introducing Web application testing capabilities to its Core Impact product.

“It’s not clear how much of a void will be left in the market by the HP and IBM acquisitions. You’d assume some, but the jury is still out on that,” Mike Rothman, an analyst for Security Incite, told TechNewsWorld.

Testing Needed

The level of reduced or increased competition, however, is not the real issue, Rothman asserted. Enterprise customers should be testing their applications along with their networks and systems frequently.

“I can guarantee you the bad guys are testing our stuff every single day. A strong security assurance program is the only way to make sure you are not surprised by what the bad guys find,” he explained.

That view is shared by other security experts concerned about Web 2.0 vulnerability issues. Rather than creating a void, the activity in the Web application security space shows just how strategic this capability has become, suggested Eric Ogren, a security consultant for The Ogren Group.

“All businesses should have a continual program of testing their key applications for vulnerabilities, and the way to do this is with penetration testing and scanning,” Ogren told TechNewsWorld.

Security Consolidation

The Watchfire and SPI acquisitions are actually part of a strategic consolidation within the Web 2.0 market, Ogren suggested. He sees this strategic consolidation proceeding along two paths, depending on the orientation of the customer.

One is the merging of network and application penetration testing and scanning into a single operational entity. Its goal is to proactively keep the business infrastructure as clean as possible.

“This is a major trend. IT can control the scanning activity and can plug vulnerabilities before they become problems,” Ogren said.

The second consolidation path involves merging Web application testing with development tools to permanently correct vulnerabilities in the source code. This extends the Software development life cycle from the inner havens of engineering to incorporate feedback loops of production applications. The result is very attractive for large enterprises with active application development staff, he explained.

“So rather than going away, I find this to be a sign of just how important this capability is. Look for database testers to be next in line for acquisition,” said Ogren.

Watchfire’s View

IBM’s acquisition will only make Watchfire stronger in the security space, according to Danny Allan, director of security at Watchfire, who added that the company is not going into other areas of operation.

“IBM will integrate our products with theirs. Watchfire is not going away. We will have much more resource now,” Allan told TechNewsWorld.

Watchfire has always chased security problems, he said and now the company can focus on being in the forefront of doing frequent vulnerability checks.

Security Mindsets

Watchfire is seeing two mindsets developing with Web 2.0. One is that more organizations are starting to build security into their applications as they become more aware of security holes. Maybe 20 percent are doing this today, Allen said.

The other mindset is that the rest of the Web 2.0 application developers are more concerned about making things fun and thus ignore security issues.

“Education is the key to treating this ignorance. I’d say that about 80 percent of Web application users are totally unaware of the security risks and don’t know what to do,” said Allan.

There is a growing need to build more secure frameworks, but these aren’t mature enough yet to handle the security issues, Allen stated. The industry needs to supply better security platforms, he said.

Security Rundown

SPI Dynamics offers four products designed to bolster Web 2.0 security. WebInspect is an automated Web application and Web services vulnerability assessment solution. Assessment Management Platform (AMP) is a comprehensive platform for managing, tracking and measuring Web application security risk.

SPI Dynamics helps Web 2.0 application developers automatically find and fix application security defects and build secure Web applications and Web services. QAInspect enables QA professionals to incorporate automated Web application security testing into the overall test management process without the need for specialized security knowledge and slowing aggressive product release schedules.

Watchfire’s AppScan Security is a security suite of six products that pinpoints critical vulnerabilities and manages the process of fixing them. The suite includes AppScan 7.6 for application vulnerability assessment, AppScan QA for integrating Web application security testing into the current QA environment, and AppScan Reporting Console to aggregate vulnerability data and provide scalable report access.

Watchfire’s AppScan Security suite also includes AppScan Enterprise, AppScan OnDemand and AppScan Enterprise OnDemand to extend application security testing throughout the SDLC.

New Player

Core Security Technologies’ addition of Web application penetration testing capabilities to its Core Impact security product will help users find vulnerabilities that allow intruders to penetrate network defenses via exploits designed to compromise vulnerabilities in server operating systems and services, according to Horan.

Core’s earlier product tested networks and systems. Core Impact’s Web application security testing capabilities enable users to identify weaknesses in Web applications, Web servers, Web browsers and associated databases. It also dynamically generates exploits that can show the existence of security weaknesses. This will help users identify the potential consequences of a successful attack.

Core is not addressing new threats but is focusing on helping customers to test their applications in a more automated, more leverageable fashion, said Rothman.

“I’m a big fan of having all organizations poke and prod at their applications, systems and even their users on a frequent basis. It’s a function I call ‘security assurance,'” he said.