Does I.T. Drive Your Business, or Does I.T. Drive you Mad?

Wednesday, June 13, 2007

Securing Web Applications: An Overview

As the article linked above implies, organizations are increasingly being attacked through their web applications. This trend is expected to grow as organizations both:

1. Deploy increasing numbers of web applications (especially customer apps).

2. Deploy extensive network-based security mechanisms (IPS, firewalls, anti-virus, etc.) - ensuring that the path of least resistance will no longer be your network, but rather the web applications themselves.

What are the specific and most notable threats to our web applications? A well-respected organization called OWASP has for many years been a leader in bringing these issues to light.

There are a number of options for addressing these threats:

1. Better coding practices / code review processes.
2. Layer 7 protection mechanisms that block web exploits before they reach the application.
3. Don't deploy web applications!
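To make the first two options concrete, here is an added example (it is not from the original post or from any of the vendors mentioned). It shows the same classic SQL injection flaw handled both ways: option 1 fixes the code with a parameterized query, while option 2 is a toy layer 7 inspection that pattern-matches request parameters the way a negative-security WAF rule does. The table, the rules and the sample requests are all constructed for illustration; the caveat worth seeing is that the layer 7 check is only as good as its input normalization, so a double-URL-encoded payload slips past it unless the inspector decodes before matching.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """Constructed in-memory table; not taken from any real application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


def lookup_vulnerable(conn, name):
    """The flaw: user input spliced straight into the SQL string."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, name):
    """Option 1: fix the code. The driver binds the value; it can never become SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Option 2: hypothetical negative-security rules, in the spirit of a WAF signature set.
INJECTION_RULES = [
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),   # ' OR '1'='1
    re.compile(r"(--|;)\s*$"),                            # trailing comment / statement end
    re.compile(r"\bunion\b.*\bselect\b", re.I),           # UNION SELECT
]


def normalize(value, rounds=2):
    """URL-decode repeatedly; attackers double-encode to evade a single decode."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def waf_inspect(params, normalize_input=True):
    """Inspect request parameters at layer 7. Returns (allowed, matched_pattern)."""
    for value in params.values():
        candidate = normalize(value) if normalize_input else value
        for rule in INJECTION_RULES:
            if rule.search(candidate):
                return False, rule.pattern
    return True, None


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))   # every row leaks
    print("fixed:     ", lookup_fixed(conn, payload))        # nothing matches
    print("waf:       ", waf_inspect({"name": payload}))
    # Same payload, double URL-encoded: blocked only if the inspector normalizes first
    evasive = "x%2527%2520OR%2520%25271%2527%253D%25271"
    print("raw match: ", waf_inspect({"name": evasive}, normalize_input=False))
    print("normalized:", waf_inspect({"name": evasive}))
```

The two options are complementary rather than interchangeable: the parameterized query removes the flaw regardless of how the input is encoded, while the layer 7 check buys time for applications you cannot yet fix but must be evaluated on exactly these evasion cases when choosing a product.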

The remainder of this post will address the second option. Web application firewalls have been around since 2000 - 2001, when products from Teros, Magnifire and other start-up companies began to appear. As in any nascent industry, it is difficult to ascertain exactly what the products do and how they do it. There are signs that the market is maturing, though, as the overview by the Burton Group linked here suggests.

The linked article by Network Computing offers an excellent overview of how web application firewalls work, how their architectures vary (for example inline versus out-of-band deployment, and positive versus negative security models) and what the ramifications of each are from an implementation perspective.

Another article from Network Computing evaluates various players in the space, from F5 Networks to SecureSphere and NetContinuum, and offers good insight into the relative strengths and weaknesses of each approach.

The linked article by the Web Application Security Consortium offers good insight into how to evaluate web application firewall products and vendors.

Lastly, an interesting consideration is that ICSA Labs has so far certified only two players in this space: F5 Networks and Citrix Systems. The linked document describes the criteria that have been applied in evaluating products for certification.

There is no question that web application firewalls will play an increasingly important role in securing our environments. I hope this post provides some useful insight into how to proceed with a project of this nature.

Please let us know if there is something else you'd like to discuss on this issue. Feedback is welcome.
