Study: Businesses don't grasp Web app security threats

Lack of understanding leaves businesses open to application-layer attacks

Businesses may unwittingly leave themselves open to application-layer attacks because they don't understand their networks lack defenses to deflect them, according to a study by Forrester Research.

"[M]ost enterprises are not even aware that their traditional network firewalls cannot protect against these attacks," according to the study Web Application Firewall Forecast: 2007 to 2010. The report says demand for Web application firewalls (WAFs) will increase over the next three years, then drop.

This lack of awareness may prove harmful to businesses because Web applications are rife with weaknesses, according to a report by Symantec on Internet security threats over the last six months of 2006. "Sixty-six percent of vulnerabilities disclosed during this period affected Web applications," according to the white paper Symantec Internet Security Threat Report Trends for July-December 06.

In addition, the same study says 77 percent of easily exploitable vulnerabilities affected Web applications.

The Forrester study differentiates between traditional firewalls that examine packets and WAFs that examine flows of packets that represent sessions with Web servers. "What many firms do not understand is how [WAFs] differ from a traditional network firewall," the study says.

Awareness of Web application threats may grow as businesses come into compliance with Payment Card Industry (PCI) standards for data security intended to protect credit card numbers and other personal data transferred during credit card checks and online transactions, Forrester says. These standards actually require WAFs as one of two options for protecting against unknown attacks on Web applications. The other option is reviewing the security of individual Web applications and fixing flaws, according to the Forrester study.

Businesses face a deadline in mid-2008 to comply with the PCI standards, and up until that point knowledge of Web application security and WAFs will grow, as will sales of WAFs, Forrester predicts. After that, sales of WAFs will dip because businesses will have complied, especially retailers that depend on use of credit cards to do business.

As businesses move their defenses to higher layers of the IP hierarchy, so do those looking to pilfer private data, Forrester says. "Attackers are also moving up the stack, with application layer and session layer attacks increasing in frequency and destructiveness - but traditional network firewalls don't help," the report says.

While many customers will buy stand-alone WAFs devices to meet these threats by mid-2008, gradually the functionality of these boxes will be absorbed by other equipment, Forrester says, such as application acceleration platforms and generalized security appliances. The analyst firm predicts some WAFs vendors will be bought up by larger networking firms. "This consolidation will further push prices lower as WAF gets included as part of a packaged network security or application delivery offering," the report says.

Forrester lists Breach Security, Citrix Systems, F5 Networks, Imperva, NetContinuum and Protegrity as the leading WAF vendors.

Join the PC World newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?