Web application firewalls prevent latest attack mechanisms.
Applicure Technologies (published 10/01/2008)
Yaacov Sherban, CEO of Applicure Technologies, explains why application protection is needed in addition to simply protecting network vulnerabilities in order to guard against the latest wave of malware.
The recent SQL injection attack, which compromised more than 70,000 websites (including .gov and .edu sites) and hijacked visitors’ PCs, is another real-life example of how hackers are now targeting applications instead of network vulnerabilities.
This time it was a database attack: MS SQL was attacked; next time it could be Oracle, MySQL or indeed some entirely different system component. The unavoidable conclusion is that unless organizations deploy a web application firewall with updating capabilities, their websites, customers, and information assets will be exposed to attacks. The underlying fact is that developers are unable to build secure web applications for three main reasons:
1. Developers are not working closely enough with the security industry to develop more secure applications. Security training and secure coding are essential to create safer applications.
2. Even if a developer did a good job, new vulnerabilities are discovered all the time and the system developed will always need to play catch-up. The problem is inherent to the system architecture and cannot be addressed by secure coding alone.
3. Investment in developing secure applications is not a high priority, and it is very costly. We have seen cases where secure development doubled the development costs. And then there is a need to maintain the investment to cover patching and other updates. Some organisations opt for penetration testing after the application has been developed, but at this time it is too late to fix the problem thoroughly and ensure patches do not create new security problems.
While the industry strives to address these issues, Applicure Technologies offers a tool for system owners to protect their existing non-secured applications against the majority of threats. dotDefender adds a security layer to applications that stops harmful requests before they reach the application, thus preventing abuse of the vulnerabilities.