A debate has arisen in the world of application security: Is a single, integrated scan-and-protect product better than two separate products that work in conjunction to achieve the same end?
The polemic is best illustrated by rivals Kavado and Imperva. Both vendors' products provide the tools to prevent unauthorized access to sensitive information used by Web applications. But Kavado sells its application scanner software product separately from its application firewall software, while Imperva combines the scanning and firewall functions into its SecureSphere Web Application Security Appliance.
Kavado's new ScanDo 2.5 scanner and InterDo 3.5 Web application firewall are more tightly integrated with one another than past versions, making it easier for ScanDo's updated application vulnerability assessments to feed into the InterDo firewall in the form of security policy, said Jon Greene, vice president of marketing at Kavado, New York.
Imperva's appliance uses persistent learning, which adapts in real time to changing applications, identifying and blocking suspicious user sessions while continuously adjusting to changes in application and database structure, said Shlomo Kramer, CEO of Imperva, Foster City, Calif.
While an argument can also be made weighing the disadvantages of an appliance against those of a software solution when a server upgrade is needed, the question of advantages remains, said James Jenkins, vice president of business development at Prosoft Consulting, a Kavado partner in London, Ontario.
"I think [there's a] good point about having one product that would have real-time scanning features built into an application firewall that can be automatically configured as vulnerabilities change, and I would not be surprised to see Kavado eventually moving in that direction," Jenkins said. "That being said, the current two-step process does, in my opinion, have certain advantages." Jenkins said one of those advantages is choice. "Some clients that I have dealt with are prepared to only look at ScanDo or InterDo, which could [be due to] a lack of education about application security. For example, they may feel that their network security tools protect their applications," he said.