Competitors Join Forces to Improve Web Application Security


Four rivals in the application security market joined forces to help define more consistent and reliable best practices for Web application security.

The partnership, announced Monday at the Computer Security Institute's 31st annual security conference and exhibition in Washington, includes F5 Networks, Imperva, NetContinuum and Teros. The quartet plans to invite vendors such as Check Point Software Technologies, Cisco Systems, Juniper Networks, McAfee and Symantec to join the consortium as well.

With the help of ICSA Labs, the group has outlined five criteria for successful Web application security. Starting next month, ICSA will test the products of participating vendors to make sure the solutions meet these criteria. According to Gene Banman, CEO of NetContinuum, these criteria will comprise the best way to evaluate which Web security applications actually deliver the security they promise, helping channel partners choose the products that will best serve their customers.

"We feel that the market has reached an inflection point where Web application security products are going to become part of the security best practices in the industry, yet at the same time there's confusion caused by conflicting claims," he said. "If we can clarify what customers need in this space, it will be a lot easier for channel partners to deliver it."

The five basic categories include preventing command execution attacks, enforcing controls on application input, preventing cookie tampering, preventing form field tampering, and preventing URL parameter tampering. Only the best Web application security products meet all five of the criteria.

"All of these criteria speak to the need to protect custom applications," said Shlomo Kramer, CEO of Imperva. "In many cases, that's the only thing that stands between users and very confidential information."

Bob Walters, CEO of Teros, agreed, adding that the effort should help "separate the wheat from the chaff" of Web application security products. Walters added that in an effort to assist security solution providers, ICSA Labs Premier Services has agreed to carry out low-cost, third-party evaluations of products that purport to provide application security. Evaluations begin Nov. 22; products from all participating vendors will be evaluated first.

Analysts seemed to like the move. Jim Slaby, senior analyst at the Yankee Group, said application security is slated to become a $2 billion market over the next five years, and noted that the lack of established industry best practices has made it difficult for IT decision makers to identify products that provide legitimate protection.

Greg Young, research director at Gartner, said multivendor cooperation presents a rare opportunity to establish those best practices and eventually develop standards for other security implementations down the road.

"This kind of multivendor collaboration is a positive development for buyers of application security," said Young. "Like the established test criteria for network firewalls, a standard set of baseline criteria for application firewalls can be helpful in reducing the effort in product selection."