WebScurity: 'Application Security Now An SMB Issue'

Although security issues at the perimeter are well-known opportunities for solution providers, one space that has been relatively untapped is application-level security. One of the few companies targeting this space is WebScurity, which makes a WebApp.secure software tool that identifies and stops abnormal application behavior typically associated with an attack. In an interview with Editor in Chief Michael Vizard, WebScurity President Wayne Ziebarth explains why application security is now an issue that can be addressed by solution providers focused on the SMB market.

CRN: How did your company get started?

ZIEBARTH: WebScurity started in June of 2001 and is focused exclusively on Web application security. We don't do anything at the network level. Our background has been doing code reviews or assessments for a large financial institution, and through that experience we developed our WebApp.secure software that protects Web applications from a number of common vulnerabilities.

CRN: How does it work?

ZIEBARTH: It uses a positive protection model, so it's looking for known good behavior and rejecting anything that doesn't fit that profile. It does that by examining outgoing HTML, HTTP and also client-side scripting. At this point, JavaScript is what we inherently support. It can also run in passive mode, where it will identify abnormal activity but still let it pass through. Obviously, the best mode is in the pure protection mode, where it will block the traffic, log it to an XML log for historical reasons, and then it can generate network alerts.


CRN: What's your go-to-market strategy?

ZIEBARTH: Our main focus has been on value-added resellers, usually companies that deal with small to medium-size businesses. When we started building the product, unfortunately we didn't really think of marketing vehicles. We thought of building a product. That's quite honestly a mistake on our part, but now we're setting up our marketing and starting to establish the relationships. We tried doing some direct sales by going through community banking organizations, like Independent Community Bankers of America, but really didn't find any success there. Developing these value-added resellers has been much more successful.

CRN: What differentiates your company in this space?

ZIEBARTH: Two of our best competitive advantages are the price and the ease of use over the life cycle of a deployment. The others are very complex and, quite honestly, they've got a lot of bells and whistles from a reporting perspective. We're making the same data available, but someone might have to import it into Excel to really analyze it. While we've left out some complicated features, our protection is as good or better, and our ability to process and really interpret client-side scripting is a huge advantage for us. Other products accommodate scripting, but they either have to go through a long training process in the application, or you have to manually identify policies in order to work around the issues with them.

We took a lot of time in figuring out how to interpret JavaScript, how to use that information to make it as automated as possible, and the benefits are really very substantial from an installation and an ongoing administration perspective. Our people are writing software products that are meant to be used by the average IT person, not someone within an IT department that has a group within it of 25 security people. Our customers don't have time to become experts, and they don't want to be administering something every day. We've spent a lot of time making it easy.

CRN: How is your approach to pricing different?

ZIEBARTH: Our price is based on what's being protected and what's the value of what's being protected. On average, though, we're 40 percent lower than any of our closest competitors.

CRN: Will you partner with network security vendors focused on the perimeter?

ZIEBARTH: We're actually talking to one firewall manufacturer who's interested in putting our technology into their products, some of their higher-end firewall products.

CRN: In general, this would seem to be a way of dealing with attacks that are getting more sophisticated.

ZIEBARTH: That's right. If you try to put yourself in the shoes of a hacker, the perimeter defenses are so good that you spend an enormous amount of time searching for a bypass to a firewall that has had years of evolution. That's a very hard target. But if you're getting in through port 80 or 443 that is being used by an application, it's already open.

CRN: So at the end of the day, why do you think application-level security is relatively overlooked compared with perimeter security?

ZIEBARTH: I was quite surprised personally to find how many companies don't focus on application security until they are compromised and then determine that it wasn't done through the perimeter defenses. I think it's about getting the right people talking about the right things.

I think there's also confusion in the marketplace by a number of vendors who use the words 'application security,' and it means something completely different than what we and others are really talking about. When you say 'application security' to a company like Symantec, what that really means is that they're looking at Layer 7 issues. When we talk about application security, we're actually a layer higher. For example, there are types of attacks such as Code Red that are indiscriminate attacks. Another category that we call a targeted or application manipulation attack would include things like hidden field manipulation. There's key data that's stored in hidden fields within the Web application to maintain state. If you alter some of those values, you can see somebody else's checking account. And it doesn't take a whole lot of technical knowledge to figure out how to manipulate that information.
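The positive protection model Ziebarth describes earlier (record the known-good values the application sends out, reject requests that don't match, with a passive mode that only logs) and the hidden-field manipulation he describes here can be illustrated with a small filter. The following is an editor's added example, not WebScurity's WebApp.secure code: it parses the hidden fields out of outgoing HTML with Python's standard-library HTML parser, keeps them in a per-session table (the session-id keying and the sample form are constructed for this illustration), and checks each incoming form submission against what was served. In protect mode a changed or missing hidden field blocks the request; in passive mode it is logged and allowed through.

```python
"""Positive-model check for hidden form fields (constructed example)."""
from html.parser import HTMLParser
from typing import Dict, List, Tuple


class HiddenFieldRecorder(HTMLParser):
    """Collects name -> value for every <input type="hidden"> in outgoing HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":  # html.parser already lower-cases tag/attr names
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


class PositiveModelFilter:
    """Accepts only what matches the served page; everything else is a violation.

    mode="protect" blocks violating requests; mode="passive" logs them but lets
    them through, mirroring the two operating modes described in the interview.
    """

    def __init__(self, mode: str = "protect") -> None:
        assert mode in ("protect", "passive")
        self.mode = mode
        # session id -> hidden fields served on the last page (constructed store)
        self.expected: Dict[str, Dict[str, str]] = {}
        self.log: List[dict] = []

    def record_response(self, session_id: str, html: str) -> Dict[str, str]:
        """Called on the way out: remember the hidden fields this session was given."""
        p = HiddenFieldRecorder()
        p.feed(html)
        self.expected[session_id] = dict(p.fields)
        return self.expected[session_id]

    def check_request(self, session_id: str, form: Dict[str, str]) -> Tuple[bool, List[str]]:
        """Called on the way in: compare submitted hidden fields with served ones.

        Returns (allowed, violations). User-editable fields are not checked here;
        only fields the server itself emitted as hidden must come back unchanged.
        """
        known = self.expected.get(session_id, {})
        violations: List[str] = []
        for name, served in known.items():
            if name not in form:
                violations.append(f"hidden field {name!r} missing")
            elif form[name] != served:
                violations.append(f"hidden field {name!r} changed {served!r} -> {form[name]!r}")
        if violations:
            self.log.append({"session": session_id, "mode": self.mode, "violations": violations})
        allowed = not violations or self.mode == "passive"
        return allowed, violations


# Constructed sample page: the account being viewed is carried in a hidden field.
SAMPLE_HTML = """<form method="post" action="/account/view">
  <input type="hidden" name="account_id" value="1001">
  <input type="hidden" name="step" value="summary">
  <input type="text" name="memo" value="">
  <input type="submit" value="View">
</form>"""


def demo(mode: str = "protect") -> Tuple[bool, bool, int]:
    """Run one legitimate and one tampered submission through the filter."""
    f = PositiveModelFilter(mode)
    f.record_response("sess-1", SAMPLE_HTML)
    legit_ok, _ = f.check_request("sess-1", {"account_id": "1001", "step": "summary", "memo": "hi"})
    tampered_ok, _ = f.check_request("sess-1", {"account_id": "1002", "step": "summary", "memo": ""})
    return legit_ok, tampered_ok, len(f.log)


if __name__ == "__main__":
    print("protect:", demo("protect"))   # legitimate allowed, tampered blocked, 1 log entry
    print("passive:", demo("passive"))   # both allowed, tampered still logged
```

The filter detects the tampering the interview describes because the server, not the client, is the source of truth for the hidden values. The more fundamental fix for the checking-account case is to not derive authorization from a hidden field at all: bind the account to the authenticated server-side session and ignore any client-supplied account identifier, so there is nothing to manipulate. The positive-model check is still worth having in front of applications that cannot be changed.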