Vendors issue an application security challenge
A trio of Web application security companies has challenged competing vendors to evaluate products against a set of test criteria developed by the three.
The companies (Imperva Inc. of Foster City, Calif., NetContinuum Inc. of Santa Clara, Calif., and Teros Inc. of Sunnyvale, Calif.) announced what they said are minimum standards for application security products today at the Computer Security Institute's annual conference in Washington.
"We believe these minimums are not being met by many vendors, despite marketing claims that strongly imply such protection," the companies said in a joint statement.
The three-company consortium targeted five companies in its challenge and issued invitations last week to Check Point Software Technologies Ltd. of Redwood City, Calif.; Cisco Systems Inc.; Juniper Networks Inc. of Sunnyvale; Network Associates Inc. of Santa Clara; and Symantec Corp. of Cupertino, Calif.
ICSA Labs, a division of TruSecure Corp. of Herndon, Va., would do the testing.
So far, none of the companies has formally responded to the challenge.
But a Check Point spokesman said, "Check Point is frequently invited to participate in industry initiatives, and we are always evaluating new opportunities."
Web application security is distinguished from network security because it takes place at the application layer. It focuses on understanding application behavior rather than on blocking penetration of the network.
"The unique issue with application security is that all of the dynamic Web applications are connecting back to databases," said Wes Wasson, chief strategy officer for NetContinuum. The applications can be a weak link, exposing databases that contain sensitive information, he said.
The test criteria detail five basic security requirements:
- Preventing command execution attacks
- Enforcing strict controls on application inputs
- Preventing cookie tampering
- Preventing form field tampering
- Preventing URL and parameter tampering.