Firms target weakest link

Web applications more vulnerable to attacks

Several companies are stepping up efforts to help federal agencies address the weakest link in information security: application security.

The rise in attacks on corporate and high-profile government Web sites shows that organizations not only need to protect entry points into their information networks, but also must shield their Web applications, experts say.

To that end, American Management Systems Inc. last week launched Enterprise Security Group (ESG), which will provide application security services to corporate and federal clients.

ESG will work with the AMS vertical industry groups to provide products and services to address the full range of application security, from setting policy to protecting applications from attacks to business continuity and recovery.

"We are not ignoring network and [systems] security, we're just putting another stake in the ground," said Jeffrey Johnson, vice president of ESG, which is located in the information technology consulting firm's Fairfax, Va., headquarters. Application security is crucial because applications now include interfaces that extend outside the corporate environment, Johnson said.

Applications, which contain critical business information, are more open to attack now because organizations are using the Internet and intranets to give customers, employees and business partners access to applications and databases that sit behind the corporate firewall.

"Hackers have become more sophisticated; they know how applications work and now can slip through the firewall," said Peter Lindstrom, director of security strategies at the Hurwitz Group, an IT consulting firm. "Definitely, there is an understanding in the market that network-based firewalls can do only so much for security."

AMS will offer four security services, Johnson said. The company will also provide its Cryptographic Management System to help clients secure applications with mechanisms such as access controls, encryption, digital signatures, role-based cryptography, passwords and public-key infrastructure technology.

To protect applications from attack, AMS will provide the Security Intelligence Management System, which lets IT administrators view potential threats and vulnerabilities to their systems from a central Web portal, and the Application Intrusion Detection System, which detects intruders at the application layer.

Meanwhile, a partnership between KaVaDo Inc., a provider of Web application security software, and ViON Corp., a provider of advanced storage products to all levels of government, aims to add another layer of protection for federal agencies. ViON will sell KaVaDo's flagship products, InterDo, a Web application firewall, and ScanDo, a vulnerability scanner, into the federal market.

InterDo intercepts all traffic to and from applications and validates each request before allowing it to pass to the back-end application. It provides customized security shields that block attacks on applications, including attacks that abuse HTTP and cookies as well as attempts to sabotage back-end databases. InterDo also creates and updates security policies automatically.
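The article describes two products that sit at the application layer, an application intrusion detection system and a Web application firewall, without saying how either makes its decisions. The following is an added illustration, not InterDo, ScanDo or AMS code: a small request validator that enforces an allow-list policy per URL path (which parameters are permitted, what they must look like, how long they may be), verifies that session cookies the application issued have not been altered by the client (an HMAC tag), flags parameter values that look like SQL injection, and derives a starting policy from a sample of known-good traffic, which is the simplest form of the automatic policy creation the article mentions. The `Verdict.reasons` list is what an application-layer intrusion detection system would log as alerts. The policy table, the cookie secret, the `session` cookie name and all sample requests are assumptions constructed for this example.

```python
"""Added example (not KaVaDo's InterDo or AMS code): a minimal application-layer
request validator in the style of a Web application firewall.  It enforces an
allow-list policy per URL path, verifies that session cookies the application
issued have not been tampered with, flags SQL-injection-looking input, and can
derive a starting policy from known-good traffic.  The policy, cookie secret
and sample requests are all constructed for illustration."""
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl

# Constructed allow-list: path -> {parameter: (regex the whole value must match, max length)}
POLICY = {
    "/login": {"user": (r"[A-Za-z0-9_.-]+", 32), "password": (r"[^\r\n]*", 128)},
    "/account": {"id": (r"[0-9]+", 10)},
}

COOKIE_SECRET = b"constructed-demo-secret"  # assumption: shared with the application

# Crude indicators of SQL injection in a parameter value
SQLI = re.compile(r"(?i)('\s*(or|and)\b|union\s+select|--|;\s*(drop|delete|insert)\b|/\*)")


@dataclass
class Request:
    path: str
    query: str = ""
    cookies: dict = field(default_factory=dict)


@dataclass
class Verdict:
    allowed: bool
    reasons: list  # what an application-layer IDS would log as alerts


def sign_cookie(value: str) -> str:
    """Append an HMAC so client-side tampering with the cookie is detectable."""
    mac = hmac.new(COOKIE_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def cookie_is_authentic(signed: str) -> bool:
    """Recompute the HMAC over the cookie body and compare in constant time."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return False
    expected = hmac.new(COOKIE_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def inspect(req: Request, policy=POLICY) -> Verdict:
    """Decide whether a request may reach the back end, recording every violation."""
    reasons = []
    rules = policy.get(req.path)
    if rules is None:
        return Verdict(False, [f"no policy for path {req.path}"])
    for name, value in parse_qsl(req.query, keep_blank_values=True):
        if name not in rules:
            reasons.append(f"unexpected parameter {name!r}")
            continue
        pattern, max_len = rules[name]
        if len(value) > max_len:
            reasons.append(f"{name!r} exceeds {max_len} characters")
        if not re.fullmatch(pattern, value):
            reasons.append(f"{name!r} fails format check")
        if SQLI.search(value):
            reasons.append(f"{name!r} looks like SQL injection")
    session = req.cookies.get("session")  # assumption: the application's session cookie name
    if session is not None and not cookie_is_authentic(session):
        reasons.append("session cookie failed integrity check")
    return Verdict(not reasons, reasons)


def learn_policy(baseline) -> dict:
    """Derive an allow-list from known-good traffic, the simplest form of the
    automatic policy generation a WAF learning mode performs.  Digit-only values
    get a numeric rule; anything else gets a free-text rule; the length limit is
    twice the longest value observed."""
    policy = {}
    for req in baseline:
        rules = policy.setdefault(req.path, {})
        for name, value in parse_qsl(req.query, keep_blank_values=True):
            pattern, max_len = rules.get(name, (r"[0-9]+", 0))
            if not value.isdigit():
                pattern = r"[^\r\n]*"
            rules[name] = (pattern, max(max_len, 2 * len(value)))
    return policy


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate login, one injection attempt with a forged cookie
    good = Request("/login", "user=alice&password=hunter2", {"session": sign_cookie("uid=42")})
    bad = Request("/login", "user=' or 1=1--&password=x", {"session": "uid=1." + "0" * 64})
    for r in (good, bad):
        print(r.path, inspect(r))
```

The allow-list (positive model) is what does most of the work: the injection attempt above is rejected for failing the `user` format rule before the signature-style `SQLI` check ever matters, which is why a firewall of this kind is only as good as the policy it is given or learns. A learned policy should be reviewed before enforcement, since any attack present in the baseline traffic becomes part of the allow-list.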

ScanDo audits an entire Web application environment, including Web servers, application servers and business logic, to uncover known and unknown vulnerabilities. The application scanning and firewall technology is important because many of the attacks during the past few years have focused on breaking into Web servers such as Microsoft Corp.'s Internet Information Server and its components, Lindstrom said. Other companies offering Web protection tools include Sanctum Inc. and SPI Dynamics Inc., he added.

According to recent FBI reports on cybersecurity, about 70 percent of all attacks are executed at the application layer, said Tal Gilat, chief executive officer of KaVaDo. "And with these attacks, [the attacker] doesn't have to be as technically savvy compared to attacks against the network" or virtual private networks.

***

Securing Web applications

American Management Systems Inc.'s new Enterprise Security Group will provide four services to protect organizations' critical applications.

* Security Policy Program — Ensures deployment of policies through audits, training and awareness programs.

* Enterprise Application Security Program — Ensures effective use of a variety of authentication mechanisms such as passwords, digital signatures and public-key infrastructures.

* Application Intrusion Prevention Program — Provides threat assessment and intrusion detection.

* Business Continuity Program — Provides risk and business impact analysis and recovery.
