Product Group Tests
Application and web securityNovember 01, 2013
Products in this group are intended to control security aspects on an underlying application.
This month we examine database and web security products. These include database and web firewalls and security management tools. We looked at only six products, but they were as different from each other as could be. Each of these is strong in its own way and, as you can see from the star ratings, it was hard to pick clear winners.
There is no clear definition for the kinds of products we are looking at so when we canvassed the field we used the following criteria.
Products in this group are intended to control security aspects on an underlying application, which can be a backend program that communicates between a web application and a database, a web-based application or some other application within the enterprise perimeter, as well as offering database security beyond what is inherent within the database management product itself.
Generally, as we examined these tools, a couple of high-level patterns emerged beyond some of the interesting functionality that we found. First, we saw direct protection for web applications and databases in the form of specialized firewalls. Second, we saw security management for web applications and databases much in the same way we often see perimeter or endpoint security management. That implies that we may see convergence of these products with SIEMs in years to come. I, however, doubt that. There are lots of reasons why these products - while certainly capable of being part of a suite of other products - won't fit neatly in the same box with them.
First are the performance issues. These are products that need to look at a lot of data and require resources. Unfortunately, they are the same types of resources that other similar tools require. So keeping them on their own platform makes sense. However, there are vendors looking at the ability to share platforms, perhaps by providing their product as software rather than hardware.
Second, there are some prerequisites for some of these solutions that need unshared access by the tools. Chief among these are backend databases. Finally, these tools would make a very bad single point of failure, especially if that failure was an attack that exposed the managed/protected database or application to direct attack. If the tool shares resources, there is, arguably, an increased proclivity toward compromise than if it was an independently protected platform.
All of that said, we found some commonalities in these products worth mentioning. First, for the database products, the number and types of databases supported was fairly consistent. Unless you have something particularly exotic, you'll likely find your product supported here. Similarly, we found that the web application security management products were focused on SQL injection and cross-site scripting, arguably the two most common web/database attacks today. As well, denial-of-service attacks were fairly uniformly high on the list of protection targets. This clearly defines today's threatscape at the high end. Obviously, there are specific attacks, most frequently using malware, that fall outside of these broad categories.
Finally, we saw little difference in form factors among the offerings. Most were available as appliances, a couple had software versions and one had a virtual appliance. Perhaps this relates to our comments above, but more likely it has a lot to do with configuration. Appliances are far easier to deploy and configure than software-only offerings.
Overall, we liked what we saw and advise you to take a close look at these six products. Match carefully to your environment and be sure to get whatever help you need deploying. While these all are easy to set up and deploy in the lab, a phased deployment into production is a good idea. Not taking any action except monitoring and reading logs is the safe way to deploy against production databases and web applications. It significantly reduces the chance of breaking something during the deployment process.