This month we look at application security. In practice that means application firewalls, but the problem is broader than that. Databases and web applications operate at layer 7, of course, but an application-level attack often involves more than layer 7 activity.
For example, the attacker first needs a way in to reach the database. That could be an attack delivered through the application's users, such as phishing, or a directed attack, such as exploitation of a weakness lower in the communication stack. In reality, just about every OSI layer could, at least in theory, be involved in what appears to be nothing more than an application compromise.
That said, our two products this month focus on the application side of the problem. Both look for holes, but each does it slightly differently. While one performs a lot more than vulnerability assessment - including remediation - the other is focused on auditing vulnerabilities. Web apps are the low-hanging fruit in any organization with a web presence connecting to a backend database. Understanding the vulnerabilities is important and, unfortunately, not as easy as it sounds.
The problem is that in many of today's enterprises the perimeter has all but disappeared. The firewalls, NACs and IPSs are still there, to be sure, but there is a direct connection between the users on the outside and the data on the inside. All that stands between those two points is the security of the applications that act as middleware and the secure configurations of the web application itself and the database it connects to. Unless this entire path is secure you are at risk.
So the big question is, how do you know that you are secure? And if you are not, what do you do about it? Each of this month's products addresses one or both of these questions. In years past, security testing of web applications was a matter of auditing the code. Today, code audits still work, but testing the running application (a dynamic test, rather than a review of the source) is a better bet. It shows how the application actually behaves under a variety of inputs and conditions, and it produces fewer false positives than a code audit. Essentially, it is a web version of a penetration test.
This type of audit needs a couple of companions to make it really effective. First, it needs a way to identify and block malicious activity as it happens, and second, it needs a way to remediate the flaws it finds. The tools we looked at provide one or both of these functions.
There is a limited number of attack classes, although their implementations sometimes seem to be legion. If we were to start with the low-hanging fruit, we would look at cross-site scripting, SQL injection and buffer overflows. We can generalize even further, as a presentation by Saumil Shah at Black Hat suggested. That generalization covers URL interpretation, input validation, SQL injection, impersonation and buffer overflow attacks. To control the impact of these attacks we need a comprehensive detection and defense scheme, and we need to implement it with a robust tool.
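To make the SQL injection class concrete, here is an added example that is not code from the article or from either product under review. It is written in Python against an in-memory SQLite database with a constructed users table, and it shows a deliberately flawed login query beside its parameterized form, plus a toy signature check of the kind an application firewall applies to request parameters, standing in for the "identify and block" companion described above. The table, rows, payloads and rule patterns are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the article).
USERS = [
    ("alice", "correct-horse", "admin"),
    ("bob", "battery-staple", "user"),
]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)", USERS
    )
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately flawed front-end: the query is built by string formatting,
    so quotes and comment markers in the input are parsed as SQL."""
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_hardened(conn, username, password):
    """Parameterized query: the driver binds the values as data, so the same
    payloads are compared literally against the stored strings."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Toy signature rules of the kind an application firewall applies to request
# parameters. These are illustrative patterns, not any product's rule set.
SQLI_RULES = [
    re.compile(r"'\s*--"),                              # quote then line comment
    re.compile(r"(?i)'\s*or\s+'?[^']*'?\s*="),          # ' OR '1'='1 tautology
    re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b"),   # UNION SELECT
]


def inspect_params(params):
    """Return the names of request parameters that match a rule.
    An empty list means the request would be passed through."""
    return [name for name, value in params.items()
            if any(rule.search(value) for rule in SQLI_RULES)]


if __name__ == "__main__":
    db = make_db()
    comment_payload = {"username": "alice' --", "password": "wrong"}
    tautology_payload = {"username": "nobody", "password": "' OR '1'='1"}
    for payload in (comment_payload, tautology_payload):
        print("payload:", payload)
        print("  vulnerable login ->", login_vulnerable(db, **payload))
        print("  hardened login   ->", login_hardened(db, **payload))
        print("  firewall flags   ->", inspect_params(payload))
```

Against the flawed query both payloads log in as alice, the first by commenting out the password check and the second by turning the WHERE clause into a tautology; against the parameterized query both return no row, and the toy rules flag the parameter carrying the payload. The caveat a practitioner should keep in mind is that signature rules like these are easy to evade (comment sequences in place of whitespace, URL or Unicode encoding, alternative keywords), which is why the parameterized query is the fix and the firewall is the companion, not the other way round.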
When we ran the two tools in the SC Lab, we used a database and front-end with several flaws purposely included. Both performed admirably, to the point where they discovered flaws of which we were unaware. Further manual testing confirmed that these were not false positives. The lesson is that the kind of testing we saw from this month's products is likely the best way to make sure you are applying the right protection at layer 7. Applications are touchy things: every time you update one you run the risk of breaking something in the act of fixing or patching something else. Constant vigilance, proactive remediation and protection are critical for these applications because they are the most likely entry point for an experienced intruder.
We found that both of these tools filled the bill very nicely and provided a lot of good functionality. When you are buying an application firewall, determine what types of applications and databases you want to protect. Then match the tool to the need. Tools that have multiple deployment modes - in-line, out of band, etc. - can be very attractive depending on your traffic load. Automatic remediation may be a good bet for you if you have limited resources to repair manually.
We liked both of these products. In fact it was hard, from a performance and functionality standpoint, to choose between them. Both have fine feature sets and both exhibited stellar performance. We suggest that you have a good look at both if you are considering application protection in the near future.