This month we are addressing application vulnerabilities and web-based threats. These two pieces of the risk equation are garnering more and more of our attention lately as attackers focus on the low hanging fruit of web access and lightly protected applications. The thread that connects these two is the web. Vulnerabilities of web applications and the back-end applications they serve have become major concerns. Surfing habits of employees simply exacerbates the problem.
We looked at these two product groups because, together, they offer the real promise of controlling one of the most sensitive gateways into the enterprise, especially for those organizations, such as banks, that develop custom applications that are accessed from the web by customers.
Most predictions of attacks over the next few years center on the web. Securing web-based applications and their back-end databases makes web-based attacks more difficult. Securing users against bad web-use habits adds an additional dimension of protection, especially against trojans, predicted by some to be the fastest growing threat over the next two to four years.
These organizations can take the defense in depth approach of securing their own code while limiting the opportunity of users to import dangerous threats through bad Web access habits. The application vulnerability scanners we looked at run the gamut of web apps to back-end apps. They are of varying complexity and effectiveness. This is a relatively small group that still is maturing.
On the other hand, the web content management applications are beginning to reach a fairly high level of maturity and sophistication. The biggest changes we noted in these products are new features. These products are not just URL filters anymore. This is an important evolution because predictions are that the success of worms ,such as the NUWAR worm, could evolve into a sort of instant messaging malware.
I am referring to malware that takes advantage of instant messaging systems as its transport using a worm that is as sophisticated as NUWAR and has a similarly large number of variants making it very tough to protect against. There have been warnings that such a worm might spread across the Internet in a matter of minutes. The web content management products we looked at are beginning to recognize that a holistic approach – malware, different transport schemes, etc. – is the right way to protect the enterprise from the sins of its users.
Finally, this month we welcome new review engineers into the fold at SC Labs. The application vulnerability test products were tested and reviewed by Nathan Ouellette of Viopoint. The Viopoint folks specialize in identifying, quantifying and managing risks associated with information assets. We thought that Nathan and his colleagues would be just the right group to have a look at the application vulnerability products. I think that you'll enjoy their insights.