App-Firewall Vendors Challenge Rivals to a Test

Things are getting a bit testy in the application-security market.

Saying that theyre fed up with some security vendors claiming that their products protect against application-level attacks, a group of application-firewall vendors on Tuesday will issue a challenge to Check Point Software Technologies Ltd., Symantec Corp. and others to prove that their offerings are truly capable of stopping such attacks.

Executives from Teros Inc., NetContinuum Inc. and Imperva Inc. said the reasoning behind the challenge is simple: to give customers a clearer picture of which products do in fact stop application-layer attacks.

“The major security vendors would like to establish themselves as application-security companies,” said Gene Banman, CEO of NetContinuum, based in Santa Clara, Calif.

“Web technology is really becoming the standard platform for rolling out every application IT departments want to deploy. So, we just gathered together the attacks and said, If you can protect against these, youre an application firewall. If not, youre not.”

The three companies sent letters to Check Point, Symantec, McAfee Inc. and Juniper Networks Inc., challenging the CEOs of the companies to submit their products to ICSA Labs for testing.

ICSA Labs is a division of TruSecure Corp., a security services firm based in Herndon, Va. ICSA does independent testing on a variety of security products, including firewalls, IDS (intrusion detection prevention) and anti-virus software.

/zimages/3/28571.gifClick hereto read about TruSecures merger with other companies to form Cybertrust, which executives tout as the “largest private security services provider in the world.”

The testing criteria, which will be published on the labs Web site, comprises five distinct classes of attack: preventing command execution attacks, enforcing strict controls on application inputs, preventing cookie tampering, preventing from field tempering, and preventing URL and parameter tempering. A product must be able to prevent all five types of attacks in order to pass the test.

Products that pass will be listed on ICSAs site.

The companies making the challenge have much to gain in the marketplace with this idea. If none of the companies accepts the challenge, then that can be seen as a tacit admission that their products couldnt stand up to the test. And if they submit to the test and fail, then Imperva, NetContinuum and Teros have plenty of marketing and sales material for years to come.

But the executives issuing the challenge deny that it is simply a sales ploy.

“This is very much not a marketing issue. We want to clarify the confusion about which products provide protection against what attacks,” said Shlomo Kramer, CEO of Imperva, based in Foster City, Calif.

The companies plan to announce the challenge at the Computer Security Institutes show in Washington.

The application firewall testing should be finished by January, if any of the vendors choose to participate, the executives said.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.