App Security Is Lacking

Opinion: Look for more attention to application security and continued improvement in patch management in the year ahead.

In 2004, several technologies vied for the limited enterprise dollars earmarked for protecting public-facing applications—and created a lot of confusion in the marketplace about how best to provide application security.

Intrusion prevention devices, deep-packet-inspection firewalls and Web application firewalls all provide some measure of detection and prevention of application-layer attacks, particularly against attacks targeted at Web services. Whats not so clear is the depth of protection that each technology provides.

Last month, a cadre of leading Web application firewall vendors—including F5 Networks, Teros, Imperva and NetContinuum—took the first (ultimately unsuccessful) step toward addressing customer confusion. The companies issued a blanket challenge to other application security vendors to submit products to ICSA Labs, a division of TruSecure, for testing against a predetermined list of criteria.

/zimages/3/28571.gifClick here to read an in-depth analysis about building security into applications.

I was excited about this development, but I would have liked to see greater discourse among companies to determine the testing criteria. Unfortunately, no companies stepped up to answer the challenge before the deadline, so Ill continue to look forward to more positive developments. However, as more enterprise money is freed to address application security, all these vendors will find potential customers demanding greater details about the efficacy of each technology.

The scan connection

As the proliferation of mobile devices in the enterprise dissolves the corporate network perimeter, the desktop host has become the de facto perimeter. This year saw a dramatic improvement in desktop security technologies, and I expect more improvements in the year ahead.

While desktop anti-virus and firewall applications have long been staples in corporate administrators tool kits, Ive seen desktop security grow to include intrusion protection capabilities and first-generation spyware detection features.

I expect to see developments with "scan on connect" technologies—exemplified by Ciscos October purchase of Perfigo for its CleanMachines scanning technology. Scan-on-connect systems identify potential weak spots on a system as it attaches to the network and then quarantine vulnerable machines from the rest of the network until the vulnerability is remediated.

Furthermore, I expect to see patch management companies tap scan-on-connect technologies to provide automated vulnerability remediation as part of an effort to ensure client compliance with corporate security policies before the device gets on the network.

2004 saw other gains in the patch management space. Products quickly evolved from early-generation patching solutions designed to shore up Microsoft-based hosts to more-feature-rich entities that integrate well with vulnerability assessment solutions and support a wider array of operating systems and applications.

In the last year, patch management wares have made great gains in usability and scalability and have branched out to remedy vulnerabilities caused by missing patches and others that result from misconfigured settings, faulty registry entries and more. Many patch management systems now leverage the findings of vulnerability assessment scanners such as Nessus or STAT Scanner as part of enterprise policy enforcement—the best use Ive seen of the voluminous data the latter products generate.

In the new year, I expect to see major steps toward melding patch management with the wider area of asset lifecycle management. Im seeing products that promise features that improve device detection on networks and cull data on hardware, software, settings and running services to improve real-time insight into those devices. I expect to soon see added features that address license management and application deployment as well.

Technical Analyst Andrew Garcia joined eWEEK Labs last year after serving as a systems integrator and an IT consultant for small businesses in the San Francisco Bay area. Andrews also done a tour of duty as the network infrastructure project leader for PC Magazines labs. His current beat includes network hardware and security, WLAN technology, and patch management.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.