Vendors issue an application security challenge

Vendors issue an application security challenge

A trio of Web application security companies has challenged competing vendors to evaluate products against a set of test criteria developed by the three.

The companies'Imperva Inc. of Foster City, Calif., NetContinuum Inc. of Santa Clara, Calif., and Teros Inc. of Sunnyvale, Calif.'announced what they said are minimum standards for application security products today at the Computer Security Institute's annual conference in Washington.

'We believe these minimums are not being met by many vendors, despite marketing claims that strongly imply such protection,' the companies said in a joint statement.

The three-team consortium targeted five companies in their challenge and issued invitations last week to Check Point Software Technologies Ltd. of Redwood City, Calif.; Cisco Systems Inc.; Juniper Networks Inc. of Sunnyvale; Network Associates Inc. of Santa Clara; and Symantec Corp. of Cupertino, Calif.

ICSA Labs, a division of TruSecure Corp. of Herndon, Va., would do the testing.

So far, none of the companies has formally responded to the challenge.

But a Check Point spokesman said, 'Check Point is frequently invited to participate in industry initiatives, and we are always evaluating new opportunities."

Web application security is distinguished from network security because it takes place at the application layer. It focuses on understanding application behavior rather than on blocking penetration of the network.

'The unique issue with application security is that all of the dynamic Web applications are connecting back to databases,' said Wes Wasson, chief strategy officer for NetContinuum. The applications can be a weak link, exposing databases that contain sensitive information, he said.

The test criteria detail five basic security requirements:

  • Preventing command execution attacks


  • Enforcing strict controls on application inputs


  • Preventing cookie tampering


  • Preventing form field tampering


  • Preventing URL and parameter tampering.


Imperva CEO Shlomo Kramer said the challenge and the test criteria are not meant to be self serving.

'We really made the effort to make the challenge architecturally independent and product independent,' he said. 'The criteria are simple: Either you protect against these types of attack or you don't.'

Kramer said he was skeptical that the five companies would accept the invitation to test their products but said he hoped that the challenge would evolve into an ongoing application security certification program.

Wasson said he would like to see the criteria baked in to standards such as the government's Common Criteria. The Common Criteria are used as the basis for evaluating IT security products against vendor claims or against a set of requirements established by a government user.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • A forward-located Control and Reporting Center. Air Force photo.

    Data security at the tactical edge: Rightsizing solutions

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group