Two very old adages in security are "least privileges" and "defense in depth." The idea is to only give software enough privileges to get the job done, and not to rely on only one security mechanism. M. Andrews and J. Whittaker, Guide to Web Application Security
Although security tools have their limits, they are usually necessary to make IT security infrastructure stronger. And , by the way, they have to be completed with two major components of an efficient security policy : human resources (expertise, training, threat awareness, ) and organisation (processes, best practises, committees, ).
Security experts refer to IT security infrastructure as RINGS OF PROTECTIONS. Two very well known and common tools are antivirus and network firewalls. As regards with web security, we have seen that web traffic penetrates IT systems with no real opposition. That is why web application firewalls become indispensable. A web application and a web site need its bodyguard, as web technologies become increasingly critical and exposed in modern IT infrastructures ! In late 2004, a Red Herring journalist mentioned : "Web-app security will be just like anti-virus was 10 years ago. In five years, it will be a must-have..
Conclusion : web application firewalls act when conventional tools show their limits
We face conjunction of major trends :
- IT infrastructure has an ever-growing role in business value creation
- Web architectures take a major place in this process
- These solutions are vulnerable
- Traditional tools can not protect them efficiently
This is why web application firewalls are an important building block in every HTTP network. Web applications need their [intelligent and self-learning] bodyguard. When we say bodyguard, we mean a solution which understands the application, taking into account its behavior, which is close to it (ie directly on the web server) and can ACT immediately and consequently (counter-measure). At the same time, it has to be discrete and stick to business logic. It is the last rampart, the ultimate protection !
Richard Touret is manager at Binarysec, http://www.binarysec.com , security software company editing an intelligent web application softwall -or software firewall-. This Apache module adapts on most web sites, learning legitimate traffic to block malicious requests, including sql injection, cross-site scripting, directory traversal, forceful browsing, command injection, parameter tampering, attack obfuscation, buffer overflow, ...
|
