Vendors back Web app security testing

Debate over what protections a Web application firewall is supposed to provide reached a head last week as four security vendors rallied around a common product-testing regimen.

Although each offers a distinctly different product for protecting applications from attack, F5 Networks, Imperva, NetContinuum and Teros say they are backing five types of tests to be done at ICSA Labs that will show a product can recognize and block some common threats, such as SQL injection.

The four vendors say the ICSA Labs security evaluation will help clear up market confusion about what application security firewalls do. They pointedly challenged many other vendors, including Check Point, Cisco, Juniper, McAfee and Symantec, to join them in submitting products for testing.

"If you have an intrusion-prevention system or firewall, these are the baseline things you have to do for Web application security," says Wes Wasson, vice president of marketing and chief strategy officer at NetContinuum, which makes the NC-1000 application security gateway. The four vendors launched the product-testing initiative during last week's Computer Security Institute conference in Washington, D.C.

Scott Markle, ICSA Labs technology program manager, says the evaluation tests, expected to start early next year, were developed with help from SPI Dynamics, a maker of Web application security assessment products.

Wasson says the larger vendors might not be intentionally making misleading claims, but they do sow confusion about application firewalls. "We're hopeful this effort helps by giving customers a more standardized way of evaluating all of us," he says.

Cisco, McAfee and Symantec all had a muted reaction to the Web application security "challenge" last week, saying they would look at the program.

However, Check Point's manager of market intelligence, Andrew Singer, called the collaborative effort "a big positive step," saying ICSA Labs could play a role in bringing the vendors together to set standards for application security defense.

But Singer expressed reservations that the ICSA Labs test criteria, developed only with input from the four vendors, might favor their products.
