I had conversations lately with three CEOs of web application defense companies: Doug Camplejohn of MI5Networks, Nir Zuk of Palo Alto Networks, and Shlomo Kramer of Imperva. All of them are industry veterans, and all of them are developing products to address the inability of standard network security gear to stop web application attacks.
The just-announced Big Oops in Deutsche Telekom's web portal is a case in point. From reading the report I surmise that they exposed the entire database of 30 million subscribers. If a hacker had stumbled on the problem, they could have sucked down those identities, including bank account info, in minutes. One truism in exposing web applications is that stuff happens. No matter how well you analyze your code, test your applications, and scan on a regular basis, you can still have misconfigurations that expose critical data.
Of the three I talked to, Imperva's products are the best suited for addressing this kind of issue. Usually deployed inline, Imperva's web application firewall can detect and block the activity needed to grab a database, such as in DT's recent blunder.
Deploying a web application firewall would have been preferable to having to announce the blunder.
Thanks to Martin McKeay for the tip on this story.
Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.