Network World
Crankin' up the heat

New Web application firewalls give you the chance to burn Port 80 hackers.
By Beth Schultz , Network World , 11/10/2003

Industry statistics show that 80% of malicious attacks target Port 80, the Web traffic pass-through. Why, then, does the onus for Web application protection still fall largely on network-layer devices? Web applications clearly need special security.

Firewalls specifically designed to protect Web applications would recognize a hacker's attempt to create a buffer overflow, to inject false SQL or system commands in program variables, or to otherwise manipulate the datastream for ill purposes. Web application firewalls see the breaches that a network-layer firewall (or intrusion-detection system) is not capable of detecting.
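To make that distinction concrete, here is a small Python illustration, added to this article and not code from Sanctum's AppShield or any other product named here, of the application-layer checks such a firewall performs: each request parameter is compared against an expected-parameter policy for its URL, and values that are oversized or carry SQL or system-command patterns are flagged. The policy, the signatures and the sample requests are all constructed for the example.

```python
"""Minimal Web-application-firewall style request inspector (illustration only)."""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed policy (a positive model): for each path, the parameters the
# application expects and the longest value it ever needs to receive.
POLICY: Dict[str, Dict[str, int]] = {
    "/login": {"user": 32, "password": 64},
    "/search": {"q": 128},
}

# Constructed negative signatures for two of the attack classes the article
# names. Deliberately short; a real product carries far more, and the
# positive model above is what catches what the signatures miss.
SIGNATURES = {
    "sql_injection": re.compile(r"('\s*(or|and)\s+|--|;\s*(drop|delete|union)\b)", re.I),
    "command_injection": re.compile(r"[;&|`]\s*\w|\$\("),
}


def inspect(request_line: str) -> List[str]:
    """Return findings for one 'METHOD URL' request line; an empty list means pass."""
    _method, url = request_line.split(" ", 1)
    parts = urlsplit(url)
    allowed = POLICY.get(parts.path)
    if allowed is None:
        return ["unknown path: " + parts.path]
    findings: List[str] = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in allowed:
            findings.append(f"unexpected parameter: {name}")
            continue
        if len(value) > allowed[name]:  # oversized input, the buffer-overflow class
            findings.append(f"oversized value in {name} ({len(value)} > {allowed[name]})")
        for label, pattern in SIGNATURES.items():
            if pattern.search(value):
                findings.append(f"{label} pattern in {name}")
    return findings


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest each exercising one check.
    for line in [
        "GET /login?user=alice&password=s3cret",
        "GET /login?user=admin'%20OR%201=1--&password=x",
        "GET /search?q=" + "A" * 200,
        "GET /search?q=foo;id",
        "GET /search?q=ok&debug=1",
    ]:
        print(line[:60], "->", inspect(line) or "pass")
```

A network-layer firewall sees only TCP port 80 traffic to the server; every one of these findings depends on parsing the URL and its parameters, which is the layer this kind of firewall adds.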

Security experts have begun to call the Web application firewall a must-have.

"I would never deploy a Web application today if I haven't deployed a Web application firewall," says Ravi Ganesan, vice chairman of NSD Security, which helps user organizations build secure Web infrastructures.

Training Web developers to build secure applications and conducting initial and periodic vulnerability tests are musts, but they don't suffice. Ganesan equates doing those things without also deploying a Web application firewall to calling Windows or another operating system secure and throwing out the perimeter firewall. "You'd be crazy," he says.

Ed McNachtan, program manager with the Family and Children First (FCF) office serving Montgomery County, Ohio, can testify to the benefits of Web application firewalls. He discovered them early - four years ago, when FCF used Health Insurance Portability and Accountability Act (HIPAA) draft documents to perform a gap analysis of the security architecture it planned to use for interagency communications via the Web. "We found our security plan failed around Web applications, and we needed to make reasonable efforts to block that hole," McNachtan says.

He is using AppShield, a software-based Web application firewall from start-up Sanctum, to protect two particularly complex and politically touchy applications that have taken years to develop. The first, in pilot tests now, is a family violence cross-jurisdictional database application. The second is a collaborative case-management application that will go into pilot tests by year-end. "We have privileged and confidential information that we have to protect, plus HIPAA rules and guidelines to follow," McNachtan says. "I'm married to AppShield. It does a great job."
