Protect your Web apps

Opinion
Jun 30, 2003 | 3 mins
Enterprise Applications | Security | Web Development

* Teros aims to protect Web apps from malicious attacks

According to Teros, a developer of Web services security devices, the threat of malicious attacks by hackers is growing exponentially, and the resulting costs run into the billions of dollars. Code Red alone cost businesses more than $2 billion in downtime and repairs, and the estimated cost of security-related downtime to U.S. businesses over a 12-month period is $273 billion, says Teros on its Web site.

Locking down your Web applications so that the bad guys cannot do the things bad guys like to do is one of the biggest concerns for Web developers and administrators.

While a significant amount of protection can be provided through the configuration of Web servers and firewalls, those controls see the network, not the application. The big risk lies in the actual exchanges between client applications and Web servers: the requests, parameters and cookies that pass straight through a firewall because they arrive on the port it was told to allow.

The kinds of security challenges involved include malformed input crafted to trigger buffer overruns, forged requests, poor coding practices, cookie tampering, form mismatch attacks (submitting fields or values the form never offered), SQL injection and URL hacking.

Specialized security devices are a powerful way of dealing with these issues, and the technology behind them is interesting. For example, Teros’ Teros-100 APS is, as far as I am aware, unique in examining all HTTP traffic using something the company calls the HTML Interaction Model, or HIM.

The objective of HIM is to discriminate valid HTTP exchanges from invalid ones in real time. HIM is a state transition model for HTTP traffic that defines which requests and responses are allowable in the context of an HTTP session, so a request is judged not in isolation but against what the session and the pages already served make legitimate.

According to the company, this framework is based on the definitions of the HTTP 1.0 standard (RFC 1945), the HTTP 1.1 standard (RFCs 2068 and 2616), and current HTML and Java coding practice.

The idea is that any exchange that violates the model is blocked unless specific non-standard exchanges have been enabled; in effect it is a positive security model, where anything not explicitly allowed is treated as invalid. Exactly which non-standard exchanges an application needs can be established by running the Teros-100 APS in “learning mode,” which detects and lists the exceptions. These can then be added to the rule set to prevent blocking. The caveat with any learning mode is that whatever it observes becomes allowed, so it should be run only against traffic you know to be clean, and the exceptions it lists should be reviewed rather than accepted wholesale.

The device also supports high-level content checking: for example, that a field holds a well-formed credit card or social security number, or that a password string is at least as complex as system policies require.
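To make the learn-then-enforce idea concrete, here is a small positive-security model for HTTP requests. It is an added illustration written for this column, not code from Teros, and it does not reproduce how HIM actually models a session (the article does not describe that). It learns, per method and path, which parameters appear and what character class and length their values have, then flags anything outside that profile; a Luhn checksum on card numbers and a simple password policy stand in for the high-level content checks mentioned above. The endpoints, parameter names and training traffic are constructed for the example.

```python
"""Toy positive-security model for HTTP requests: learn from clean traffic,
then block anything outside what was learned.  Added illustration only; it
is not Teros code and does not reproduce how HIM models an HTTP session."""
import re
from urllib.parse import parse_qsl, urlsplit

# Nested value classes, narrowest first: digits < alnum < any.
CLASSES = [("digits", re.compile(r"[0-9]*")),
           ("alnum", re.compile(r"[A-Za-z0-9_.@-]*"))]
RANK = {"digits": 0, "alnum": 1, "any": 2}


def classify(value):
    for name, rx in CLASSES:
        if rx.fullmatch(value):
            return name
    return "any"


def luhn_ok(number):
    """Checksum test for a card number (well-formedness, not that the account exists)."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def password_policy(value):
    """Stand-in for a site's complexity policy: 8+ chars with a letter and a digit."""
    return (len(value) >= 8 and any(c.isalpha() for c in value)
            and any(c.isdigit() for c in value))


def parse_request(method, url, body=""):
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    return method, parts.path, params


class InteractionModel:
    def __init__(self):
        self.endpoints = {}      # (method, path) -> {param: {"class", "max_len"}}
        self.content_rules = {}  # param name -> predicate on its value

    def learn(self, method, url, body=""):
        """Learning mode: widen the profile to admit this (assumed clean) request."""
        method, path, params = parse_request(method, url, body)
        profile = self.endpoints.setdefault((method, path), {})
        for name, value in params:
            entry = profile.setdefault(name, {"class": "digits", "max_len": 0})
            if RANK[classify(value)] > RANK[entry["class"]]:
                entry["class"] = classify(value)
            entry["max_len"] = max(entry["max_len"], len(value))

    def check(self, method, url, body=""):
        """Enforcement: return [] if the request fits the model, else the violations."""
        method, path, params = parse_request(method, url, body)
        profile = self.endpoints.get((method, path))
        if profile is None:
            return ["unknown endpoint %s %s" % (method, path)]
        violations = []
        for name, value in params:
            entry = profile.get(name)
            if entry is None:
                violations.append("unexpected parameter %r" % name)
                continue
            if RANK[classify(value)] > RANK[entry["class"]]:
                violations.append("%r outside learned class %s" % (name, entry["class"]))
            if len(value) > max(2 * entry["max_len"], 8):   # slack over the longest seen
                violations.append("%r longer than learned bound" % name)
            rule = self.content_rules.get(name)
            if rule is not None and not rule(value):
                violations.append("%r fails content check" % name)
        return violations


# Constructed learning-mode traffic; a real deployment would capture it from
# known-good users, since anything learned here becomes allowed.
TRAINING_TRAFFIC = [
    ("GET", "/product?id=1042", ""),
    ("GET", "/product?id=7", ""),
    ("POST", "/login", "user=alice&password=Secret123"),
    ("POST", "/checkout", "card=4111111111111111&name=Alice"),
]


def build_model():
    model = InteractionModel()
    for method, url, body in TRAINING_TRAFFIC:
        model.learn(method, url, body)
    model.content_rules["card"] = luhn_ok
    model.content_rules["password"] = password_policy
    return model


if __name__ == "__main__":
    model = build_model()
    for req in [("GET", "/product?id=42", ""),
                ("GET", "/product?id=1'+OR+'1'='1", ""),
                ("GET", "/admin", ""),
                ("POST", "/login", "user=bob&password=Secret123&debug=1"),
                ("POST", "/checkout", "card=4111111111111112&name=Bob")]:
        print(req[0], req[1], req[2], "->", model.check(*req) or "allowed")
```

Run as a script it prints the verdict for each constructed request: the plain product lookup is allowed, the quoted SQL fragment trips the learned character class for `id`, the unseen `/admin` path and the extra `debug` parameter are rejected outright, and the card number with a bad check digit fails the content rule even though it is all digits of the right length. The deliberate weakness to notice is in the training set: had an attack been present while learning, its shape would now be part of the allowed profile, which is why the learning phase has to be fed clean traffic.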

And lest you worry that such complex checking will add overhead to your Web applications and services, the company notes that independent testing determined that the Teros-100 APS adds around 1 millisecond of latency to HTTP exchanges.

The Teros-100 APS is priced starting at $25,000.

Mark Gibbs

Mark Gibbs is an author, journalist, and man of mystery. His writing for Network World is widely considered to be vastly underpaid. For more than 30 years, Gibbs has consulted, lectured, and authored numerous articles and books about networking, information technology, and the social and political issues surrounding them. His complete bio can be found at http://gibbs.com/mgbio
