Enterprises need to utilize software testing that can automatically review applications for security problems. This document examines the market drivers and technology associated with software security code review products and discusses how Cenzic is addressing this urgent need.
I D C V E N D O R S P O T L I G H T
S e c ur i n g We b Ap p l i ca t i o ns : T h e Ti m e I s N ow July 2006 Adapted from Worldwide Security and Vulnerability Management Software 2005–2009 Forecast and Analysis: Taking Control of the Security Environment by Charles J. Kolodgy and Rose Ryan, IDC #34604
Sponsored by Cenzic Not long ago, Web application security was the least of an IT professional's worries. Times have changed. The combination of improved network defenses, hackers motivated by profit not notoriety, expanded deployment of Web-based business applications, increased value of Web-based ecommerce transactions, availability of critical data using Web technology, and heightened regulatory requirements makes Web application security a top consideration. Enterprises understand the need to improve security in this area and have deployed various security products (including Web application firewalls, Web single sign-on, and encryption) to defend against Web application attacks. However, most solutions deal with the symptoms but don't get to the root cause — insecurities inherent in Web applications. Enterprises need to look at the application software if they want to vastly improve Web application security. Specifically, enterprises need to utilize software testing that can automatically review applications for security problems. This document examines the market drivers and technology associated with software security code review products and discusses how Cenzic is addressing this urgent need.
Introduction: Web Is Driving Force for Business
It's no secret that IT is an integral component of the business environment. In IDC surveys of business executives, over 80% of the respondents indicate that IT performance is critical or important to business success. Those same surveys illustrate that executives want to focus on key applications to meet their customer needs. IT is to be used to create more business value and to increase the number of high-value transactions.
The Internet is a key avenue of interaction with customers. Web applications and ecommerce are today's storefronts. For many businesses, especially small ones, a Web presence becomes the "I exist" statement. A Web site can be the great equalizer, allowing a small business to look and feel like a larger business. Nearly 80% of all businesses with Web access have public Web sites, and many of those businesses are engaged in ecommerce, taking orders and accepting credit cards online. A corporate Web site transforms the landscape in which applications are used, from an environment of limited access to one providing wide-open, 24 x 7 admission.
Today's Web sites are no longer static, informational electronic brochures; instead, they are multifeatured and dynamic showcases. They offer multiple functions, such as customer support, special content for registered visitors, and online ordering. Web pages are no longer written by hand; rather, they are generated and customized based on users' requests. The Web application front end receives input from the client-side browser and responds to the requests by returning dynamic Web pages based on user input as well as back-end databases. These complex Web applications — now comprising Web servers, interface code, front- and back-end applications, and databases — are the gateway to business success. But they also are fraught with danger.
IDC 490 "But People Are Supposed to Come In"
The growth and proliferation of the dynamic Web create a conundrum for companies. Web applications are designed to make customers and partners visit and interact with Web sites. They use Web applications to buy products, interact with companies, gather valuable information, and enable many other critical business processes. Use of this technology greatly enhances business opportunities. On the other hand, the openness of Web applications offers attackers an avenue to access critical back-end databases not otherwise reachable from the outside. The threat to Web applications is heightened because attackers are no longer just mischievous; instead, they are motivated by profit. Today's attackers are out to steal something, be it money, corporate secrets, or user data. This changing threat environment raises the stakes and makes Web application security an imperative.
The problem is that although security generally is thought of as something that... [download for more]
