
Group aims to create hallmark of security

Four founders invite security giants to join push to test network products, to make sure they live up to their promises.

A small group of security companies has set a baseline standard for application firewalls and has challenged the industry's biggest players to put their goods to the test.

The Applications Security Consortium, comprised of F5 Networks, Imperva, NetContinuum and Teros, plans to make its formal launch at the Computer Security Institute's annual conference in Washington, D.C., on Tuesday. The joint initiative aims to establish "minimum criteria" for protecting Web-based applications.

"The four of us have expertise in application firewalls, and it occurred to us independently that there was a need for clarification in the market," said Gene Banman, chief executive of NetContinuum, who noted the group formed last month. "The incumbent security vendors have made claims about application firewalls that have created confusion in the space."

Testing defenses

The Applications Security Consortium's five criteria for application firewalls say a product must:

  • Detect and block application inputs containing malicious executable commands.
  • Prevent attempts to insert illegal data types into application inputs by controlling the format and type of data.
  • Prevent cookie tampering by blocking attempts to modify application state information stored in cookies.
  • Prevent attempts to modify application form fields, which are used to accept user input for processing, storage and display.
  • Prevent attempts to modify URL parameters.

Source: Applications Security Consortium

The group said Monday it has invited Symantec, McAfee, Cisco Systems, Juniper Networks and Check Point Software Technologies to test their security software and hardware products against the five criteria. ICSA Labs, a subsidiary of security firm TruSecure, will conduct the tests and issue certifications to those that meet the criteria. The security companies have a Nov. 22 deadline to respond to the challenge.

The invitations were sent out on Thursday, the group said. Symantec and Cisco said they have received their invitations and are currently reviewing them. Juniper, McAfee and Check Point did not have an immediate comment.

One of the explicit goals of the program is to improve protection for underlying software protocols and application code in Web applications. The Applications Security Consortium said many security companies promise such safeguards, but have failed to live up to those claims.

"The result is a false sense of security that exposes consumers and corporations to a higher risk of identity theft and other similar data loss threats," the group said in a statement. "Our goal is to pave the way for minimum standards that will ensure the safety of consumers as well as corporate and government environments on the Web."

Analysts said the five evaluation criteria are a good "starting point" and that they do not seem to favor features in products from the consortium founders.

"If you need an application firewall, this standard will help you make that assessment," Gartner analyst Greg Young said. "We think customers should establish their own criteria, but this should ease some of the selection load and save some in-house testing time."

He also noted that comparing Symantec and some of the other larger security companies, with their breadth of products, to the niche application firewall companies in the consortium is a "pears to oranges" comparison.

"Antivirus and firewall vendors offer two different classes of products," Young said. "The important part of this announcement is the criteria. The challenge is less important."

Earlier this month, the Morris Internet worm, one of the most prevalent forms of Web-borne IT attacks, achieved its unofficial sixteenth birthday. In 1988, the Morris worm, written by a 23-year-old student, was released on the embryonic Internet and overloaded thousands of Unix-based VAX and Sun Microsystems systems in a matter of hours.

Since that time, security threats have grown infinitely more prevalent and complex, creating what will grow to be a $2 billion market for application security over the next five years, according to the latest estimates from research firm The Yankee Group. The companies in the Applications Security Consortium maintain that a lack of security industry collaboration has made it difficult for companies to find tools that provide genuine protection against Web application exploits.