Arguing that Web applications are nowhere near as secure as the firewalls behind which they operate, Cenzic today announced an alliance to bundle its Hailstorm application risk controller software with Borland Software’s Gauntlet version control software.
Hailstorm performs security assessment of applications either already deployed or being built. The goal here is to check applications for security vulnerabilities while they are in development, to catch such flaws before they are deployed.
“People who handle network security did a really good job of securing their networks through firewalls and such. But hackers found that network apps are not secure so they started attacking at that layer instead,” Mandeep Khera, vice president of marketing for Cenzic, told internetnews.com.
In its tests for Fortune 1000 companies, Cenzic has not found a single Web-based application that was not vulnerable at some level, Khera said.
That’s due to priorities being slightly different, said one analyst. “In most cases with Web apps, it’s all about getting it done and deployed fast. Security doesn’t really come to mind,” said Diana Kelley, security analyst with The Burton Group.
The other problem is how the applications are built. Web application developers aren’t that well versed in security methodology, said Khera, while those who do know security often aren’t involved in the development of Web applications.
Problem is when devs code, they really don’t think about security, partly from a lack of expertise but also a lack of time. So they don’t think of how to code it for input validation.
Hailstorm tests applications for things like cross-site scripting, SQL injection errors and buffer overflows. It also does browser-level security, like testing for session hijacking. Its Stateful Assessment technology maintains the state of the application during assessment to draw a more accurate picture of an application when it’s deployed.
“We’re excited about extending the continuous testing and visibility capabilities of Gauntlet with the application vulnerability detection capabilities of Cenzic Hailstorm,” said Rob Cheng, director of developer solutions at Borland in an email sent to internetnews.com. “This combination will allow customers to ensure quality and security from day one of a development project.”
The agreement with Borland is for Hailstorm to be available as part of a download with Gauntlet. Gauntlet has a 30 day free trial while Hailstorm’s is for 60 days.
It may seem hard to believe that Web applications are not being secured, but that’s still happening, said Scott Crawford, senior analyst for Enterprise Management Associates. He adds firms are getting clued in to the problem.
“It is important to have the security of apps be an integral aspect of the software development lifecycle. Vendors in every phase of development are beginning to realize this. This allows for integrating security with every phase of the development lifecycle,” he said.
Because security and application programming are different skill sets, they some times don’t cross during the development life cycle, but there is increased interest in bringing these two together, noted Crawford.
“That has to be done through tools that make it possible to do secure development as well as solutions that secure applications throughout the operational lifecycle. What Cenzic is doing with Borland is an aspect of that trend,” he said.