[WEB SECURITY] note regarding Cobr4 request
Aiken, Dan
AikenD at HSS.EDU
Mon Aug 8 11:44:40 EDT 2005
Andre,
It is my understanding that the "usual suspects" of network controls do not perform the right preventive activities at layer seven. The purpose of the network controls is to make sure that application input gets to the application securely, with integrity, when needed. They do not verify that the input is appropriate for the application or safe. That could be the job of an Application Firewall. See the following excerpt from my GSNA practical, in which I performed an application audit (http://www.giac.org/certified_professionals/practicals/gsna/0184.php):
"Application Firewalls - There are a number of application firewall products that could offer protection for existing and new web applications. Network World Fusion (www.nwfusion.com/_bg/2004/appsecurity/index.jsp) rated and compared ten application firewall products. Purchase prices for the reviewed products range from $1,295 to $35,000."
Dan Aiken, GSEC, GSNA
Corporate Compliance Director
Hospital for Special Surgery
535 East 70th Street
New York, NY 10021
(212) 774-2569
aikend at hss.edu
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." Bruce Schneier
The opinions expressed in this message are the author's own and not necessarily those of Hospital for Special Surgery.
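To make the layer-seven point above concrete, here is an added example (not code from the thread or from any product it mentions) contrasting what a packet filter can decide from the same traffic with what an application-layer check can decide. The requests, the permitted source addresses and the per-path parameter schema are all constructed for illustration; a real deployment would derive the schema from the application's actual interface.

```python
"""Added example: a transport-layer check versus an application-layer
(allowlist) check applied to the same HTTP requests.

All requests, addresses and schema rules below are constructed for
illustration and do not describe any real system.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal view of an inbound HTTP request."""
    src_ip: str
    dst_port: int
    path: str
    params: dict = field(default_factory=dict)


# Constructed sample traffic. The first five requests arrive from permitted
# addresses on the permitted port, so a packet filter accepts every one of
# them regardless of what the query parameters contain.
SAMPLE_REQUESTS = [
    Request("10.0.0.5", 443, "/account", {"id": "1042"}),
    Request("10.0.0.5", 443, "/account", {"id": "1042 OR 1=1"}),
    Request("10.0.0.7", 443, "/search", {"q": "knee surgery"}),
    Request("10.0.0.7", 443, "/search", {"q": "<script>alert(1)</script>"}),
    Request("10.0.0.5", 443, "/account", {"id": "7", "debug": "1"}),
    # Only the network layer catches this one: content is fine, source is not.
    Request("192.0.2.9", 443, "/search", {"q": "hip"}),
]

# Hypothetical network-layer policy: addresses and ports only.
ALLOWED_SOURCES = {"10.0.0.5", "10.0.0.7"}
ALLOWED_PORTS = {443}

# Hypothetical application-layer policy: for each path, the exact set of
# parameters the application expects and the form each value must take.
# This is a positive (allowlist) model, not a list of known-bad patterns.
PARAM_SCHEMA = {
    "/account": {"id": re.compile(r"[0-9]{1,10}")},
    "/search": {"q": re.compile(r"[A-Za-z0-9 ,.'-]{1,80}")},
}


def network_layer_accepts(req: Request) -> bool:
    """Packet-filter view: it never sees the request body or parameters."""
    return req.src_ip in ALLOWED_SOURCES and req.dst_port in ALLOWED_PORTS


def application_layer_accepts(req: Request) -> bool:
    """Application-firewall view: path known, parameter set exact,
    every value matches its expected form in full."""
    schema = PARAM_SCHEMA.get(req.path)
    if schema is None:
        return False  # unknown endpoint
    if set(req.params) != set(schema):
        return False  # missing or unexpected parameters
    return all(schema[name].fullmatch(value) is not None
               for name, value in req.params.items())


def evaluate(requests):
    """Return (network_ok, application_ok) for each request, in order."""
    return [(network_layer_accepts(r), application_layer_accepts(r))
            for r in requests]


if __name__ == "__main__":
    for req, (net_ok, app_ok) in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        print(f"{req.src_ip:<10} {req.path:<9} {req.params!s:<40} "
              f"network={'pass' if net_ok else 'drop'} "
              f"application={'pass' if app_ok else 'drop'}")
```

The two checks are complementary rather than interchangeable: the packet filter alone passes four requests the application should never process, and the schema check alone accepts a request from an address that should not reach the service at all. Using full-match allowlists per parameter, rather than searching for known attack strings, is what lets the application-layer check reject the "debug" parameter and the oversized or malformed values without needing a signature for each.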
-----Original Message-----
From: Andre Maisonneuve [mailto:Andre.Maisonneuve at validian.com]
Sent: Monday, August 08, 2005 10:36 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] note regarding Cobr4 request
To your question about "How can we optimize security?"
One of the elements often mentioned is about "application security". I think this concept should be split into two components:
1 - building "secure" applications, meaning applications that cannot be easily penetrated and that cannot induce risks into other applications they interact with.
2 - making sure that the required "network security" with the firewalls, IDS, IPS and all the alphabet soup is completed by a security network acting at the application layer, not at the transport layer. This way, no malware can penetrate or cause harm to the "application". One must remember that 75% of successful attacks are aimed at the Application layer, not at the network layer (Gartner).
André Maisonneuve
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/