New XML Schema for Application Security Assessment
NetContinuum And SPI Dynamics Integrate Attack Prevention And Application Vulnerability Assessment Technologies
First Integration Between Independent Solutions Demonstrates Real-World Benefits of Emerging AVDL Standard for Application Security Interoperability
Santa Clara, CA and Atlanta, GA, USA. July 30, 2003.
NetContinuum, a leading provider of web and application security solutions, and SPI Dynamics, the expert in web application security assessment, today announced they have completed initial integration between NetContinuum's NC-1000 web security gateway appliance and SPI Dynamics' WebInspect Enterprise Edition application vulnerability assessment software. Integration between the two technologies automates the ongoing security assessment and protection cycle required to fully defend against the growing risk of application-layer security threats, which now comprise up to 70 percent of all new attacks. This interoperability allows organizations to respond more quickly to new threats and dramatically decrease their exposure to attacks and potential downtime.
The new integration is based on an expanded XML schema that allows application assessment information discovered by WebInspect to be reported and organized in a way that can be easily read and interpreted by the NC-1000 web security gateway. SPI Dynamics and NetContinuum have submitted the knowledge gained from this integration to the OASIS Application Vulnerability Description Language (AVDL) technical committee for consideration as part of the AVDL 1.0 specification, scheduled for release later this year. Additional information on AVDL is available at www.AVDL.org.
"Historically, security managers have had no easy way to take warning data from any vulnerability assessment tool and transfer it to any firewall to block the vulnerability," said John Pescatore, Vice President of Research at Gartner. "Integration of this nature, conducted in an open standards forum, is significant because it paves the way for all vulnerability scanners and firewalls to exchange information and ultimately provide customers with a stronger defense against attacks against their business infrastructure."
With new security patches and vulnerabilities appearing at a rate of nearly 50 per week, most experts agree that complex web applications can only be secured through an ongoing process that incorporates both vulnerability assessment and attack prevention solutions. With no standard way for such products to share information, however, security managers are often left to manually translate the results of security assessments into policies that ensure optimal security settings for each unique web application. In the constantly changing world of web applications, this can be time consuming, complicated and costly. Delays and mistakes in this process can also increase a company's risk of penalties for non-compliance with legislation such as the US Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the US Government Information Security Reform Act and California Senate Bill 1386.
SPI Dynamics and NetContinuum have addressed this problem by delivering the following:
SPI Dynamics' WebInspect Enterprise Edition now exports the results of an application assessment in a substantially expanded XML format that depicts both the legitimate architecture of an application and a detailed description of all vulnerabilities found in it. This output highlights details of the application environment that are of critical value to other products responsible for protecting the target application.
NetContinuum's NC-1000 now directly reads and interprets the results of a WebInspect assessment via the new expanded XML format. This information is then used to automatically generate a recommended security policy specifically customized to the exact security needs of the target application. Recommended configuration changes can then be directly imported into the NC-1000 to immediately improve the security profile of the application.
Integration between the two technologies dramatically increases an organization's ability to ensure ongoing application security in complex, constantly changing web environments. It also simplifies security configuration for complex web applications and helps prevent one of the most common security problems that have plagued security managers for years - day-to-day firewall configuration changes that inadvertently create new exposures.
Completing this integration via an open standards process will ultimately enable security managers to conduct ongoing application security audits from multiple, independent sources, each generating AVDL-compliant reports on their findings. These reports could then be read by whatever application firewall is protecting each individual application and automatically compared with that firewall's current configuration. As applications are modified, new configuration settings and security policies could be automatically generated to block attacks against new vulnerabilities and recommended to security managers for immediate consideration.
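The workflow just described (scanner exports the application's legitimate structure plus its findings; the gateway turns that into a default-deny policy and a change set for the security manager to review) can be sketched in a few dozen lines. The following is an added example and not code from NetContinuum, SPI Dynamics or the AVDL technical committee; the report format it parses is constructed for illustration and is neither the WebInspect export nor the AVDL schema, and the element names, parameter types and attack signatures are assumptions.

```python
"""Scanner report -> recommended gateway policy (added illustration).

The report format is constructed for this example and is neither the
WebInspect export nor the AVDL schema; it only carries the two kinds of data
the release says the export contains: legitimate structure and findings.
"""
import re
import xml.etree.ElementTree as ET  # reports are untrusted input; use defusedxml in production

# Constructed sample report (hypothetical element and attribute names).
SAMPLE_REPORT = """<assessment app="shop">
  <structure>
    <resource path="/" methods="GET"/>
    <resource path="/search" methods="GET">
      <param name="q" type="string" maxlen="64"/>
    </resource>
    <resource path="/account/login" methods="POST">
      <param name="user" type="string" maxlen="32"/>
      <param name="pass" type="string" maxlen="128"/>
    </resource>
    <resource path="/item" methods="GET">
      <param name="id" type="int"/>
    </resource>
  </structure>
  <vulnerabilities>
    <vulnerability class="sql-injection" path="/search" param="q" severity="high"/>
    <vulnerability class="xss" path="/search" param="q" severity="medium"/>
    <vulnerability class="directory-listing" path="/static/" severity="low"/>
  </vulnerabilities>
</assessment>
"""

# Parameter type -> value pattern enforced by the positive (allow-list) model.
TYPE_PATTERNS = {
    "int": r"^[0-9]{1,10}$",
    "string": r"^[^<>'\";]*$",  # no markup, quote or statement delimiters
}

# Attack signatures applied to a parameter once a finding names it (assumed, simplified).
SIGNATURES = {
    "sql-injection": re.compile(r'(?i)[\'"]\s*(or|and)\s+|union\s+select|--|;'),
    "xss": re.compile(r"(?i)<\s*script|javascript:|on\w+\s*="),
}


def parse_report(xml_text):
    """Return (resources, findings) from the constructed report format."""
    root = ET.fromstring(xml_text)
    resources = {}
    for res in root.iter("resource"):
        params = {p.get("name"): {"type": p.get("type", "string"),
                                  "maxlen": int(p.get("maxlen", "256"))}
                  for p in res.findall("param")}
        resources[res.get("path")] = {"methods": set(res.get("methods", "GET").split(",")),
                                      "params": params}
    findings = [dict(v.attrib) for v in root.iter("vulnerability")]
    return resources, findings


def recommend_policy(resources, findings):
    """Default-deny positive model from the structure plus finding-specific rules."""
    policy = {"default": "deny", "allow": {}, "deny": []}
    for path, res in resources.items():
        rules = {name: {"pattern": TYPE_PATTERNS[spec["type"]], "maxlen": spec["maxlen"]}
                 for name, spec in res["params"].items()}
        policy["allow"][path] = {"methods": sorted(res["methods"]), "params": rules}
    for f in findings:
        if f["class"] in SIGNATURES:   # tighten the named parameter
            policy["deny"].append({"path": f["path"], "param": f["param"], "signature": f["class"]})
        else:                          # no parameter named: block the path outright
            policy["deny"].append({"path": f["path"], "param": None, "signature": None})
    return policy


def diff_policy(current, recommended):
    """Change set for review before import: what the recommendation adds or drops."""
    cur_allow = current.get("allow", {})
    return {
        "add_allow": sorted(set(recommended["allow"]) - set(cur_allow)),
        "remove_allow": sorted(set(cur_allow) - set(recommended["allow"])),
        "add_deny": [d for d in recommended["deny"] if d not in current.get("deny", [])],
    }


def evaluate(policy, method, path, params):
    """Return (allowed, reason) for a request under the recommended policy."""
    for d in policy["deny"]:
        if d["path"] != path:
            continue
        if d["param"] is None:
            return False, "path blocked by finding"
        value = params.get(d["param"])
        if value is not None and SIGNATURES[d["signature"]].search(value):
            return False, f"{d['signature']} signature in {d['param']}"
    allow = policy["allow"].get(path)
    if allow is None:
        return False, "path not in application model"   # default deny
    if method not in allow["methods"]:
        return False, "method not allowed for path"
    for name, value in params.items():
        rule = allow["params"].get(name)
        if rule is None:
            return False, f"unexpected parameter {name}"
        if len(value) > rule["maxlen"] or not re.match(rule["pattern"], value):
            return False, f"parameter {name} violates constraint"
    return True, "ok"


if __name__ == "__main__":
    resources, findings = parse_report(SAMPLE_REPORT)
    policy = recommend_policy(resources, findings)
    print(diff_policy({}, policy))   # against an empty gateway config everything is new
    for req in [("GET", "/search", {"q": "' OR 1=1--"}), ("GET", "/item", {"id": "abc"}),
                ("GET", "/admin", {}), ("POST", "/account/login", {"user": "alice", "pass": "hunter2"})]:
        print(req, evaluate(policy, *req))
```

Two design points carry over to a real gateway. First, the structure section does most of the work: a default-deny model of known paths, methods and parameter shapes rejects an unknown `/admin` path or a non-numeric `id` without any signature, and the findings only tighten parameters the scanner already proved exploitable. Second, a gateway that imports policy from a scanner report has extended trust to that report, so the import path should authenticate its source and parse the XML with a hardened parser; the stdlib parser above is used only to keep the example self-contained.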
"With the growing complexity of web applications, ensuring around-the-clock protection has become a substantial challenge for most security managers," said Wes Wasson, chief strategy officer of NetContinuum. "NetContinuum and SPI Dynamics share a common vision of multi-vendor interoperability that will make it far easier for customers to realize the benefits of the web without compromising security."
"Corporations have an increasingly difficult job managing the ever growing number of application vulnerabilities," said Brian Cohen, chief executive officer of SPI Dynamics. "Our product integration and sales and marketing partnership with NetContinuum furthers the commitment of both companies to arm our customers with solutions designed to best fit their needs in developing and testing web applications and securing them on an ongoing basis."
SPI Dynamics' WebInspect Enterprise Edition protects web applications by identifying security vulnerabilities throughout the application lifecycle. NetContinuum's ASIC-based NC-1000 uses deep packet inspection to provide immediate protection from web and application security threats by blocking attacks. Unlike traditional security products such as network firewalls and intrusion detection systems that focus solely on the network layers, both SPI Dynamics' and NetContinuum's solutions protect web sites and applications - the most vulnerable and least secure components of today's online business infrastructure.
Pricing and Availability
Integration between the NetContinuum NC-1000 web security gateway and SPI Dynamics WebInspect Enterprise Edition is available at no additional charge in the currently shipping products from both companies. As a special introductory offer, customers who purchase both products prior to September 30, 2003 will receive an additional 10 percent discount on the purchase of each product.
About NetContinuum, Inc.
NetContinuum is a leading provider of enterprise-class web security gateways - next-generation web security appliances designed to secure applications and protect against web attacks. NetContinuum is listed in the "visionary" quadrant on Gartner's Magic Quadrant for Enterprise Firewalls and was named a "Top 10 Start-up to Watch" by Network World Magazine. Privately held, NetContinuum has secured more than $55 Million in funding from blue-chip venture capital firms and investors, including Palomar Ventures, Menlo Ventures, NIF Ventures/Daiwa Securities, Adams Street Partners, Invus Group, MKS Ventures, and Siemens. For more information, please visit www.netcontinuum.com or call 408.961.5600.
About SPI Dynamics
SPI Dynamics, the expert in web application security assessment, provides software and services to help enterprises protect against the loss of confidential data through the web application layer. The company's flagship product line, WebInspect, assesses the security of an organization's applications and web services, the most vulnerable yet least secure IT infrastructure component. Since its inception, SPI Dynamics has focused exclusively on web application security, and SPI Labs, its internal research group, is recognized as the industry's foremost authority in this area. Software developers, quality assurance professionals, corporate security auditors and security practitioners use WebInspect products throughout the application lifecycle to identify security vulnerabilities that would otherwise go undetected by traditional measures such as automated application testing tools, network firewalls, intrusion detection systems, or manual code reviews. The security assurance provided by WebInspect helps Fortune 500 companies and organizations in regulated industries, including financial services, health care and government, protect their sensitive data and comply with legal mandates and regulations regarding privacy and information security. SPI Dynamics is privately held with headquarters in Atlanta, Georgia. For more information and a free 15-day trial of WebInspect products visit www.spidynamics.com or call 678.781.4800.
Tel: +1 408-961-5657
Tara Leder Biller
Tel: +1 678-781-4853
Prepared by Robin Cover for The XML Cover Pages archive. See related references in: (1) OASIS Application Vulnerability Description Language TC website; (2) "Application Security."