Security Vendors Stumping For Certification

Saying companies like Cisco, Symantec and McAfee are making claims they can't back up, four vendors ask them to prove it through certification.

By Jim Wagner | Posted Nov 10, 2004
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

Four application security vendors are challenging some of the biggest names in the security industry to put their money where their mouth is about secure products.

Teros, NetContinuum, Imperva and F5 Networks issued a challenge to Cisco , Juniper Networks , McAfee , Check Point Software and Symantec to certify their products are as good at rooting out application-level vulnerabilities as they've claimed.

Officials said that, according to a Gartner Group research paper, application-level attacks make up to 70 percent of all attacks on the network. Those attacks, officials say, go right at the Web applications tied to the back-end systems that house personal information and confidential data.

Greg Smith, director of product marketing for Teros, said the good news is that security administrators are beginning to give application-level attacks attention, while checking claims made by some of the bigger security vendors about the ability of their products to detect and restrict application-level malware .

"We believe these claims are exaggerated and even misleading to customers," he said.

As such, the four smaller vendors have set up a certification process, administered by ICSA Labs, which will prove Symantec, Juniper, Cisco, McAfee and Check Point all meet the minimum levels of application security. Letters went out to the CEOs and executives at the companies last week with the challenge to take the $8,000 certification test by Nov. 22.

Application-level vulnerabilities occur on a different level of the OSI Model than network-based attacks and need to be handled separately. While attacks on both layers have similar methods, for example DDoS attacks , application-level attacks have their own lexicon: SQL injecting, cross-site injecting and cookie poisoning to name a few.

Officials point to some of the following claims from the four network security vendors they say are unfounded:

  • "To defend networks from a wide variety of application layer attacks and give businesses more control over applications/protocols in their environments, [Cisco's[ inspection engines combine extensive application/protocol knowledge with a variety of security enforcement technologies..." -- Cisco
  • "McAfee Entercept Web Server Edition prevents unauthorized access to Web servers." -- McAfee.
  • By integrating full application inspection, application-layer proxies, stateful inspection, and packet filtering into a unique hybrid architecture, Symantec Enterprise Firewall ensures that information entering and existing the corporate network is thoroughly inspected at all levels..." -- Symantec.

Officials at Cisco confirmed they had received the letter from the four vendors and is evaluating whether they will test their products, but wouldn't comment on the claims made by the four vendors.

"We recognize the value of industry-wide testing opportunities and carefully review and evaluate every opportunity Cisco's invited to," said Amy Hughes, a spokesperson for Cisco. Comment from Symantec and other vendors involved were not immediately available.

Smith maintains that while three of the four vendors are startups (Teros, NetContinuum and Imperva), this isn't a ploy to grab attention.

"We didn't set the objective targeting the big guys simply to create more noise or more press coverage," he said. "We looked at who we thought was creating confusion in the marketplace and these are the five vendors, when we compared and talked to our sales force and we saw where the confusion was stemming from and we looked at where the claims were coming from, it boiled down to these five."

According to the Yankee Group, application security will grow to be a $2 billion market in the next five years, as the number of vulnerabilities targeting applications grows proportionately.

"Web applications often link directly to sensitive business data, making them a prime target for hackers intent on stealing financial and identity data," said Jim Slaby, Yankee Group senior analyst, in a statement. "Open initiatives by vendors to self-regulate their industry benefit customers by helping establish minimum baselines for comparing security products and sorting through sometimes confusing marketing messages."

The announcement came at the Computer Security Institute (CSI) conference, taking place in Washington, D.C., this week.

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter