Today, Internet security comprises four elements:
1) anti-virus protection at the desktop
2) data encryption and authentication for transport
3) firewalls and advanced routers for network-layer security
4) manual patching for application-layer security
Encryption and virtual private networks, using protocols such as SSL, protect data travelling over the public Internet. Firewalls prevent unauthorized network-level access to the server systems on which e-Business applications reside. The reality is that neither firewalls nor encryption schemes such as SSL protect the web application itself. Web application-level security ensures that online applications can only be used the way their developer intended. Any attempt to manipulate them is blocked directly, preventing hackers who come in through the application itself from making unauthorized use of e-Business resources or customer information.
Traditional approaches require developers to address security issues at each stage of the development cycle: design, implementation, testing and deployment. This is a costly and time-consuming process: someone has to review the code line by line and have the capacity to imagine potential security loopholes. With the constantly growing nature of web applications, the explosion of new software code in these applications, and the constant need to implement patches, protecting online applications by manual patching or upgrading will fail sooner or later.
Web Perversion: it's what hackers do when they reach right through the Web to turn the site's applications against you. It's how they can steal digital property, from sensitive customer data to confidential corporate information. It's why they can even shut down the site, or alter prices to buy goods or services for nothing. Most shocking of all, to pervert applications a hacker needs nothing more than a tiny hole in the code, a web browser and a little determination.
AppShield automatically secures e-Business applications on the fly. As HTML pages are sent from the web server to a browser, AppShield protects the application from hacking attempts using two patent-pending technologies, the Policy Recognition Engine and Adaptive Reduction Technology. The Policy Recognition Engine automatically identifies and remembers all of the acceptable responses defined in the HTML page by the page developer, while the Adaptive Reduction Technology enforces those constraints on the requests that return from the web browser to the server. Only legitimate requests, as defined in the security policy, pass through. Since these technologies operate automatically, AppShield does not require customization for the different HTML content produced by each application, nor does it require an upgrade every time a new bug is discovered in a third-party application.
AppShield provides these high-level security benefits at the web application level:
AppShield also improves the process in the e-Business application cycle:
AppShield acts as a proxy between your web server and your load balancer or firewall. As such it can reside either on the server itself or on a standalone box.
When a user starts an application session by directing his browser to an e-Business site, AppShield first verifies that the page accessed is indeed a legal Start URL for the site, a previously bookmarked page, or a signed URL.
Once a session is established, AppShield analyzes each HTML page that belongs to that session as it is being forwarded to the browser. The patent-pending Policy Recognition Engine examines the page, looking for information such as CGI parameters, hidden field values, drop-down menu values, and the maximum size of expected text fields. Based upon this run-time analysis, AppShield automatically determines the security policy of the application. As the web server generates more pages, AppShield generates or adjusts the security policy for the session.
AppShield secures not only HTML content, but also client-side logic (such as JavaScript, VBScript, or any other programming language). Extending the security to client-side logic is done using the Policy Refinement Rules mechanism. This mechanism allows the definition of rules that tell AppShield how to handle requests that are generated or modified by a program such as JavaScript on the client. For example, if the application employs JavaScript code that pre-loads or animates GIFs taken from the directory /images/, AppShield can be instructed with a single rule to allow all requests of the form /images/<legal_filename>.GIF. Other rules can be used to inform AppShield about operations such as hidden fields or cookies that may be manipulated by a programming language on the client.
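The three mechanisms just described (the Start URL check, the policy learned from outgoing pages, and the refinement rules for script-generated requests) together form a positive security model: a request is admitted only if some page, rule or entry point accounts for it. The following Python is an added illustration of that model, not Sanctum's code; the Start URL set, the /images/ regex, the sample checkout page and the per-field constraint format are all assumptions chosen for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumed for this example: the site's legal Start URLs.
ALLOWED_ENTRY = {"/", "/index.html"}

# Assumed policy refinement rule: client-side script may fetch
# /images/<legal_filename>.GIF, where a legal filename has no path separators.
REFINEMENT_RULES = [re.compile(r"^/images/[A-Za-z0-9_-]+\.gif$", re.IGNORECASE)]


class FormPolicyLearner(HTMLParser):
    """Records, per form action path, the constraints each field carries:
    fixed values of hidden fields, the option set of select/radio/checkbox
    fields, and the maxlength of text fields."""

    def __init__(self):
        super().__init__()
        self.policy = {}     # action path -> {field name -> constraint dict}
        self._form = None    # action path of the open <form>, if any
        self._select = None  # name of the open <select>, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = urlsplit(a.get("action", "")).path
            self.policy.setdefault(self._form, {})
        elif self._form is None:
            return  # markup outside any form defines no request
        elif tag == "input" and a.get("name"):
            kind = a.get("type", "text").lower()
            c = self.policy[self._form].setdefault(a["name"], {"kind": kind})
            if kind == "hidden":
                c.setdefault("values", set()).add(a.get("value", ""))
            elif kind in ("radio", "checkbox"):
                c.setdefault("values", set()).add(a.get("value", "on"))
            elif "maxlength" in a:
                c["maxlength"] = int(a["maxlength"])
        elif tag == "select" and a.get("name"):
            self._select = a["name"]
            self.policy[self._form].setdefault(
                self._select, {"kind": "select", "values": set()})
        elif tag == "option" and self._select:
            # Options are assumed to carry an explicit value attribute.
            self.policy[self._form][self._select]["values"].add(a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "select":
            self._select = None


def learn_policy(pages):
    """Feed every HTML page sent to the browser; return the learned policy."""
    learner = FormPolicyLearner()
    for page in pages:
        learner.feed(page)
    return learner.policy


def check_request(policy, url, body=""):
    """Decide whether a request coming back from the browser is legitimate.
    Returns (allowed, reason). Query-string and body parameters are checked
    identically, so switching a POST form to GET gains an attacker nothing."""
    parts = urlsplit(url)
    path = parts.path
    if path in ALLOWED_ENTRY:
        return True, "legal Start URL"
    if any(rule.match(path) for rule in REFINEMENT_RULES):
        return True, "allowed by refinement rule"
    fields = policy.get(path)
    if fields is None:
        return False, "URL not offered by any page in the session"
    params = (parse_qsl(parts.query, keep_blank_values=True)
              + parse_qsl(body, keep_blank_values=True))
    for name, value in params:
        c = fields.get(name)
        if c is None:
            return False, f"parameter {name!r} not defined by the form"
        if "values" in c and value not in c["values"]:
            return False, f"value {value!r} for {name!r} not offered by the page"
        if "maxlength" in c and len(value) > c["maxlength"]:
            return False, f"{name!r} longer than maxlength {c['maxlength']}"
    return True, "matches the learned form"


# Constructed sample page: a checkout form whose price lives in a hidden field.
SAMPLE_PAGE = """
<form action="/checkout.cgi" method="post">
  <input type="hidden" name="item" value="sku-1001">
  <input type="hidden" name="price" value="49.00">
  <input type="text" name="qty" maxlength="2">
  <select name="ship"><option value="ground">Ground</option><option value="air">Air</option></select>
  <input type="submit" name="go" value="Buy">
</form>
"""

if __name__ == "__main__":
    policy = learn_policy([SAMPLE_PAGE])
    for url, body in [("/checkout.cgi", "item=sku-1001&price=49.00&qty=2&ship=air"),
                      ("/checkout.cgi", "item=sku-1001&price=0.01&qty=2&ship=air"),
                      ("/images/logo.gif", ""), ("/images/../etc/passwd", "")]:
        print(url, body, check_request(policy, url, body))
```

The tampered price, the over-long quantity and an unexpected shipping option are all rejected without any rule specific to the checkout page, because the page itself defined what the browser was allowed to send back; the refinement rule covers the script-fetched GIFs while still refusing a traversal attempt that does not fit the allowed filename shape.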
AppShield provides a secured environment for applications through verification methods that assert that the application protocols are correct, so that the application is used the way it was designed. AppShield ensures that users follow the application logic, so applications protected with AppShield do not need to be built to cope with application hacking. AppShield security is implemented without impeding web applications, effectively allowing customers to use applications to their fullest extent without allowing anyone to pervert them beyond their design scope, and thus keeping the site safe and secured.