While Web services are all the rage amongst the enterprise cliques, a report issued Monday may open a few eyes to security threats these services incite, and one company says its product is ready for combat.
In its Top Ten report, the Open Web Application Security Project (OWASP) unveils the most common and threatening flaws in Web services code including buffer overflows – Web application components that do not properly validate input and in some cases, can be used to take control of a process – and cross-site scripting (XSS) flaws – where the Web application can be used as a mechanism to transport an attack to an end user’s browser.
But, topping the list of top vulnerabilities in Web services applications is unvalidated parameters. According to OWASP, this occurs when information from Web requests is not validated before being used by a Web application. Attackers can use these flaws to attack backside components through a Web application.
In response to the Top Ten list, Santa Clara, Calif.-based Stratum8 Networks announced Monday its Application Protection System (APS-100), which the company says addresses all ten of the threats defined by OWASP.
According to Stratum8, APS-100 protects against threats that are not detected by network-based firewalls and intrusion detection systems. APS-100 operates at the application layer and uses behaviour-blocking technology that learns an application’s behaviour, inspects incoming and outgoing traffic and allows acceptable behaviours to be executed, while blocking unacceptable transactions.
“The OWASP Top Ten list is a call to action for corporations and government agencies with high-risk Internet-based applications that contain classified information, customer records and business transaction data,” said Abhishek Chauhan, chief technology officer for Stratum8 in a statement. “This list is an important first step for evaluating application security, yet clearly demonstrates the need for an application-level protection system.”