
Press Releases by JavaScriptSearch


Imperva ADC Helps Organizations Understand and Defend Against Web 2.0 Security Threats


March 7, 2007; 07:09 AM
Imperva®, the global leader in data security and compliance solutions for the data center, today announced that its internationally recognized security research organization, the Application Defense Center (ADC), is making available two free educational resources designed to help organizations understand and defend against security risks posed by Web 2.0 infrastructures. First, the ADC is offering a free Webinar that outlines and demonstrates violations of security best practices introduced by Web 2.0 applications. In addition, the ADC has developed a downloadable technical brief that explains the security vulnerabilities associated with Web 2.0 applications and presents mitigation techniques.

“Web 2.0 technologies such as AJAX, RSS, and client-side JavaScript libraries allow enterprises to build more responsive, immersive and collaborative applications. Although many of the technologies are not new, the threat model for Web 2.0 is not yet fully understood by developers,” said Andrew Jaquith, Senior Analyst at Yankee Group. “Imperva is taking a leadership role by educating organizations about the risks associated with Web 2.0 applications, and by offering mitigation techniques.”

Web 2.0 Risk Landscape

Web 2.0 applications generally include a mix of three characteristics: Rich Interface Applications (RIA), Syndication (RSS, Mashups, etc.), and User participation (social networks, Wikis, blogs). Each category introduces its own set of vulnerabilities and risks, which create a larger attack surface. One common weakness is the shifting of security processing from the web server to the client. This approach is imposed by scripting used to deliver dynamic Web 2.0 content. Client side security checks, however, violate documented best practices for protecting Internet applications. By blurring the distinction between client and server code, Web 2.0 applications increase exposure to session and cookie tampering, SQL Injection, directory traversal, and cross site scripting (XSS) attacks.

Understanding and Mitigating Vulnerabilities

To help IT organizations understand the vulnerabilities introduced by Web 2.0 applications and take appropriate measures to secure their infrastructure, Imperva is hosting a free Webinar on March 14 and offering a companion technical brief entitled Understanding Web 2.0: Technologies, Risks, and Best Practices. The Webinar and brief will cover key Web 2.0 security concepts and remediation strategies, including:

  • Why Web 2.0 frameworks are ideally suited for cross site scripting and script injection attacks
  • Best practice violations: client versus server side security processing
  • Tracking input validation in AJAX
  • Performing state tracking in modular applications

To register for the Webinar please visit http://www.imperva.com/go/webinar20. To request the companion technical brief, which will be available after the Webinar, visit http://www.imperva.com/go/tbw20.

“The convergence of web and collaboration technologies that made Web 2.0 applications possible has created an equally disruptive shift in the Internet threat landscape,” said Amichai Shulman, CTO of Imperva and head of the Imperva Application Defense Center. “Organizations that deploy Web 2.0 applications without a clear understanding of the vulnerabilities they introduce are at risk. Our goal is to arm IT professionals with the knowledge they need to secure their Web 2.0 infrastructures.”

About the Imperva Application Defense Center

The Imperva Application Defense Center (ADC) is internationally-recognized for its leadership in security and compliance research and education. The Imperva ADC has found over 20 vulnerabilities in commercial Web application and database products. Database and application vendors have credited the organization with the discovery of serious vulnerabilities and mitigation techniques that have led to increased security in their products.

About SecureSphere

SecureSphere’s adaptive architecture detects Web 2.0-related threats and future-proofs organizations against subsequent generations of vulnerabilities. SecureSphere allows enterprises to leverage the rich features in Web 2.0 without exposing themselves or their users to attack. With SecureSphere, companies can safely roll out applications with interactive updates, data from external sources, user-contributed content, and other Web 2.0 hallmarks. To protect Web 2.0 applications, SecureSphere:

  • Prevents AJAX-specific attacks by inspecting and validating Web and XML communications.
  • Blocks cross-site scripting (XSS), cross-site request forgery (CSRF), and other exploits associated with collaborative applications.
  • Fortifies applications against session attacks like cookie poisoning – a growing attack vector as validation checks are pushed to the client.
  • Automatically detects application changes over time, ensuring that even the most dynamic Web applications are always protected.
  • Receives regular security updates to protect against the latest application attacks, including Web 2.0 specific exploits.

About Imperva

Imperva is the global leader in data security and compliance solutions for the data center. The Imperva product line provides an automated and transparent approach to protecting and controlling sensitive data throughout transactional data systems. The Imperva database and Web application appliances are deployed in leading financial, retail, telecommunications, healthcare, and government organizations around the globe. Founded over five years ago by Shlomo Kramer, recently named one of the 20 luminaries who changed the network industry, Imperva is a solid, privately held company with growing revenues and backing from Accel Partners, Greylock Partners, US Venture Partners, and Venrock Associates. For more information, visit www.imperva.com.

Imperva and SecureSphere are trademarks of Imperva, Inc. All other brand or product names are trademarks or registered trademarks of their respective holders.
