Web App Security: Hope is not a Strategy
I was getting caught up today on my backlog of security blog reading, and noted that Ivan Ristic had a good post on his prediction that 2008 will be the year that the web application firewall 'takes off' in the mainstream market as opposed to simply being viewed as a security geek's toy.
Ivan considers how pervasive network firewalls have become (no IT manager in his/her right mind would even consider running a network without one) but the same consciousness doesn't yet exist regarding application firewalls. The same managers who believe in network firewalls are rolling the dice every day hoping that the web applications they've deployed publicly don't get compromised - even though they know the network firewalls do nothing to protect their web apps.
Reminds me of some research that Gunnar Peterson did that shows the silliness of this comparative ignorance. Gunnar reminds us that on average businesses generally spend about 10x as much on application development as they do on network infrastructure - yet when it comes to security, the spending trend is the reverse of this (i.e. they'll spend tens or hundreds of thousands on a network firewall, penetration test, system security audit, etc. - but spend next to nothing to secure their public-facing applications).
This needs to change. The security of our applications can no longer rest on the hope that an attacker isn't interested in them.

I'm curious to know whether something like an ASTARO Security Gateway would provide much protection? www.astaro.com








