What is application-level security?
Put simply, application-level security ensures that eBusiness applications interact with
end users only in ways that were intended by the application's developers.
Application-level security is focused on preventing the unauthorized use of an
eBusiness' resources or customer information by hackers attempting to gain access
to the eBusiness network directly through the application itself.
Application-level hacks typically exploit weaknesses in internally developed code, such as Common Gateway Interface (CGI) programs, or in third-party
products such as web servers and application servers. To better understand the scope of application-level security, please join our Application Hacking Demo.
How do privacy and security relate to eBusiness?
Industry studies have shown that the privacy and security of personal information is a
serious concern for a majority of Internet users. Most Internet users would be more
likely to conduct business online and supply personal information if their privacy and
security concerns were addressed.
- NetZero, a nationwide provider of email and Internet access, recently conducted a survey in which 53 percent of Internet users ranked privacy and security as the most significant inhibitors to the growth of e-commerce.
- Seventy-eight percent of respondents to a 1998 BusinessWeek survey said they would use the Web more if privacy were guaranteed.
Is it possible to quantify the bottom-line impact of the lack of consumer trust online?
Yes. Because many consumers have such strong concerns about conducting business online,
those eBusinesses that can bridge this "trust-gap" can potentially gain a competitive
advantage in the highly competitive Internet marketplace. According to Boston Consulting
Group, eCommerce revenue could double from $6 billion to an estimated $12 billion by
2000 if Internet companies successfully address the privacy concerns of users.
What are the business risks associated with lack of application security?
Common security holes in eBusiness applications pose a serious risk not only to the
privacy and security of Internet users, but to the assets (e.g., systems, network and
data) of an eBusiness itself. Hackers can use loopholes to:
- gain access to private customer information (purchase histories, medical status, prescribed medications, travel information) and personal financial information (credit card numbers, stock portfolios).
- reveal sensitive business data, such as partners and trade secrets.
- deface or shut down a company's Web site.
Hackers have perpetrated numerous other types of attacks, causing costly and
embarrassing outage and damage to eCommerce companies. Please join our application
hacking demo to learn more.
How can the application security problem be solved?
The eBusiness environment has outgrown the stage where application security can be
viewed as a minor by-product of the application development process. To achieve
application security without affecting their development costs or time-to-market,
eBusinesses require a new Internet Application Security infrastructure. This
infrastructure must be a dedicated, universal solution that is
independent from the eBusiness application itself. Such an infrastructure will eliminate
the need to identify and remedy each and every security problem during the application
development process. Perfecto introduces AppShield, the first Internet
Application Security solution. To learn more, please visit our product section.
What has been the traditional approach to application-level security?
The traditional approach to application security required developers to address security
issues at each stage of the development cycle--design, implementation, testing and
deployment--a costly and time-consuming process.
Why is the traditional approach to application-level security unsuitable in the eBusiness environment?
The traditional approach to application security is almost unfeasible in the eBusiness
environment. The rapid pace of the eBusiness environment puts heavy constraints on the
application development process. eBusiness applications are usually created in a 90-day
timeframe and are updated frequently. Thus, for many eBusinesses, the desire to
implement application security is outweighed by time-to-market concerns. This results in
a situation in which most eBusiness application loopholes are identified and fixed on a "one-off" basis
during the application-building phase -- a costly and time-consuming process.
Furthermore, this approach does not account for potential risks associated with the use
of many third-party products. eBusinesses often rely on third-party products--such as
Web servers and application servers. Because businesses generally do not control the code for these
products, and they generally do not test them, they are vulnerable to unforeseen security hazards.
Why can't application-level security be achieved by coding around the known bugs in an application?
eBusiness applications may include hundreds of thousands of lines of code. And due to
the rapid pace of the eBusiness marketplace, these applications change frequently.
Combined with the assumption that all software naturally has bugs, it is almost impossible
to create a secure application by coding around the existing bugs. Further compounding
the problem is the time-to-market-driven reliance on third-party code. Developers may
simply not be able to find every potential problem with software they did not originally
create. But since many third-party applications are open source,
they are readily available for hackers to scrutinize and potentially undermine.
Why aren't firewalls and data encryption enough to protect eBusinesses?
eBusiness security is comprised of three elements:
- Data encryption and authentication
- Network level security
- Application Level Security
Encryption technologies, such as SSL and virtual private networks, protect data as it is
transmitted over the public Internet. Firewalls provide network-level protection
against unauthorized access into the server systems of an eBusiness. While essential to
the overall security of an eBusiness site, neither of these technologies can prevent an
attack that is focused directly on the application. For example, hackers can force an
application to behave in unintended ways and gain access to underlying network systems
by sending unexpected or unusually large inputs to the eBusiness application, modifying
cookies, or exploiting weaknesses in third-party code or vulnerabilities in public-source
web server applications. Once undermined, an eBusiness application can allow hackers to
gain access to an eBusiness' most sensitive, valuable information and resources.
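As an added illustration (not part of the original FAQ and not Perfecto's or AppShield's code), the following Python sketch shows the kind of check that only the application layer can make, since a firewall sees a permitted TCP connection and SSL only protects the bytes in transit: an allow-list of the form fields the developers intended, with length and character limits that stop oversized or unexpected input, and an HMAC-signed session cookie that the server rejects if its contents were modified by the client. The field names, the secret, and the sample requests are constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed secret for the example; a real server loads it from protected
# configuration, never from a page or repository.
SECRET = b"constructed-example-secret"

# Allow-list for a hypothetical order form: field name -> (max length, pattern).
# Anything outside this table is, by definition, not a way the developers
# intended the application to be used.
FIELD_RULES = {
    "item_id": (16, re.compile(r"^[A-Z0-9-]+$")),
    "qty": (4, re.compile(r"^[1-9][0-9]{0,3}$")),
}


def sign_cookie(payload: str) -> str:
    """Server-issued cookie: payload|hex(HMAC-SHA256(secret, payload))."""
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(cookie: str):
    """Return the cookie payload if its MAC verifies, otherwise None.

    The client may edit the cookie freely; it cannot recompute the MAC
    without the server secret, so any modification is detected here.
    """
    payload, sep, mac = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    return payload


def validate_params(params: dict) -> list:
    """Return the reasons a request is rejected; an empty list means accepted."""
    problems = []
    for name in params:
        if name not in FIELD_RULES:
            problems.append(f"unexpected field {name!r}")
    for name, (max_len, pattern) in FIELD_RULES.items():
        value = params.get(name)
        if value is None:
            problems.append(f"missing field {name!r}")
            continue
        if len(value) > max_len:
            problems.append(f"field {name!r} too long ({len(value)} > {max_len})")
        elif not pattern.match(value):
            problems.append(f"field {name!r} has unexpected characters")
    return problems


def handle_request(params: dict, cookie: str) -> str:
    """Application-level gate: both the cookie and the form data must be
    exactly what the server intended before any business logic runs."""
    session = verify_cookie(cookie)
    if session is None:
        return "REJECT: cookie tampered or missing signature"
    problems = validate_params(params)
    if problems:
        return "REJECT: " + "; ".join(problems)
    return f"ACCEPT: session={session} item={params['item_id']} qty={params['qty']}"


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate request and three that a
    # firewall and SSL would pass unchanged but the application must refuse.
    issued = sign_cookie("user=alice;price=49.95")
    print(handle_request({"item_id": "SKU-100", "qty": "2"}, issued))
    print(handle_request({"item_id": "SKU-100", "qty": "2"}, issued.replace("49.95", "0.01")))
    print(handle_request({"item_id": "A" * 5000, "qty": "2"}, issued))
    print(handle_request({"item_id": "SKU-100", "qty": "2", "admin": "1"}, issued))
```

The two checks are independent on purpose: the cookie MAC protects state the server handed out earlier, while the field allow-list protects against input the server never expected, and a request must pass both before it reaches the code that talks to back-end systems.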
Does a privacy seal (such as BBBOnline or TrustE) imply that a Web site is absolutely secured?
Not necessarily. Privacy seal programs help companies formulate and post a privacy
policy on their Web sites, and they provide a seal of approval on the site's practices
regarding personal information. Privacy seals make an implication regarding a company's
commitment to privacy, but they do not imply anything regarding the site's security
measures. Such seals are not enough to guarantee security. Security measures must be
implemented along with privacy measures. Data collected should be safeguarded against
unauthorized use.
What are the benefits of installing an Internet Application Security infrastructure?
Internet Application Security infrastructure can provide a substantial return on
investment for eBusinesses by reducing development costs and cost of ownership, by
increasing customer transactions and loyalty, and by limiting site down-time. With an
Application Security infrastructure in place, eBusinesses can devote their limited
application development resources to their core, revenue-generating applications.
Why is Perfecto well-suited to address the application security problem?
Perfecto's management and technical teams have a unique understanding of providing
security for mission-critical applications. Perfecto's founders, Eran Reshef and Gil
Raanan, gained extensive knowledge of security while managing the development efforts of
an elite technology unit in the Israeli Defense Forces. This knowledge has been put to
use in creating the Company's portfolio of advanced, proprietary security technologies.
Click here to learn more about Perfecto Technologies.