Web application firewalls are evolving to support XML- and Web services-based applications, and vendors Teros and NetContinuum are both driving upcoming product releases in that direction.
Teros announced Monday that its Secure Application Gateway family of appliances protects applications that pass XML data in addition to existing HTML applications. NetContinuum has already begun. However, both companies are entering a new market for Web services protection, already crowded with startups such as DataPower Technology Inc., Forum Systems Inc., Reactivity Inc., and WestBridge Technology Inc.
Greg Smith, senior director of product marketing at Teros, said customers are increasingly deploying Web services and are just now asking for ways to protect these early instantiations.
"We think this market is underserved," Smith said. "This is a space we intend to lead."
According to Smith, the new functionality for XML-intensive applications is designed to help enterprises that have already deployed a Web service application. He said the features are meant to meet the "real-world problems" customers face in securing Web services, and adds that next quarter the company will deepen its Web services protection with support for Web services standards WS Security, SAML, and XML encryption.
The inline gateway appliance learns the behavior of applications, then provides recommended security controls to tighten the inputs of the application, Smith said.
NetContinuum also has been adding support for Web services with each new release of its NC-1000 Web Security Gateway.
"We're not seeing many core applications with XML yet," said Wes Wasson, vice president of marketing at NetContinuum. But "application development trends are moving that way."
He points to development tools and platforms that are building Web services hooks into its products, which is speeding the creation of Web services-based applications.
And this advance is one of the arguments that startups such as DataPower uses to convince potential customers to adopt its appliance, which was built for Web service applications.
Eugene Kuznetsov, CTO of DataPower, said that if enterprises are using Web services, they are better served using a product like DataPower's XS40 XML Security Gateway than one that evolved from an HTML-based Web application heritage.
"Why buy potential from Teros, when you can buy something that has been in production for over a year?" Kuznetsov asked.
However, analysts believe the traditional Web application vendors have just as good an opportunity as the Web services startups.
Richard Stiennon, vice president of research at Gartner Inc., said most customers today are ready to deploy Web services applications, but do not yet require the depth of protection that companies such as DataPower provide.
Eric Ogren, a senior analyst at The Yankee Group, agreed that most enterprises don't need advanced Web services protection today, but they will soon, putting all the vendors on the same playing field.