SAN MATEO (05/08/2000) - The Internet Security Conference (TISC), held in San Jose, California, each year, always brings out the top names in the security industry to rant and rave about its highlights and lowlights.
Many of the industry leaders -- such as Char Sample, Ray Kaplan, and Fred Avolio -- spin the tales of a bright future for security. But after peering into the booths and talking to various vendors and attendees about the state of the industry, we can't help but walk away feeling a bit empty. The security industry has grown up so rapidly over the past few years that we often wonder if any further innovation will surface.
In many respects, the security industry is in a transition. The acquisition flurry of 1998 and 1999 has morphed into the refocusing of traditional software companies -- such as Symantec Corp. -- exclusively into security in an attempt to gain market advantage. Now with many large, traditionally non-security companies competing in the security space, these outfits are focusing on building their own product suites.
Sure, we saw demos of new products and services at TISC, but everywhere we turned it seemed that the companies' offerings were simply revamped or repackaged versions of older, limited technologies. For example, ClearTrust SecureControl appears to have some interesting technology, providing a granular authorization mechanism for Web pages, but it's been done before. Its main competitor, Netegrity's SiteMinder, has had this technology for years.
New managed security services from Exodus now promise on-the-pulse security assessment and intrusion-detection capabilities. The company's recent acquisition of the security practice of Network-1 led to increased security interest in its customers' networks. Although concern about the topic is refreshing, nothing appeared to be new.
Host system hardening has been around for a while, but the folks at Pentasafe have tried to branch out beyond their AS/400 roots. The Pentasafe product line now includes Unix, Windows NT, Apache, Netscape, and more.
Despite our general malaise about the new security technologies appearing on the market, we saw some glimmers of hope. The first surprise was in G-Server, by Gilian. This start-up has developed a Web site protection product that works in a similar fashion to AppShield, by Perfecto Technologies, but with a twist.
AppShield provides a mechanism for limiting the type of bogus data and traffic being sent to your Web server by acting as a filtering mechanism and comparing the data being sent to the client against the data being sent back to the server. G-Server takes a different approach. The product claims to prevent altered Web pages from leaving your network by comparing a signature of each original Web page with the signature of the page being sent to the client. Therefore, if a Web page is altered on the server, it would never reach your customers' eyes. Instead, the product reportedly displays the original Web page in place of the altered one; the client is none the wiser.
A number of issues with this type of technology point to a critical fact regarding security technologies: No one solution will solve your security problems. The company (wisely) does not claim to prevent all Web attacks. In fact, we pointed out more than a few weaknesses in its design -- including hidden-tag attacks, input validation attacks, and dynamic content issues such as server-side includes and ASP (Active Server Pages)/CGI content. To its credit, Gilian admits to these limitations -- making us even more interested in testing G-Server's merits.
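A minimal sketch of the outbound signature check described above and of the dynamic-content gap among its limitations. This is an added example, not Gilian's code or G-Server's actual design; the class name, the choice of SHA-256, and the paths and page bodies are assumptions constructed for illustration.

```python
import hashlib
import hmac

def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

class EgressIntegrityFilter:
    """Hypothetical outbound filter holding known-good copies of static pages.

    The originals and their digests are assumed to live off the Web server,
    so an attacker who alters the server's files cannot alter the baseline.
    """
    def __init__(self, originals: dict):
        self.originals = dict(originals)
        self.baseline = {p: digest(b) for p, b in self.originals.items()}

    def check(self, path: str, served: bytes):
        expected = self.baseline.get(path)
        if expected is None:
            # Dynamic output (CGI, ASP, server-side includes) differs per
            # request, so no fixed signature exists; it passes unchecked.
            return "unverified", served
        if hmac.compare_digest(expected, digest(served)):
            return "ok", served
        # Altered static page: send the stored original instead.
        return "replaced", self.originals[path]

# Constructed sample data, not taken from any real site.
ORIGINALS = {
    "/index.html": b"<html><body>Welcome to Example Corp</body></html>",
    "/about.html": b"<html><body>About us</body></html>",
}
SERVED = [
    ("/index.html", b"<html><body>Altered front page</body></html>"),
    ("/about.html", ORIGINALS["/about.html"]),
    ("/cgi-bin/search", b"<html><body>Results for: widgets</body></html>"),
]

def run_demo():
    f = EgressIntegrityFilter(ORIGINALS)
    return [(path, f.check(path, body)[0]) for path, body in SERVED]

if __name__ == "__main__":
    for path, verdict in run_demo():
        print(f"{verdict:10s} {path}")
```

The "unverified" verdict is the practical point: any response generated per request falls outside the baseline, so a deployment of this kind needs a separate control for dynamic content.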
Overall we were encouraged by the show's great attendance, vendor participation, and, as always, its speaker list; but we wonder if the lack of technical innovation is a sign of things to come. Either the industry has embarked on a downward slide or it's simply the calm before the storm. Either way, we'll be there for the ride.
What do you think about product solutions? Let us know at firstname.lastname@example.org.
Stuart McClure is President and CTO and Joel Scambray is a Managing Principal at security consultant Foundstone (www.foundstone.com).