by Eric Ogren

Assessing What’s Hot in Web Application Security

Jul 28, 2003 (3 min read)

Web applications running on open architectures have become breeding grounds for security vulnerabilities. Enterprises and government organizations embrace Web applications as a cost-effective means to open new revenue-generating product lines, to cut the operational expenses of communicating with suppliers, and to increase customer satisfaction by improving the convenience of completing transactions.

The benefits come at a price: corporate networks that once were shielded by a security perimeter are now exposed to the world of Internet users. These architectural changes stand in direct contrast to the hard-perimeter techniques that dominated security in the 1990s.

In our evaluation of the Web application security market, the Yankee Group interviewed product vendors and enterprise security managers to identify the characteristics of leading security products. We specifically paid attention to ways to prevent damage from attacks, manageability, scalability, performance, strategic partnerships within the security community, depth of product offering, working relationships with application and platform vendors, and noteworthy enterprise customer successes.

The Yankee Group estimates that the market for Web application security products and services was worth $140 million in 2002, and predicts that it will grow at a compound annual growth rate (CAGR) of 65 percent to $1.74 billion by 2007.

Web application security will be one of the hottest segments of the security industry over the next 5 years. There will be fundamental shifts in the layers of defense to make room for white-list prevention. Host intrusion-prevention (HIP) products will become essential components in all Web application deployments, and Web application gateways (WAGs) will become common for medium and large-scale enterprises. Web security assessment software will start to become standard operating procedure for network auditing. Web application security is in for an exciting ride, with the next wave of security innovation for Web services not too far away.

Future Directions and Predictions

  • The Web application security market will be the hottest sector in Internet security, growing 100 percent in 2003. Enterprises will allocate budget for WAG evaluations from IDS and firewall line items before officially budgeting for Web application gateways in 2004.
  • Web application gateways generate shifts in security architectures. The market acceptance of WAGs leads HIP products to focus on operating platform and custom application protection; firewalls and security service switches add WAG blades as options to enhance their validation of well-formed protocol packets and remote-user authentication; intrusion detection systems become tools for audit capability.
  • Web application gateways will evolve to provide Web services functionality over the next 3 years. Security for Web services, characterized by XML/SOAP messages, will appear in HIP products in 2 years followed by WAG implementations within 3 years. Look for Forum Systems, DataPower, and Vordel software kits to be primary targets for partnership or acquisition.
  • Initial product purchases will be driven by revenue-generating e-commerce applications and compliance needs to preserve consumer privacy.
  • Web application gateways consolidate performance features. WAGs will incorporate operational performance features such as load balancing, content caching, and content filtering. These will be offered as optional product line extensions to reduce the total customer footprint for security devices, and to lessen administrative overhead.