At the Computer Security Institute's 31st Annual Security Conference and Exhibition, leading vendors in the application security market announced they have joined forces to help define more consistent and reliable standards for customers. Jeff Pancottine, senior vice president and general manager of the Security Business Unit for F5 Networks; Shlomo Kramer, CEO of Imperva; Gene Banman, CEO of NetContinuum; and Bob Walters, CEO of Teros have invited Check Point Software Technologies, Cisco Systems, Juniper Networks, McAfee and Symantec to join them in submitting their products to an independent application security evaluation conducted by ICSA Labs, the global leader in information security product certification.

"With a wide array of security technologies to choose from and a lack of criteria for what constitutes adequate application protection, selecting appropriate solutions to protect the Web-enabled enterprise is daunting," said Mary Ann Davidson, chief security officer for Oracle Corp. "Objective, independent standards for evaluating Web application security solutions will make it easier for IT security executives to make better informed purchasing decisions."

According to a joint statement issued by the companies: "Each of our companies offers architecturally different solutions, and we compete with each other in the marketplace. At the same time, we are united regarding the minimum criteria that any security product must meet to provide acceptable protection for mission-critical Web applications. We believe these minimums are not being met by many vendors, despite marketing claims that strongly imply such protection. The result is a false sense of security that exposes consumers and corporations to a higher risk of identity theft and other similar data loss threats. Our goal is to pave the way for minimum standards that will ensure the safety of consumers as well as corporate and government environments on the Web."

"This kind of multi-vendor collaboration is a positive development for buyers of application security. Like the established test criteria for network firewalls, a standard set of baseline criteria for application firewalls can be helpful in reducing the effort in product selection. Maintaining vendor neutrality will be a critical success factor for this effort moving forward," said Greg Young, research director with Gartner Inc.

Application security is slated to become a $2 billion market over the next five years according to a recent industry survey by research firm Yankee Group ("Spending on Application Security Accelerates Security BPO," September 2004). However, the lack of established industry best practices, combined with inconsistent and confusing vendor claims, have made it difficult for IT decision makers to identify products that provide legitimate protection against Web application exploits. The result is a greater risk of identity theft and security breaches that expose confidential data and violate customer confidentiality.

"Web applications often link directly to sensitive business data, making them a prime target for hackers intent on stealing financial and identity data. Organizations that do not take this threat seriously expose themselves to significant risk and increased legal liabilities," said Jim Slaby, senior analyst at The Yankee Group. "Open initiatives by vendors to self-regulate their industry benefit customers by helping establish minimum baselines for comparing security products and sorting through sometimes confusing marketing messages."