Study: Web Security Spending To Surge

Spending on Web security efforts is expected to triple in the next four years, according to a new report released by research firm IDC.

The report predicted that security spending will increase 60.5 percent annually to nearly US$700 million by 2006, compared with $65 million in 2001.

According to IDC, while enterprises continue to invest in security measures like firewall protection, Web sites and applications continue to fall victim to hackers and crackers.

“Web presence for businesses today is essential; but just as it is essential, it is also the center of security problems,” said Charles Kolodgy, research manager of IDC’s Internet Security Software service.

“Securing Web sites and the corresponding applications and databases is a difficult problem, as Web sites exist to be accessible and firewall ports need to be left open for communication,” Kolodgy added.

Security Focus Misaligned

The IDC report pointed to security at the application layer as the most vulnerable, noting that most efforts at protection are built instead around the network layer.

Kolodgy told the E-Commerce Times that as corporations begin to make Web security a business focus, as opposed to an IT focus, and as they place more e-commerce and critical functions online, spending in these areas will increase.

“The Web presence needs a tighter type of security,” he said. “Unlike your back-end systems or your corporate network, where you have definitive entrance and authentication measures, your Web site is just there.”

The report identified the weak areas in a majority of companies’ Web server and application security. They included the use of firewalls and IDS (intrusion detection systems) to secure the application layer, poor programming of CGI scripts and bugs in Web server applications, source code that is available for viewing by users, and freely available hacking tools.

The report noted that it is not uncommon for Web sites to add so much new code daily that operators are unable to maintain patches or fix holes in systems.

Change in Attacks

Certain types of attacks, according to IDC, are relatively easy to launch, including efforts to “poison” a Web sites’ cookies to gain unauthorized information about a server. As applications do not expect anyone to change cookies, they may process a poisoned cookie that modifies fixed data fields.

Hackers also may employ a tactic called cross-site scripting in which malicious code, usually in the form of a script tag, is added to a URL, then executed when a user clicks on that URL.

The report also highlighted the practice of modifying a URL by using various characters and symbols to bypass Web controls and break out of a server’s root directory to access files.

Methods to thwart such attacks, IDC said, include the use of host intrusion prevention and detection systems, application shields, GAP appliances to physically separate different networks, exit control to prevent the display of unauthorized alternation to the content of a Web site and vulnerability assessment scanning.

Security Companies Thriving

Security-related companies are already feeling the effects of a corporate and consumer focus on keeping systems safe from attack.

Security firm Symantec on Wednesday announced plans to purchase SecurityFocus, Recourse Technologies and Riptech in separate acquisitions worth a total of $355 million.

The company also reported fiscal first-quarter results that outpaced Wall Street expectations, attributing its strong showing in part to robust consumer sales of antivirus software. Earnings for the quarter totaled $56.6 million, up from a net loss of $21.2 million in the year-ago period.