Ten questions to ask about application security systems

Computerworld - Robust application security is necessary to ensure Web site availability and to protect sensitive customer and corporate data and application-enabled revenue. However, there's growing confusion about what constitutes application security and how it's achieved.
The following 10 questions will help you evaluate whether a product delivers true application protection.
1. Does it inspect application communications or just packets?
To reliably identify application-layer threats, a security appliance must "see" the same communication stream as the application it is protecting. This means the security device must perform a full deconstruction of the HTML data payload, as well as track the state of each application session. It is technologically impossible to analyze application behavior through simple inspection of IP packets, either individually or reassembled into their original sequence.
2. Does it detect and defeat encrypted application attacks?
Virtually all Web applications that process confidential customer or corporate information use Secure Sockets Layer encryption to protect both the confidentiality and integrity of data while in transit. However, SSL also provides hackers with a useful tool to evade detection because it's impossible to detect attacks that are strongly encrypted. Therefore, application-layer security can be performed only if SSL-encrypted traffic is decrypted into its original clear text form prior to inspection.
3. Does it protect the application infrastructure and users?
Application security involves protecting all elements of an application infrastructure (e.g., server operating system, application program and back-end databases), as well as users of the application. Protecting the application program and application data isn't sufficient. Trust relationships with users must also be closely guarded to ensure the continuing business viability of the application. For example, an application security product should thwart the hijacking of user sessions.
4. Does it defeat zero-day attacks?
Zero-day attacks come in two varieties: attacks exploiting vulnerabilities in custom applications, and attacks aimed at vulnerable packaged applications for which a patch has not yet been released. An application security solution must detect and defeat all forms of zero-day attacks. Using attack signatures or event correlation will fail to protect against zero-day attacks. A positive security model that understands and enforces correct application behavior in real time is the only viable defense for zero-day attacks.
5. Does it cloak application infrastructure elements?
Many attacks against Web applications are custom-crafted and designed to exploit security vulnerabilities in the application infrastructure. Effective reconnaissance can help the hacker focus his attack methodology, target a smaller number of potential security weaknesses and craft more damaging attacks. At a minimum, a Web application protection solution should provide the