Fortify Extends On-The-Fly Web App Protection To .Net
Fortify Software, which has for the past year offered an on-the-fly approach to securing Java-based Web applications, has extended that coverage to include .Net as well.
As the "month of (insert Web application here) bugs" campaign drags on with MySpace as the latest target, the pressure to bolster the security of Web applications continues to mount. Any company looking to protect itself from these dissections, or from more general attacks, needs to quickly find some way of defending its Web applications, whether those apps were written using the Java or Microsoft .Net platforms. Fortify Software, which has for the past year offered an on-the-fly approach to securing Java-based Web applications, Monday extended that coverage to include .Net as well.
Fortify Defender for .Net takes a Web application's already compiled code and inserts what it calls "guards," pieces of code that act as security checkpoints for data coming into an application from the network. These guards check the incoming data against security policies defined by the company running the Web application to determine whether the data can be allowed through or should be blocked because it appears to be part of a SQL injection, cross-site scripting, or buffer overflow attack.
"We take the Java or .Net binary code and inject guards around the application and any APIs associated with that application that could be exploited," says Barmak Meftah, Fortify's VP of products and services. "And we can do that without needing access to the application's source code."
Another key feature of Defender, which was known as Fortify Application Defense when it was introduced a year ago, is its ability to continue to protect Web applications, such as corporate Web mail, even if an attacker gets past an identity management system. Defender can be set to expire user sessions and require users to re-authenticate themselves regularly.
Defender is most commonly used when companies aren't able to analyze a Web application's source code, whether for lack of time or access to the code. Defender also provides information about where an attack has originated and the time of day the attacks peak against a particular Web application.
The 554th Electronic Systems Wing, a unit of the Air Force Electronic Systems Center at Hanscom AFB, Mass., is using Defender to help protect and monitor its Java and .Net applications, Fortify said on Monday. The 554th Electronic Systems Wing develops, fields, sustains, and operates worldwide communications, computer, and force protection systems and capabilities for the president, secretary of defense, chairman of the Joint Chiefs of Staff, unified combatant commanders, services, and specified Department of Defense and non-DoD agencies to direct military forces.