Fortify Extends On-The-Fly Web App Protection To .Net - InformationWeek

Fortify Software, which has for the past year offered an on-the-fly approach to securing Java-based Web applications, has extended that coverage to include .Net as well.

As the "month of (insert Web application here) bugs" campaign drags on with MySpace as the latest target, the pressure to bolster the security of Web applications continues to mount. Any company looking to protect itself from these dissections, or from more general attacks, needs to quickly find some way of defending its Web applications, whether those apps were written using the Java or Microsoft .Net platforms. Fortify Software, which has for the past year offered an on-the-fly approach to securing Java-based Web applications, Monday extended that coverage to include .Net as well.

Fortify Defender for .Net takes a Web application's already compiled code and inserts what it calls "guards," pieces of code that act as security checkpoints for data coming into an application from the network. These guards check the incoming data against security policies defined by the company running the Web application to determine whether the data can be allowed through or should be blocked because it appears to be attempting a SQL injection, cross-site scripting attack, or buffer overflow.

"We take the Java or .Net binary code and inject guards around the application and any APIs associated with that application that could be exploited," says Barmak Meftah, Fortify's VP of products and services. "And we can do that without needing access to the application's source code."

Another key feature of Defender, which was known as Fortify Application Defense when it was introduced a year ago, is its ability to continue to protect Web applications, such as corporate Web mail, even if an attacker gets past an identity management system. Defender can be set to expire user sessions and require users to re-authenticate themselves regularly.

Defender is most commonly used when companies aren't able to analyze a Web application's source code, whether for lack of time or access to the code. Defender also provides information about where an attack has originated and the time of day the attacks peak against a particular Web application.

The 554th Electronic Systems Wing, a unit of the Air Force Electronic Systems Center at Hanscom AFB, Mass., is using Defender to help protect and monitor its Java and .Net applications, Fortify said on Monday. The 554th Electronic Systems Wing develops, fields, sustains, and operates worldwide communications, computer, and force protection systems and capabilities for the president, secretary of defense, chairman of the Joint Chiefs of Staff, unified combatant commanders, services, and specified Department of Defense and non-DoD agencies to direct military forces.
