At the Computer Security Institute Conference in Washington, D.C., held last week, the CEOs of F5 Networks, Imperva, NetContinuum, and Teros challenged their larger rivals to join them in putting their products to the test before ICSA Labs, an independent information-security-product certifier. Their goal is to promote more consistent metrics for customers to evaluate products.
In a prepared statement, the foursome suggest that some of their larger rivals are selling security short. "We are united regarding the minimum criteria that any security product must meet to provide acceptable protection for mission-critical Web applications," the companies state. "We believe these minimums aren't being met by many vendors. The result is a false sense of security that exposes consumers and corporations to a higher risk of identity theft and other similar data-loss threats. Our goal is to pave the way for minimum standards that will ensure the safety of consumers as well as corporate and government environments on the Web."
The application-security vendors "normally don't talk to each other," says Bob Walters, CEO of Teros. "But we came together to help improve the situation." Gene Banman, CEO of NetContinuum, notes that his company and its allies have built their businesses around better Web-application security.
"It's pretty remarkable that these companies have come together," says James Slaby, an analyst with the Yankee Group. "It shows the difficulty of competing against entrenched incumbents."
The criticisms are accurate, Slaby says. The smaller, specialized vendors offer application-specific security that considers the context of external network requests, as opposed to generic packet filtering typically offered by the larger vendors. Slaby suggests that packet filtering isn't enough to identify some attacks.
Even so, it may be tough for the specialized vendors to convince the market of their merits. "The buyers want to believe what the big guys are telling them," Slaby observes. The major players in the security market probably are aware of their deficiencies, he says, and may correct them through future development or by acquiring companies and their technologies.