Businesses large and small are now taking application security seriously. The application is the doorway to their sensitive data, and criminals are exploiting apps to get at the good stuff.
Add regulatory requirements that strongly imply or, in the case of the Payment Card Industry Data Security Standard (PCI DSS), have specific code review and/or Web application firewalls, and it means growing sales and service opportunities for the channel in what was a peripheral market just a couple of years ago.
Web application firewalls (WAFs) in particular are strong sellers in what had been a largely greenfield sales landscape. PCI DSS Requirement 6.6 mandates that organizations implement a WAF or conduct application code reviews. For many companies, WAF is an easy, quick path to compliance.
"There was a group of analysts who thought the PCI DSS 1.1 deadline (in 2007) would be the end of the upswing for Web application firewalls," said Sanjay Mehta, senior vice president at Breach Security Inc., based in Carlsbad, Calif. "But PCI demand really kicked in the second half of last year."
Consequently, vendors in the Web application firewall market are beefing up their channel programs, and more security solution providers are either adding WAF as a stand-alone offering or part of an integrated application security practice.
Vendors that enjoyed some success in enterprise sales are now seeing fast growth on the lower half of the Web application firewall market. Imperva Inc., for example, said the percentage of revenue, which has been as high as 75% on the enterprise side, started shifting rapidly to smaller organizations last year.
A number of vendors in the Web application firewall market have responded to this new demand by releasing small to midsized business (SMB) versions of their appliances with the same functionality as the big boxes, but with lower throughput capabilities and without some large-network features, such as load-balancing.
While compliance is a powerful purchasing motivator, especially in the short term, many organizations recognize that application attacks are a serious business threat, even to smaller companies. Everyone has sensitive data, and everyone does business online.
"There's a big push for brand protection by banks and well-known consumer brands whose customer data they believe is at risk," said Chris Richter, vice president of security products and services for Savvis Inc., an IT infrastructure services provider in Town and Country, Missouri, which recently announced managed WAF services based on Imperva appliances. "The greater the value of information assets that can be accessed through the Web, the higher the perceived risk of Web application exploits."
Large enterprises have responded by creating application security groups, and are looking at WAFs' business benefits in addition to security.
"Enterprises are looking at the business side, not just security," said Gordon Shevlin, executive vice president for Fishnet Security Inc. "They are addressing the speeds and feeds of that particular application as well. That's the change."
So, if you're not yet in the WAF business, what does it take and how do you know it's a good fit?
"We flock to guys who have deep security experience," said Breach's Mehta. "We ascertain if they are just experienced in terms of moving gear, or actually have deep expertise to follow on."
For example, Breach partner Sun Management, a regional security company operating from Philadelphia to South Carolina, focuses its business on a handful of technologies and chooses just one good product to sell and support in each.
"Since we're only carrying 4-5 products," said John Vanderzon, Sun's chief technology officer, "our sales guys are extremely focused; our engineers are extremely focused."
On the higher end of the channel spectrum are companies like FishNet, which has a dedicated application security practice, what Shevlin likes to describe as one of his company's security "buckets."
Generally speaking, if your company specializes in information security, or has a strong security practice, the leap to WAF is not unduly difficult. Engineers with experience installing network firewalls and IPSes won't face a very steep learning curve.
The tough part is in supporting the WAF after you get it up and running. Many companies don't have the application security expertise and/or don't want the added cost required for the care and feeding of Web application firewalls. That means more training/expertise to make your people into WAF experts.
"Application security is very complicated. Compare it to network security, where you get to a couple of hundred rules and call your vendor or VAR to simplify," said Mark Kraynak, vice president of marketing for Imperva Inc. "An effective application security rule base has 100,000 or even million kinds of rules, because an application has that kind of complexity."
That's not so bad for small companies, which may have one or two Web apps that front their corporate data. However, larger enterprises have hundreds, even thousands of applications.
"Large enterprises typically have lots and lots of applications, some internal, some outsourced, some from acquisition," Mehta said. "The complex dynamic of applications, their sources and how frequently they change is much more severe for the enterprise."
Effective WAFs have to be highly automated and intelligent, dynamically creating profiles by "learning" the application. They also periodically need tuning, one of a number of value-added services that present additional revenue opportunities for the channel.
In addition to training, tuning and servicing, VARs can offer reports and security assessments based on quarterly analysis of WAF data, for example. Based on the findings, a channel partner can deliver remediation services as well.
Those service opportunities are beginning to migrate to full-blown managed security services as well. For example, in addition to Savvis, SecureWorks and Verisign have announced Imperva-based WAF services. Mehta said Breach has a number of small and hybrid service provider partners, and expects announcements of larger partnerships in the near future.
As with every emerging market, solution providers gain experience supporting individual engagements, observe the rise in customer demand and decide whether to take the plunge.
"With every service, there have to be concerns about market viability, difficulty to manage and support. WAF was no different," said Savvis' Richter. "We were in beta for more than a year, and working closely with customers allowed us to gain a solid understanding of support requirements."
Savvis learned that WAFs are very support-intensive, requiring tuning for each app and 24x7 monitoring and management. For Savvis, that's a good thing.
"It's the kind of labor and effort and expertise that customers aren't equipped to handle on their own in most cases," Richter said. "So, it's a perfect candidate for managed services."
The Web application firewall market is looking very promising for the channel.
"Channel has figured out that after making 30 points on a box and 10% on support, they can make $5,000 to $15,000 a year around services that are relatively automated," Mehta said.
Imperva's Kraynak said channel-initiated deals accounted for 25% of sales at the beginning of 2008. That number is now 50%.
And the market remains strong in tough times, he said.
"The average discount in Q1 dropped. Even in down economy, we've been able to have pretty strong pricing."