Rohit Gupta: June 2008 Archives

It seems that there is renewed interest in protecting enterprise applications (e.g. SAP).  Our own Sharon Besser blogged about it, McAfee's Rees Johnson blogged about it as well, and Eric Kang has commented on how PCI DSS applies to SAP.  SAP even has a list of complementary security providers (software, hardware and services) on its site (yes, Imperva is on this list as well).

Why is there so much focus on protecting applications that enterprises use to run their business?  Well, if you need to ask... But seriously, do think back for a bit and see what your own applications contain.  I suspect that most companies keep at least the following data:

  • Customer names, addresses, credit references, payment history, tax ID numbers, etc.
  • Employee names, social security numbers, addresses, bank account numbers (for automatic deposit of paychecks)
  • Supplier/partner information (similar to customer information above)

You can see why the "bad guys" are after enterprise applications now.  And, as Eric Kang noted above, most PCI consultants don't understand ERP applications.  The problem here is obvious; the solutions, not so much.  I could talk about how our SAP-certified WAF is one answer to this and how our DAM solution is another, but then I would be pitching products...

Today is an exciting day for Imperva (and for me) as we are launching what I consider to be an extremely valuable offering that ties two distinct markets into an integrated solution.  I am talking about putting together penetration testing (aka black box testing) and web application firewalls.  While this concept has been tossed around recently in a few places - Gartner is quoted in Dark Reading and Rich Mogull wrote about it at Securosis.com - the actual integration and idea goes beyond the run-of-the-mill "let's reuse results" approach of other integrations like this.  Let me explain.

Imperva is allowing customers to make decisions on what and when to fix vulnerabilities in their web applications on their own schedule.  While that part is not necessarily new, what is new is that Imperva is opening up the web application firewall as a platform so penetration testing tools from more than one vendor can integrate with it.  And, here is the really different part, Imperva is also allowing these partners to take data from the web application firewall and improve the scanning process.  This "feedback" loop allows scanners to narrow the scope of the scan to just what has changed in the application, focus in on the areas of the application that handle sensitive data (e.g. credit card information) and provide additional insight into those parts of the application that are typically inaccessible to automated tools (e.g. those that require writing to the database or are accessed by completing transactions only).

This concept of improving the behavior of web application firewalls by taking ContentIn and giving relevant InformationOut is new and lends itself to other technologies, all aimed at improving the security of the infrastructure - did someone say Adaptive Security?

-- Rohit Gupta, VP Business Development, Imperva
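As an added illustration, and not Imperva's code or API, here is a sketch of the two directions of the feedback loop described above: the WAF's learned traffic profile scopes the next scan, and findings the owner has not yet fixed become blocking rules in the meantime. The `ProfiledPath` and `Finding` schemas and the sample data are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ProfiledPath:
    """One URL as learned by the WAF's traffic profile (hypothetical schema)."""
    path: str
    last_changed: datetime    # WAF first saw a new parameter or form here
    sensitive: bool           # WAF observed card-number-like data in responses
    transactional: bool       # reachable only by completing a multi-step transaction


@dataclass(frozen=True)
class Finding:
    """One scanner result (hypothetical schema)."""
    path: str
    param: str
    vuln_class: str


def scan_scope(profile, last_scan):
    """WAF -> scanner: scan only paths changed since the last scan or flagged as
    handling sensitive data; list transactional paths separately so they can be
    covered by a credentialed or manual test the crawler cannot perform."""
    automatic = sorted({p.path for p in profile
                        if p.last_changed > last_scan or p.sensitive})
    manual = sorted({p.path for p in profile if p.transactional})
    return automatic, manual


def shielding_rules(findings, fixed):
    """Scanner -> WAF: for each finding not yet fixed, emit a blocking rule keyed
    on the vulnerable path and parameter, so the code fix can follow the
    application owner's own release schedule."""
    return [{"path": f.path, "param": f.param, "block": f.vuln_class}
            for f in findings if (f.path, f.param) not in fixed]


# Constructed sample data: a three-page profile and two scanner findings.
PROFILE = [
    ProfiledPath("/login", datetime(2008, 5, 1), False, False),
    ProfiledPath("/checkout/pay", datetime(2008, 6, 10), True, True),
    ProfiledPath("/account/edit", datetime(2008, 6, 12), False, False),
]
FINDINGS = [Finding("/account/edit", "name", "xss"),
            Finding("/checkout/pay", "card", "sqli")]
LAST_SCAN = datetime(2008, 6, 5)

if __name__ == "__main__":
    print("scan scope:", scan_scope(PROFILE, LAST_SCAN))
    print("rules:", shielding_rules(FINDINGS, fixed={("/account/edit", "name")}))
```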
