
GoGrid and art of defence Partner to Provide First Distributed Web Application Firewall (dWAF) in the Cloud

March 2nd, 2010

Today art of defence and GoGrid announced the availability of the industry’s first Distributed Web Application Firewall running within the GoGrid cloud. This is a cloud-based SaaS (Software as a Service) solution called hyperguard™ that can be deployed quickly using a GoGrid Partner Server Image (GSI). By using a GoGrid Server Image running art of defence’s hyperguard SaaS, customers receive application-level protection within their cloud environment, beyond what network-layer controls provide.

After deploying the hyperguard-enabled GoGrid Server Image, GoGrid users only have to configure their applications and their respective protection levels through hyperguard’s web-based GUI, which provides attack detection and protection at the web application layer. hyperguard SaaS basic (which is currently available on GoGrid for $39/mo/server plus associated GoGrid RAM/Bandwidth costs) offers web application security monitoring, detection-only and protection modes.

Hyperguard SaaS Standard dWAF provides the following key capabilities:

  • Security monitoring at the application layer for attacks such as SQL injection, cross-site scripting and the OWASP Top 10, for all applications delivered on the hyperguard web server GSI
  • Comprehensive baseline protection against known attacks at the application layer – only if rule sets are run in protection mode
  • Automated updates of baseline protection rule sets by art of defence – with testing capability for these new rule sets via detect-only mode

The GoGrid Server Image is available now through GoGrid.

More information about art of defence within the GoGrid Exchange is available here.

The full press release is available online as well as below:

art of defence Expands Availability of Industry’s First Distributed WAF (dWAF) as a SaaS With GoGrid Partnership

Company Focused on Making Real Web Application Security Available for All Cloud Computing Needs

SAN FRANCISCO, CA–(Marketwire – March 2, 2010) – Today, art of defence, the leading distributed web application firewall (dWAF) provider, announced the industry’s first cloud-based SaaS solution, hyperguard™ SaaS, is now available through the GoGrid Cloud. GoGrid customers can access hyperguard SaaS by simply deploying a GoGrid Partner Server Image (GSI) with hyperguard SaaS installed.

This announcement marks another step closer to reaching art of defence’s goal of providing universally accessible web application security to companies using cloud computing. By integrating a dWAF right into a virtual image and hosted as a SaaS, customers overcome the false sense of security created by traditional network perimeter security strategies which fail at the application level.

The first of several service levels to be rolled out, hyperguard SaaS Standard, offers users web application security monitoring, detection-only and protection modes. hyperguard’s SaaS delivery model allows customers the freedom to pay on a use-case basis and avoid having to invest in owning and maintaining a solution themselves. For a limited time, art of defence and GoGrid will offer a $100 GoGrid credit to test the service. Full details for the solution and the promotion can be found at http://gogrid.artofdefence.com.

Key hyperguard SaaS Standard Facts

  • Web application security monitoring enables customers to understand the risk and exposure of their cloud applications to known attacks at the application layer without hyperguard SaaS Standard interfering with web traffic.
  • ‘Detection only mode’ allows rule-sets to be tested but not enforced, alongside rule-sets in ‘protection mode’ that enforce already proven security policies.
  • hyperguard SaaS Standard is ideally suited for GoGrid customers who want application-level protection beyond the network layer for their cloud offerings.
  • For companies relying on the GoGrid Cloud for application overflow resources, hyperguard SaaS Standard defends users’ custom applications on the cloud.

Supporting Quotes

  • “Use of cloud computing is on the rise as companies shift from testing services to beginning to rely on them for critical business applications and we’re excited to work with GoGrid who is at the forefront of providing these services,” said Georg Hess, founder and CEO, art of defence. “As the migration continues, web application security gets put under the microscope and traditional WAFs just don’t hold up to the rigors of fully virtualized environments. When we launched the world’s first distributed WAF, we targeted these challenges specifically and the uptake we’ve experienced in this approach shows we made the right decision.”

Tags
GoGrid, cloud, art of defence, hyperguard, WAF, web application, security

About art of defence
Founded in 2005, art of defence established its San Francisco-based North American headquarters in 2009. Focused exclusively on providing comprehensive web application security technology on any scale, art of defence’s distributed web application firewall (dWAF) technology, hyperguard™, is the industry’s first WAF SaaS offering. Available in many forms, hyperguard is the most flexible solution on the market today. Customers have access to the solution as a software plug-in, virtual appliance, hardware appliance or as a standalone software solution.

The company serves the financial services, eCommerce, technology, telecommunication and public sector markets exclusively through OEM/technology and reseller channel partners. art of defence partners with leading technology providers like GoGrid, Amazon Web Services, Microsoft, Zeus, GeNUA, and Armorize. Regensburg, Germany, remains the global headquarters for the European and Asian markets in addition to North America.

For more information about art of defence, visit: www.artofdefence.com/en.

About GoGrid
GoGrid is the Global LEADER in Hybrid Cloud Infrastructure that delivers true “Control in the Cloud™.” GoGrid enables sysadmins, developers, IT professionals and SaaS vendors to create, deploy, and control free f5 load balanced cloud & dedicated servers and complex hosted virtual server networks with full root access/administrative server control which includes personal server images (known as MyGSIs). GoGrid server instances maintain industry standard specifications with no requirement to learn and adapt to proprietary standards. Deploying GoGrid infrastructure takes minutes via a unique, award winning web control panel or GoGrid’s API. GoGrid delivers portal controlled servers for Windows Server 2003/2008, SQL Server, and ASP.NET, as well as multiple Linux server operating systems like RHEL and CentOS. GoGrid gives users the control of a familiar datacenter environment with the flexibility and immediate scalability of the cloud, a “cloudcenter.”

To learn more, visit www.gogrid.com.

To view other GoGrid Partners, we recommend that you visit the GoGrid Exchange for a variety of Software & Application, Development & Test, Disaster Recovery & Backup, Cloud Management, and Security, Monitoring & Reporting solutions now available within the GoGrid Cloud.

Michael Sheehan

Michael Sheehan, formerly the Technology Evangelist for GoGrid, is a recognized technology, social media, and cloud computing pundit and blogger who writes regularly about technology news and trends.

3 Responses to “GoGrid and art of defence Partner to Provide First Distributed Web Application Firewall (dWAF) in the Cloud”

  1. [...] GoGrid customers are able to access the solution by simply deploying a GoGrid Partner Server Image (GSI) with hyperguard SaaS installed. By integrating a dWAF right into a virtual image and hosted as a SaaS, customers overcome the false sense of security created by traditional network perimeter security strategies which fail at the application level. [...]

  2. @atdre says:

    I just wanted to let you know that this is not going to work.

    There are many organizations that have not adopted this strategy or similar because they have seen it fail. Please reconsider what you are doing. It may lead to unhappy customers, who are sold something that they get zero value from.

    Every application security expert I've ever talked to has concluded that a blacklist approach to application security works significantly less well than blacklist applied to anti-virus or firewall.

    As a replacement to whitelist input validation (or as monitoring), web application firewalls continue to provide less value than building these into the application themselves, via normal coding methods or perhaps even an aspect-oriented point-cut architecture. Logging directly from the application can add a significant amount of context, and it can be centralized along with other security measures. Data validation, while still very important today, is much less important than properly parameterizing data queries with proper variable binding and use of SQL clauses/statements. Data validation is also much less important than proper canonicalization and use of output encoding. However, data validation is still very important, and it works best when used in abstraction layers that control and define the validation relationships directly to the data (something that only an application can do).

    Web application firewalls also suffer in many multi-tier architectures, especially in modern applications that contain integration tiers. A WAF can only monitor/protect a minimum amount of attacks the client-to-presentation-tier. It cannot monitor/protect the formatting tier, the behavior tier, the data tiers, the integration tiers, etc. Does a WAF protect or monitor attacks against Ajax, Flash, or Silverlight?

    I urge you to not promote products that only work as a blacklist at the HTTP or TLS layer. Further, if a WAF intercepts TLS, this could be a severe violation against many compliance standards (especially in the way that the WAF handles the sensitive data, including session management keys, cookies, et al).

    • Re: @atdre’s comment, he’s absolutely right that blacklisting-only is a terrible way to use a WAF. He missed the point of hyperguard, however, and perhaps didn’t have a chance to look at the product in entirety.

      To clarify our product, hyperguard can black, white and gray-list data, including HTML and SOAP, XML or JSON which are used by products like Silverlight, Flash and AJAX-based frameworks. It also has proactive security features to protect the architectural layer of applications, like broken authentication, session management or data leakage through URLs and other parameters. These are really important problems that typically take a long time to patch and fix at the developer level.

      I also agree with @atdre’s comments about secure development from scratch, however, he should be well aware of the fact that currently 80% of all attacks target web applications because they haven’t been developed this way. Further, the IBM X-FORCE report in 2009 highlighted that a shocking 75% of all web application vulnerabilities took more than a year to fix.

      @atdre is speaking about a perfect world – we are not in a perfect world. Defense in depth and 'security as a process' will take root in companies over time (I hope!), which should include a variety of tools and best practices such as source code reviews (tool-based and by hand), peer reviews, a WAF and external/internal audits.

      Unfortunately, rarely do companies have a secure development lifecycle, regular code or peer reviews, penetration tests, proper tools or static source code checks in place in order to develop the perfectly secure application. For these web applications, a blacklist approach can be a good start while the company has time to implement a whole cycle of steps towards securing the application.

      Further, companies are deploying 3rd party applications quite frequently that compound this issue. I may be able to securely develop my own web applications, but I have little control over the development processes of my vendors. A comprehensive WAF is a good first line of defense.

      For companies who don’t have the expertise that @atdre speaks of, GoGrid and art of defence are able to provide very good web application security, at the application itself, through a cloud model. A perfect world is a worthy goal to reach for and until we get there, companies should look at how a WAF can help.
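
The contrast the two comments above debate, signature (blacklist) filtering versus parameterized queries with variable binding, shown as an added example that is not part of either comment and is not hyperguard code. The rule set, table and inputs are constructed for illustration; a real WAF rule set is far larger, but the structural point is the same: a signature list covers the inputs it anticipates, while binding removes the parsing ambiguity entirely.

```python
import re
import sqlite3

# Constructed signature list in the style of a blacklist rule set (hypothetical rules).
BLACKLIST = [
    re.compile(r"\bunion\b\s+\bselect\b", re.I),
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"--|;|/\*"),
]

def blacklist_allows(value: str) -> bool:
    """Return True when no signature matches, i.e. the request would pass."""
    return not any(rule.search(value) for rule in BLACKLIST)

def make_db() -> sqlite3.Connection:
    """Build a small in-memory table of constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 100), ("bob", 250)])
    return db

def lookup_concatenated(db: sqlite3.Connection, owner: str):
    """'Before' form: input spliced into the SQL text, guarded only by the blacklist."""
    if not blacklist_allows(owner):
        raise ValueError("blocked by blacklist")
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db: sqlite3.Connection, owner: str):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    return db.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()

# Constructed inputs: one matches a signature, one is a variant no rule covers.
KNOWN = "x' OR 1=1 --"
VARIANT = "x' OR 'a'='a"

if __name__ == "__main__":
    db = make_db()
    print("blacklist passes KNOWN / VARIANT:",
          blacklist_allows(KNOWN), blacklist_allows(VARIANT))
    print("concatenated query with VARIANT:", lookup_concatenated(db, VARIANT))
    print("bound query with VARIANT:", lookup_bound(db, VARIANT))
```

The same variant that passes the signature list and changes the concatenated query returns no rows through the bound query, because the driver treats the whole string as an owner name.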
