May 19, 2008 -- Every company today has a presence on the Internet. The number of web applications (e-commerce, extranet, content management system, etc.) is increasing, and their growing importance to all aspects of business is obvious.

In particular the updated standard for securing websites accepting major credit cards, The Payment Card Industry Data Security Standard (PCI DSS 1.1), is very specific and prescriptive about web application security. In section 6.6 it requires that either an application layer firewall is installed or that web facing applications are tested by web security specialists.

Other standards are less prescriptive but PCI-DSS is likely to set the future standards of website security as it will serve as a guideline for auditors evaluating the strength of a company's security provisions.

Of course, from a technical standpoint, the best option would be to go for both (security testing and application firewall) but from a business perspective a lot of companies are likely to choose one of the options as only one is required, especially when they have to choose between $25K+ options, with high re-occurring cost.

Choosing the application firewall path, one option is to go for do it yourself manually configured open source application firewall solutions. For some it will work but as applications and website content tend to change over time (sometimes without the security administrator knowing it) the policy needs to be adjusted to reflect changes. Also this solution requires that the security administrator is skilled at regular expressions and that he/she has the complete picture of the web sites and applications including all input options.

There is no such thing as a free lunch and the price of the open source solution is a lot of time spent creating and adjusting the policy. The free web application firewall from Armorlogic is automated will require the policy to be manually adjusted as applications change.

Another option is to go for an automated appliance based solution which will automatically learn normal application behaviour and configure a policy allowing normal application use. These solutions will provide excellent protection but many businesses are put off by the price tag.

Clearly, the perfect solution would be an affordable automated solution allowing for fast track web security. That's Profense Professional web application firewall. "Profense fits the gap between free open source hard-to-manage-and-configure and expensive automated solutions allowing for a more balanced approach in terms of time/money spent on the solution. There may even be money left for application security testing," says Srebrenko Sehic, CTO of Armorlogic.

Some reasons for Armorlogic being able to offer their web application firewall at such attractive prices are that Profense is a "do it yourself appliance". Armorlogic provide an ISO image with a complete package including a minimalized OS (OpenBSD) which will turn a piece of server hardware into an appliance. Thus Armorlogic does not have to spend money on specialized hardware. Others have done a lot of work for Armorlogic making high quality Open Source software (OpenBSD, Apache, OpenSSL, etc.). Armorlogic rely on high numbers instead of high margins.
    
Download a free less automated version of Profense from www.armorlogic.com.

Learn more about Armorlogic and Profense, get a free license or download it to try the 30 trial at armorlogic.com.

About Armorlogic:
Armorlogic is a Danish software development company focused entirely on web application security. Armorlogic is founded on a solid foundation of expert knowledge in the areas web application development, network infrastructure, internet security and IT-security management.