Web and Enterprise Application Controls


    With high-profile data breaches announced every day, a growing number of compliance initiatives now mandate application controls. These initiatives were enacted to address both external attacks and insider threats. Regulations such as PCI DSS, SOX, and HIPAA require application controls as a means to protect data confidentiality and integrity. Enterprise applications including SAP, Oracle EBS, and PeopleSoft are subject to regulatory compliance requirements focused on insider threats.

    The following application controls will satisfy most regulatory compliance requirements:

    Protect Web Applications Against Known Attacks

    Organizations should fortify public-facing Web applications with a Web Application Firewall (WAF). A WAF automatically detects and blocks attacks before any damage can occur. A WAF provides continuous protection—not just after a scan, fix and test cycle—and fully satisfies PCI DSS requirement 6.6. A WAF should prevent the OWASP Top Ten list of Web security risks, block both known and custom application attacks, and virtually patch application-specific vulnerabilities.

    Securing and Auditing Key Enterprise Applications

    Businesses store sensitive financial, personal and operational data in enterprise application databases. Faced with increased security risk and regulatory scrutiny aimed at this data, organizations are looking to improve security and demonstrate compliance without impacting application performance and availability. A comprehensive solution for access control, activity monitoring, auditing and vulnerability assessment should be application-aware and minimize the performance and operational impact on enterprise applications.

    Follow Secure Web Application Development Best Practices

    Implementing application code according to security best practices can effectively reduce the number of vulnerabilities in Web applications. Secure Web development is an important way to fortify applications and satisfy multiple federal and industry regulations, including the PCI DSS and the Massachusetts Data Protection Act. Used in conjunction with a Web Application Firewall, a Database Firewall, vulnerability scanning, and code review, secure Web development offers a comprehensive defense-in-depth strategy.

    Apply Latest Vendor Supplied Security Patches

    To ensure the most up-to-date protection against vulnerabilities, organizations should install security patches on critical systems and applications. Security patches protect critical assets from published and easily exploitable vulnerabilities. Database and Web vulnerability assessment tools can help organizations discover unpatched systems and manage and prioritize patch updates. Integrating database assessment with a database firewall enables virtual patching of vulnerabilities—sometimes even before a vendor patch is released.

    Generate Pre-Defined and Custom Compliance Reports

    Security and auditing reports document regulatory compliance. Out-of-the-box reports should demonstrate how application controls have been implemented, while custom reports offer unique views tailored to individual business requirements. Flexible graphical reports, as well as real-time alerts and audit analytics tools, enable organizations to easily understand and present security and compliance status.

    • Database Security

      Product Name / Capabilities

      SecureSphere Database Firewall
      • Protects application data stored in databases
      • Virtually patches vulnerabilities discovered by database assessments

      SecureSphere Discovery and Assessment Server
      • Discovers database servers
      • Assesses databases and systems for vulnerabilities and patch level
      • Prioritizes security risks

    • Web Application Security

      Product Name / Capabilities

      SecureSphere Web Application Firewall
      • Continuously protects against known and zero-day application attacks
      • Prevents common application vulnerabilities, including the OWASP Top Ten
      • Provides transparent protection with no changes to existing Web applications or network
      • Automates security management by dynamically learning application structure and usage
      • Integrates with application scanners for instant virtual patching of vulnerabilities
      • Offers predefined and custom compliance reports

      ThreatRadar Reputation Services
      • Detects known malicious sources such as anonymous proxies, malicious IP addresses, and TOR servers
      • Provides visibility into phishing incidents
      • Identifies and optionally restricts access based on the geographic location of attack sources

      ThreatRadar Fraud Prevention Services
      • Rapidly provisions and enforces Web fraud protection to address compliance requirements such as FFIEC
      • Correlates fraud prevention policies with Web Application Firewall rules for granular, centralized control of Web security

    Notes:
      1. Blocking access to sensitive data in databases requires SecureSphere Database Firewall.
      2. SecureSphere Discovery and Assessment Server is included with SecureSphere Database Activity Monitoring and SecureSphere Database Firewall.
      3. Blocking access to sensitive files requires SecureSphere File Firewall.