Sneak attacks against Web apps are worth fretting over

Want a quick primer on cheap tricks of the magazine trade? Try this: Sex sells. So do “Free” and “Top Secret.” If those fail, trot out the fear factor: Readers are sure to pick up an issue if they believe they are in danger. At InfoWorld, however, we like our tricks less, er, … cheap. A provocative turn of phrase or a bit of razzle-dazzle is all well and good, but our readers want their information straight. They don’t need to be seduced by the transparent come-on or the dubious bait and switch. They’re hard-headed IT professionals seeking tech news, no-nonsense reviews, and peer-to-peer advice.

Which brings us to this week’s cover and cover story. Yes, the image cooked up by Mark Estes is frightening, menacing even. But we make no apologies for fear-mongering. We’re just being realistic: Attacks on Web applications — as described in “Are your Web apps secure?” — are legitimately scary. After all, they can put a company out of business. Although Web site defacements and obvious nuisances such as DDoS (distributed denial of service) attacks get most of the press, a black-hat assault on a Web application (and the databases that support it) can be much more destructive, potentially exposing credit card numbers, social security numbers, and other personal data. And a conventional firewall won’t do you much good. Even worse, it’s highly likely that you won’t know you’ve been compromised, unless your customers’ data starts circulating on the Net. The only reasonable shot you have at protection comes from a new breed of Web application firewall, such as the four we review this week. (Look for more app firewall reviews in upcoming issues.)

“Traditional firewalls look for network packages that are ‘wrapped funny,’ in the same way that a postal inspector looks for something wrapped funny going through the mail,” explains co-author Curtis Franklin Jr., a Test Center senior contributing editor. “Web services provide lots of new ways to wrap application traffic, so you get a lot more stuff that’s wrapped up,” he says, which renders a garden-variety firewall defenseless. Web app firewalls, on the other hand, provide protection by inspecting the contents of the package.

According to Franklin and co-author Jordan Wiens, a network security engineer at the University of Florida, Web application exploits are on the rise, although they often go unreported. Not surprisingly, companies would rather keep this kind of embarrassing breach hush-hush, unless concerns for customer privacy force them to notify their users. (Franklin learned about that particular scenario the hard way when someone cracked a major commerce site he patronized.)

Maybe next time, that site’s caretakers will consult one of our firewall reviews first. It sure beats being scared.