Persistent, expensive, and overlooked, the web-application problem provides a new market for startups.
September 30, 2004
Some security startups are trying to plug the holes in web applications – and tap into a market that research firm The Yankee Group estimates will reach $1.8 billion by 2007.
A web app, the interface between an Internet user and a web site, can take many forms, from a Google search to the communications software linking a company’s headquarters and a satellite office. Web-app hacks happen with alarming regularity: research firm Gartner estimates that since 2002, 70 percent of Internet attacks have come in through the web-app layer. Still, The Yankee Group says the web-app security market accounted for only $100 million in spending in 2003, a tiny fraction of the $3.8 billion that Gartner estimated for total security software spending that year.
You don’t even hear about the worst web-app breaches, says Gartner’s John Pescatore. If an online shopping site has not been properly designed, a malicious hacker could destroy customer information or place orders without paying; if a bank’s database is compromised, billions can be lost.
“This is the single biggest threat to the Internet,” one expert said. “Nobody hacks Amazon through Windows.”
Three startups are tackling different sides of the web-app security problem.
Software company NT Objectives, based in Orange County, California, is just coming out from under trade-secret litigation brought by security consulting firm Foundstone, and has secured less than $1 million in funding. Erik Caso, vice president of sales at NT Objectives, which secures corporate web sites, describes the URL of an e-commerce site as a “cruise missile.” He says poorly designed applications let attackers order merchandise without paying or delete a business’s database; simply by altering the parameters in a URL, they can reach areas of the site they were never meant to see.
NT Objectives’ product, NTOSpider, automatically crawls and scans a web app and delivers recommendations for reducing its vulnerability. CEO J.D. Glaser developed a Windows version of the Tripwire file-integrity software and, while at Foundstone, led development of the FoundScan vulnerability finder. He says the company searched for funding, did not get it, and has since stopped looking and is getting by on product sales.
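The URL tampering Mr. Caso describes, and the server-side checks that stop it, as an added Python example (not NT Objectives’ code; the catalogue, the orders table, the session dictionaries and the query strings are constructed stand-ins for a real site’s database and requests):

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (assumption: an in-memory stand-in for the
# database an e-commerce site would query).
CATALOGUE = {"sku-100": 4999}          # price in cents; the server's source of truth
ORDERS = {
    "order-1": {"owner": "alice", "total": 4999},
    "order-2": {"owner": "bob",   "total": 12000},
}


def params(url):
    """Flatten ?a=b&c=d into a dict of single string values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def vulnerable_checkout(url, session):
    """Trusts the price carried in the URL, so the attacker sets it.

    /buy?sku=sku-100&price=1 charges one cent for a $49.99 item.
    """
    p = params(url)
    return {"sku": p["sku"], "charged": int(p["price"]), "user": session["user"]}


def hardened_checkout(url, session):
    """Ignores any client-supplied price; the catalogue decides."""
    sku = params(url).get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    return {"sku": sku, "charged": CATALOGUE[sku], "user": session["user"]}


def vulnerable_view_order(url, session):
    """Any logged-in user can read any order just by guessing its id."""
    return ORDERS[params(url)["id"]]


def hardened_view_order(url, session):
    """Object-level check: the order must belong to the session's user."""
    order = ORDERS.get(params(url).get("id"))
    if order is None or order["owner"] != session["user"]:
        raise PermissionError("not your order")
    return order


def is_denied(handler, url, session):
    """True when the handler refuses the request (shows the fix working)."""
    try:
        handler(url, session)
    except (ValueError, PermissionError):
        return True
    return False
```

The two fixes share one principle: nothing that arrives in the URL decides a price or an authorization; the server re-derives both from data it controls and from the authenticated session.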
While NT Objectives targets the business-to-consumer-application market from the West Coast, Covelight shoots for the business-to-business market from its headquarters in Cary, North Carolina.
Covelight CEO Dave Logan says his company’s software, Percept, sees what everyone using a company web app does and reports any “suspicious behavior,” such as a user logging onto the network simultaneously from both California and New York. Covelight started selling Percept in March, less than a year after it secured $2.5 million of VC funding in its Series A. Mr. Logan says his company hopes to close its Series B and have more than 50 customers within the year.
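The kind of check Mr. Logan describes, flagging one account active from two distant regions at once, as an added Python example (not Covelight’s Percept; the log format, the sample lines and the four-hour window are constructed assumptions):

```python
from datetime import datetime, timedelta

# Constructed sample login log (assumption: one "timestamp user source_ip region"
# record per login; real application logs vary in shape).
SAMPLE_LOG = """\
2004-09-30T09:00:00 alice 203.0.113.10 CA
2004-09-30T09:05:00 bob   198.51.100.7 NY
2004-09-30T09:12:00 alice 198.51.100.9 NY
2004-09-30T11:30:00 carol 203.0.113.44 CA
2004-09-30T16:00:00 carol 192.0.2.77   NY
"""

# Assumption: two logins from different regions within this window are suspicious.
WINDOW = timedelta(hours=4)


def parse_log(text):
    """Turn the log text into (timestamp, user, ip, region) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, region = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, region))
    return events


def find_concurrent_logins(events, window=WINDOW):
    """Alert when a user logs in from a second region within `window` of the first."""
    recent = {}   # user -> logins still inside the window
    alerts = []
    for ts, user, ip, region in sorted(events):
        live = [e for e in recent.get(user, []) if ts - e[0] <= window]
        for prev_ts, prev_ip, prev_region in live:
            if prev_region != region:
                alerts.append({
                    "user": user,
                    "first": (prev_region, prev_ip),
                    "second": (region, ip),
                    "gap_minutes": int((ts - prev_ts).total_seconds() // 60),
                })
        live.append((ts, ip, region))
        recent[user] = live
    return alerts
```

On the sample log, alice (California, then New York twelve minutes later) is flagged, while carol’s two logins are four and a half hours apart and fall outside the window; a production version would replace the fixed window with a distance-based travel-time estimate and feed the alert to an analyst rather than block outright.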
"Web-app security will be just like anti-virus was 10 years ago,” Mr. Logan says. “In five years, it will be a must-have.”
Software maker SPI Dynamics is aiming at the root of the problem. Instead of locking down the system after it is deployed, wouldn’t it be better to address security concerns before an application hits the market? SPI has expanded its vulnerability assessment software for use by programmers who develop web apps. SPI’s CEO, Brian Cohen, says, “You have to bake security in, you can’t just brush it on.” Mr. Cohen says the company, which started in Atlanta in 2000, has revenues of between $5 million and $10 million. The company’s focus came from “a groundswell from security experts to say to the rest of the organization: ‘Don’t send us things we can’t secure!’”
One of the biggest problems with selling web-app security, say the startups, has been the lack of customer understanding.
“Everyone knows network security," says NT Objectives’ Mr. Caso. "Nobody knows web-app security. It is unique because there is no pre-knowledge of the application. Windows is Windows. If there’s a vulnerability, you patch it. The challenges are well known. Web apps are made to order, there’s little standardization. The challenge is not in patch-management-type legwork, but knowledge.”
A group of seven companies is working to raise awareness, share information, and standardize terms. The Web Application Security Consortium hopes to replace the Open Web Application Security Project, which the consortium says provided vendor-specific recommendations rather than vendor-agnostic advice.
The first hurdle the consortium hopes to clear is the plethora of names for the same web-app threats. It believes standardized terms will help customers compare products. Confusing phrases such as “Cookie Poisoning,” in which an attacker alters the contents of a cookie (a user or session identifier, for instance) to impersonate another user, are being mapped to standard names such as “Session Prediction,” the guessing or forging of a valid session identifier.
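What the two terms cover in code, as an added Python example (not the consortium’s material): a cookie that carries the user id in the clear can be poisoned by editing it, a cookie whose value is derived from a counter can be predicted, and both are defeated by either authenticating the cookie with an HMAC or issuing an unguessable opaque session id. The key, the user ids and the cookie layout are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: a real deployment loads this from a secret store, not source code.
SERVER_KEY = b"constructed-demo-key"


def weak_cookie(user_id):
    """Cookie is just the user id: poison it by editing the number."""
    return f"uid={user_id}"


def weak_lookup(cookie):
    """Server trusts whatever id the browser sent back."""
    return int(cookie.split("=", 1)[1])


def poison(cookie, new_uid):
    """What the attacker does in the browser: rewrite the value."""
    return f"uid={new_uid}"


_counter = 1000


def predictable_session_id():
    """Sequential ids: seeing one tells the attacker the next (Session Prediction)."""
    global _counter
    _counter += 1
    return str(_counter)


def signed_cookie(user_id):
    """Same payload, but tagged with an HMAC the browser cannot forge."""
    payload = f"uid={user_id}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def signed_lookup(cookie):
    """Return the user id only if the tag verifies; None on any tampering."""
    payload, _, tag = cookie.rpartition("|")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return int(payload.split("=", 1)[1])


def opaque_session_id():
    """Random, unguessable id; the id-to-user mapping lives server-side."""
    return secrets.token_urlsafe(32)
```

The signed cookie still reveals the user id to its holder; where that matters, the opaque random id with a server-side session table is the better choice, and it also removes any structure an attacker could extrapolate from.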
“Customers quickly become overwhelmed about what they should be doing and then often adopt a wait-and-see attitude,” says Jeremiah Grossman, the CEO of Santa Clara, California-based scanning company Whitehat, and a founder of the security consortium.
Simplified terms may be one way to uncork the market for web-app security, but a major, well-publicized security incident would certainly open a few eyes. Those with the most to lose, or, perhaps, those that have already lost, have been the first to sign up for web-app solutions. “The early adopters are getting it, especially financial services,” says Covelight’s Mr. Logan. “We are hearing people say ‘We’re so fortunate our management realizes this is an issue.’”
© 1993-2004 Red Herring, Inc. All rights reserved.