You Can't Make Everyone Happy — but Can You Come Close?


Government auditing compliance requirements can be extremely costly for many businesses. The complexities of meeting audit industry best practices and delivering the information that auditors require put a significant strain on IT departments that are already strapped for manpower and resources. In a recent conversation with our editors, Imperva (http://www.imperva.com) CEO Shlomo Kramer and Vice President of Marketing Alan Norquist explained that their company provides a solution designed to address compliance from all sides.

SecureSphere Database Monitoring Gateway is a network-based appliance that logs query-level details of database activity, audits usage for exception-based behavior, and associates every event with the responsible Web-application user. The product gives auditors what they want: details about all logged activities, who is accountable for every transaction, and which transactions are material exceptions. The product also gives IT staff members what they want: automated Universal User Tracking that identifies specific users and their activities without requiring a rewrite of the database or application. In addition, because the appliance doesn't sit on top of the database, users get what they want: unimpaired performance. At a starting price of $35,000, the appliance can be a realistic alternative to putting a DBA on compliance duty full time.
- Dawn Cyr

SPI Dynamics Identifies Application Security Trends and Requirements


SPI Dynamics (http://www.spidynamics.com) CEO Brian Cohen describes his company as "the leader in Web application security assessment throughout the life cycle." Cohen recently identified for us the trends and requirements the company sees currently in the Web-application security space.

According to Cohen, customers are beginning to realize that application security is a life cycle issue that begins in the application development phase. Federal and state regulations specify that Web applications must be secure. Vendors are more aware that they must develop and test applications for security, and the Web-application security market is maturing.

Customers require fewer false positives during testing, tools that combine black-box testing and source code analysis, automation, tools built into the IDE, and tools delivered as services.

SPI Dynamics recently made several product and service announcements that address these trends and requirements. WebInspect 6.0 has Intelligent Engines technology to tailor attacks according to what the tool learns about a particular Web application. Thus the product can inspect an application faster and with fewer false positives than it could by launching every attack in its database against the application. WebInspect Direct is a service that customers can choose instead of deploying the WebInspect software themselves.

DevInspect 2005 (named "2005" to line up with Visual Studio 2005) combines source-code analysis and black-box testing to find and fix problems in Web applications while giving customers fewer false positives.
- Renee Munshi

Turn IT Weaknesses Into Auditing Strengths


In its customer research, Lumigent (http://www.lumigent.com) identified five areas of weakness in IT controls. IT departments have a hard time dealing with employee account terminations and entitlements, often fail to segregate duties, don't have a way to audit privileged users, provide an inadequate review of audit logs, and fail to identify anomalous transactions in a timely manner.

According to Lumigent Director of Marketing Ed Gavin, these five weaknesses fall under the umbrella of an emerging need in the auditing industry: Just turning on auditing and collecting information is no longer enough. You need to understand the information and be able to take action based on your audits.

The latest release of the company's flagship auditing product, Audit DB 5.0, addresses this core trend. The database-based transaction-log monitor creates a centralized repository, where it records all transactions and the context in which they occurred. This context-savvy information lets companies not only audit but also identify and verify the effectiveness of the IT controls they have in place. In addition, customers can separate their security and auditing functions from DBA functions.

A special feature of Audit DB 5.0 is that it monitors the activity of privileged users. The completeness of the repository also lets customers perform long-term trend analysis of activities involving sensitive data.
- Dawn Cyr