Small Vendors Issue Security Challenge To Large CompetitorsSmall Vendors Issue Security Challenge To Large Competitors

Four vendors of application security products have created an alliance to challenge the ability of large-scale vendors--such as Check Point Software Technologies, Cisco Systems, Juniper Networks, McAfee, and Symantec--to protect customers from hacker attacks and other security breaches.

On Monday at the Computer Security Institute Conference in Washington, D.C., the CEOs of F5 Networks, Imperva, NetContinuum, and Teros challenged their larger rivals to join them in putting their products to the test before ICSA Labs, an independent information security product certifier. Their stated goal is to promote more consistent metrics for customers to evaluate products.

The situation, as these upstarts describe it, is a growing market for Web application security--which the Yankee Group tags at $2 billion over the next five years--and suspect claims from vendors about the capabilities of their products.

In a prepared statement, the foursome suggests that some vendors are selling security short. "We are united regarding the minimum criteria that any security product must meet to provide acceptable protection for mission-critical Web applications," the companies state. "We believe these minimums are not being met by many vendors, despite marketing claims that strongly imply such protection. The result is a false sense of security that exposes consumers and corporations to a higher risk of identity theft and other similar data loss threats. Our goal is to pave the way for minimum standards that will ensure the safety of consumers as well as corporate and government environments on the Web."

The application security vendors "normally don't talk to each other," says Bob Walters, CEO of Teros. "But we came together to help improve the situation." Gene Banman, CEO of NetContinuum, notes that his company and its allies have built their businesses around better Web application security.

"It's pretty remarkable that these companies have come together," says James Slaby, an analyst with the Yankee Group. "It shows the difficulty of competing against entrenched incumbents."

The criticisms are accurate, Slaby says. The smaller, specialized vendors offer application-specific security that considers the context of external network requests, as opposed to generic packet filtering typically offered by the larger vendors. Slaby suggests that packet filtering is not enough to identify some attacks.

Even so, it may be tough for the specialized vendors to convince the market of their merits. "The buyers want to believe what the big guys are telling them," Slaby observes. He adds that the major players in the security market are probably aware of their deficiencies and may correct them through future development or by acquiring companies and their technologies.