Been too busy to keep your finger on the pulse of the hottest new security tools? No worries. Relax, sit back, and we'll walk you through some of the industry's hottest emerging tools.
We've settled on a Top 6 list that details some specific products as well as some emerging categories of products that have won over some of the hardest-nosed security experts with their innovation and promise.
Let us know what you think about these hot products and categories, and whether you have others you think should be added to the list. We're always on the trail of the next sizzling generation of security technology.
(Editor's note: Please send comments via the message board associated with this story, not by email. All postings are completely anonymous. Enjoy.)
- Browser Anonymizers
- Core Security's Impact
- Voltage Security's Identity-Based Encryption
- Blue Lane's Virtual Patches
- Lockdown Networks' NAC Enforcer
- Secure Code-Scanning Tools
1. Browser Anonymizers
In the early days of the Web, users liked the way browsers kept their surfing histories -- remembering where they had been and helping them return to their favorite sites. Now that attackers, spyware, other users, and the IT department can use these histories and cookies, however, many end users are ready to give up convenience in exchange for more privacy.
In response to this demand for privacy, a new crop of products and services has sprung up in recent months, each promising to keep surfers' identities and behaviors hidden from those who might want to peek at them. Although these products don't all work the same way, they all have a common goal: to let the user surf the Web anonymously, without leaving a trail.
With names like Anonymizer, EverPrivate.com, FindNot.com, NetConceal, and many others, proxy services are by far the most popular means of hiding a user's surfing tracks. For around $30 a month, these services enable users to log onto a single site, then surf anonymously as they wish. With proxies, an analysis of the user's Web history will show only one long session with the proxy service, and no clickstream details are visible to observers, hackers, or subsequent users of the computer.
A company called Browzar recently introduced a "browser" it claims can surf the Web without collecting a history or leaving an auditable trail. (See New Browser Hides User Behavior.) However, users and reviewers who have tried Browzar say it amounts to little more than a shell for Internet Explorer that might hide histories from subsequent users, but it does little to protect users from determined attackers or computer forensics experts checking into a user's history.
"Browzar is no panacea, and not even worth the small download," says Jack Schofield, a Web privacy expert who has reviewed the product.
Last week, a group of hackers and privacy proponents called Hacktivismo released a specialized version of Firefox that claims to give users complete anonymity when they surf the Web. Called Torpark, the browser runs from a USB drive, leaving no trail on the PC, and passes all data through the Tor network, which hides the true IP address of the machine.
IT organizations already have begun to develop their own tools to break through the emerging wave of anonymizers. Just last week, Cymphonix unveiled a new product feature called Anonymous Proxy Guard, which prevents users from logging onto proxy services while on the corporate network. (See Cymphonix Undoes Anonymous Activity.)
2. Core Security's Impact
Vulnerability assessment scanning is one thing, but running real exploits to put your systems to the test is another: that's what Core Security's Impact tool does. It's a do-it-yourself penetration tester without the outside consultants invading your space.
Impact is similar to the popular freeware tool, Metasploit, but it's a commercial product. "If you need commercial-quality exploits, Core is the best bet," says HD Moore, the developer of the freeware Metasploit tool.
So how does Core's Impact stack up with Metasploit? "Metasploit does well with regard to reliability and features, but Core has much wider coverage, a spiffy user interface, and some cool features that make penetration testing and relaying attacks through compromised systems simple," says Moore.
And unlike Metasploit, Impact will cost you -- $25,000 per year for training, support, and exploit updates. It runs on Windows 2000 and XP, and it includes exploits for Windows XP, Windows 2003, NT4, Windows 2000, Solaris, OpenBSD, Mac OS X, and Linux. It goes deeper than a vulnerability scan, simulating real exploits. "They work like vulnerability scanners, but rather than probe if vulnerabilities exist, they actually exploit them and use it to test other parts of the system," says Thomas Ptacek, a researcher with Matasano Security.
Core Security isn't the only commercial penetration testing tool -- other popular tools in this area include Immunity's Canvas and Mu Security's Mu-4000.
These types of tools aren't for the faint of heart, however. They can be tough on enterprises, where they run the risk of crashing or interrupting business systems and applications. So they're typically used in lab environments, for testing a new application or IPS tool before it's deployed, for instance. "They're less useful for routine 'bulk' scanning of enterprise systems in production deployment because they tend to be more disruptive than scanners, which are already too disruptive for on-hours use," says Ptacek.
Core is popular among the intrusion prevention system (IPS) vendors, too. "All the major IPS certifications are based in part on tools like Core's," he says.
3. Voltage Security's Identity-Based Encryption
Everyone complains about passwords, but few organizations have been willing to ditch them for digital certificates, either. What if you could use your name and email address as your "key" instead? That's what Voltage Security's proprietary identity-based encryption (IBE) technology does.
IBE is as strong as a digital certificate but not as hard to use and manage as the typical PKI-based identity infrastructure that requires SSL and SSH keys. "This is space-alien technology," says Thomas Ptacek, a researcher with Matasano Security. "Your key is your name, not a big long string of hex digits."
The IBE technology may be the first realistic alternative to passwords taped under keyboards. And unlike digital certificates, there's no key management or user pre-enrollment required. "And with a PKI, you can't send a message to someone who's not enrolled... You'd need to get their public key," says Richi Jennings, an analyst with Ferris Research.
Voltage so far is focusing on encrypting email messages, but security experts say the technology could expand to files and other applications as well. In addition to the SecureMail product, it sells SecureFile for encrypting files, and SecureDisk for encrypting laptop and PC disks.
Ptacek says you could use IBE to secure an enterprise management application, for instance, and provision it with the names of the authorized users. This type of authentication is simple to deploy like a password, but stronger and more convenient, he says. "When you set up a server, you decide who to allow onto it and you don't need a crypto key, just their names."
When a recipient outside the organization running Voltage gets an encrypted message, he also gets a link that uses the server to decrypt the message on the fly. (It uses the fourth-generation Boneh-Franklin IBE Algorithm.) It also supports federated authentication for messaging among business partners.
"It says go to this [proxy] site, download this software, or do this through this Web app," Jennings says.
Voltage runs on Windows servers and works with Outlook and Lotus Notes. And it now has company in the IBE space: Identum recently rolled out an IBE messaging service called Private Post for organizations that don't want to run their own IBE servers.
4. Blue Lane's Virtual Patches
Relief from the constant stream of security patches vendors push out to customers? What's not to like about that?
It's not just the volume of patches that IT managers have to deal with -- they must also contend with testing against current implementations to ensure against conflicts or crashes, a process that can turn into a huge time-suck. Then there's the need to power down a server or network node while the patch is applied and activated. That often means delay, unhappy users, and potential for lost revenue.
That all helps explain the growing buzz around the inline proxy technology from Blue Lane Technologies, which checks traffic for any possible problems, then emulates patch functionality so that applications can continue to operate till the actual patch gets released, tested, and activated.
"IT needs to only apply a virtual patch to a single BlueLane device to mitigate vulnerabilities for all affected downstream servers," notes Eric Ogren, senior analyst with the Enterprise Strategy Group. "Application environments can be rapidly protected, especially when critical high priority patches are released."
Cool yes, cheap no. The PatchPoint Gateway G/450, Blue Lane's top-of-the-line appliance for larger networks, lists for $50,000; the G/250 for remote offices runs $18,000. Blue Lane's Enterprise Manager can be run either as software on the G/250 for $5,000, or as a dedicated appliance for $12,500 on either gateway. Once customers move to multiple gateways, the dedicated appliance is required, according to the vendor.
Still, if enterprises pick their spots wisely, it may be money well spent. With average patch times running 30 days or longer, ESG's Ogren encourages enterprises to consider this sort of virtualized patching for critical servers. It may give IT staff some breathing room and confidence till Microsoft, Oracle, or Red Hat can get the real patch out the door.
5. Lockdown Networks' NAC Enforcer
Network access control (NAC) technology is one of the security industry's hottest buttons these days. Unfortunately, most currently available NAC solutions fall into one of three categories: 1. not available yet; 2. vendor-proprietary; or 3. incompatible with currently installed networks and security systems.
So far, there is one company that has managed to stay out of all three of these negative categories: Lockdown Networks. Its Lockdown Enforcer appliance has turned many heads in the NAC world by offering a way to do NAC today, regardless of the vendors involved, and without redesigning the enterprise's existing infrastructure.
"Lockdown has been a pioneer and a leader in appliance-based NAC," says Peter Christy, principal analyst at Internet Research Group.
In a nutshell, Lockdown prescribes a "NAC overlay" approach, which means that enterprises can distribute Enforcer appliances around an existing network to determine the compliance (or non-compliance) of end points that want to join the network. If the end points comply with the enterprise's policies, they are allowed past the Enforcer and can attach via conventional means; if not, they may be quarantined or disallowed.
"One of our 'ten commandments' is to work with the infrastructure that enterprises already have," says Dan Clark, vice president of marketing at Lockdown.
With its enterprise NAC product line, Lockdown is taking on the likes of Cisco, Juniper Networks, Microsoft, and the Trusted Computing Group (TCG), all of which are developing their own enterprise architectures for NAC. Isn't it crazy for a startup to challenge vendors of that ilk?
"The thing about companies like Cisco and Juniper is that they're looking to solve the problem using their equipment, to give themselves a competitive advantage," Clark says. "Almost by definition, they're going to have a bias." The TCG's Trusted Network Connect standard doesn't have a vendor bias, but it also doesn't have Cisco's support, so it can't work in the most prevalent network environments, he observes.
Lockdown has a window of opportunity while the big vendors wrestle with strategies and standards, and the company is taking advantage of it. The startup vendor has doubled its revenues each quarter since it began operating in Aug. 2005, and it boasts more than 100 installations, many of them in large enterprises.
"The market is ready for NAC, and we're seeing it starting to do a hockey stick upward," Clark says. "Right now, the list of all-in-one solutions for NAC is incredibly short, and we're on it."
6. Secure Code-Scanning Tools
A lot of security vulnerabilities start from the beginning, when errors are written into nascent code. But a generation of secure-code scanning tools, such as those from Fortify and Coverity, are catching on as a way to pinpoint software problems before they become actual vulnerabilities and exploits.
These tools have already made a splash in open-source software initiatives. Fortify, for instance, has donated its treasure trove of software security errors to the Open Web Application Security Project (OWASP) and is a sponsor of FindBugs, an open source tool that looks for bugs in Java. Coverity, meanwhile, has teamed up with Stanford to provide a new baseline for open source software security. And under a contract with the U.S. Department of Homeland Security, Coverity is doing daily security audits of open source software -- think Linux, Apache, Mozilla, etc. -- as well as making its data on the most critical bugs available to the open source community.
"They have been very successful in allowing open source to use them for free. They've amassed quite a track record on open source projects," says Thomas Ptacek, a researcher with Matasano Security, who also lists Klocwork and Ounce as other key players in this space.
Secure code-scanning is catching on commercially, too. Fortify has some big-name clients such as Oracle, Bank of America, Symantec, and Wells Fargo, and Coverity has Cisco, McAfee, EMC, Juniper, and NASA. "It's on the verge of becoming an industry," Ptacek says.
These tools scan source code and flag errors or potential vulnerabilities so they can be fixed before the software goes out the door. Fortify's Source Code Analysis, for example, runs on Windows, Linux, Solaris, HP-UX, IBM AIX, and Mac OS X, and is priced from $29,000 and up.
But these tools are only the first step in secure coding. "Generally speaking, static analysis tools are useful for finding defects and security flaws which have not been detected by other means," says Robert Seacord, senior vulnerability analyst for CERT/CC.
But you can't rely on these tools to fix poor programming, he says. "These tools are unlikely to catch all possible errors that can lead to software vulnerabilities and the potential consequences of these errors."
These tools should be the last stop, along with quality assurance techniques such as source-code audits, penetration testing, fuzz testing, and dynamic analysis tools, he says. The first step should be secure coding practices that minimize the number of flaws that are inadvertently programmed into code, he adds.
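To show what a source scanner of this kind does, and where Seacord's caveat applies, here is a minimal AST-based checker for Python (example code written for this article, not Fortify's or Coverity's); the rule table and the sample program it scans are constructed for illustration, and the last line of the sample shows a call that simple pattern matching misses.

```python
import ast

# Rule table: dotted call name -> finding text (rule wording is my own).
RULES = {
    ("eval",): "code-injection: eval() on a non-literal argument",
    ("pickle", "loads"): "deserialization: pickle.loads() on untrusted data",
}

def _dotted_name(node):
    """('pickle', 'loads') for pickle.loads, ('eval',) for eval, else None."""
    if isinstance(node, ast.Name):
        return (node.id,)
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return base + (node.attr,) if base else None
    return None

def _shell_true(call):
    """True when the call passes shell=True as a literal keyword."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)

def scan_source(src, filename="<input>"):
    """Return sorted (line, message) findings for one Python module."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        # Rule 1: a dangerous sink called with anything other than literals.
        if name in RULES and not all(isinstance(a, ast.Constant) for a in node.args):
            findings.append((node.lineno, RULES[name]))
        # Rule 2: subprocess.* with shell=True hands the string to /bin/sh.
        if name[0] == "subprocess" and _shell_true(node):
            findings.append((node.lineno, "command-injection: subprocess call with shell=True"))
    return sorted(findings)

# Constructed sample (not from any real project): two true positives, one
# correctly ignored literal, and one aliased call this pattern-based rule misses.
SAMPLE = """\
import subprocess, pickle
def handler(req):
    subprocess.run("ls " + req["dir"], shell=True)   # flagged
    obj = pickle.loads(req.body)                     # flagged
    eval("1 + 1")                                    # literal only: ignored
    e = eval                                         # aliasing hides the sink
    return e(req["expr"])                            # missed by this scanner
"""
```

Running `scan_source(SAMPLE)` reports lines 3 and 4 only; the aliased `e(...)` on line 7 is exactly the kind of flaw that needs data-flow analysis, code review, or testing rather than a name-matching rule.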
The Staff, Dark Reading