With U.S. e-commerce retail sales ballooning to over $54B in 2003, overall e-commerce sales including B2B extending beyond a staggering $1 Trillion, and over 200 million Internet users, enterprises face a mammoth problem. How to secure the applications that are behind these web sites?

The Anti-Virus Era
Although application security is a relatively new issue, IT security tracks its history to the mid-Eighties. Organizations started focusing on other aspects of security in the early Eighties with the advent of anti-virus. After MS-DOS gained momentum, the first known virus, “Brain,” originated in Pakistan in 1986. Brain was a boot-sector virus and only infected 360K floppy disks. Between 1987 and 1989, a number of new viruses were discovered including the Lehigh virus from Lehigh University in the United States, Jerusalem virus from Hebrew University in Israel, and Ping Pong virus in University of Turin in Italy, among others.

Early Nineties saw a slew of new and more deadly viruses including Fish, Joshi, Flip, and Whale as the main ones. Vendors smelled the opportunity and many anti-virus solutions sprung up including McAfee, Norton, IBM, Iris, Certus, and others. In 1992, the Michelangelo, a polymorphic virus caused not a little bit of a havoc. With the proliferation of the Internet and e-mail came more malicious viruses including Melissa in 1999 which took advantage of the e-mail to propagate. Since then, we have had a number of other malicious viruses and worms including Klez, Loveletter, Code Red, Nimda, SQL Slammer, which circled the globe in 10 minutes, Nachi, and more recently the Sasser worm. Currently, there are over 60,000 known viruses and vendors are updating these constantly. Although it’s not foolproof, most enterprises have installed anti-virus software on most of their machines to protect themselves.

The Era of Network Security
In the early Eighties, organizations had limited networks and most of the security was taken care of with basic authentication mechanisms. Then came the Local Area Networks (LANs), which were controlled through remote authentication procedures. In the early to mid Nineties, with the increasing usage of the World Wide Web, enterprises had to open themselves to the outside world to connect to customers, partners, and vendors. This made companies vulnerable to attacks on the network from worms, viruses, and access of information by unauthorized users. Companies knew at that point they needed to secure their perimeter.
Network Firewalls were the first wave of perimeter security that helped control the traffic that flows in and out of the enterprise. After companies realized that some of the malicious traffic was still going through, a new technology called Intrusion Detection Systems (IDS) was introduced by some of the leading vendors. IDS monitor and malicious network traffic by comparing the traffic to a signature-based database. When it detects an attack signature, IDS appliance sends out an alert to the administrator. Due to many pitfalls of IDS including the amount of traffic to monitor, Intrusion Prevention Systems (IPS) have started becoming popular in the recent years. IPS boxes combine the functionality of firewall and IDS to not only monitor the traffic but also have the ability to drop the packets based on pre-set configurations. Network vulnerability management products have been fairly effective in scanning the network ports to find existing vulnerabilities. Most companies have dedicated a lot of resources and budget on securing their perimeter over the last few years and feel comfortable with the infrastructure.