Israel’s AppliCure untangles the Web

‘TotalShield’s software agent follows the user through every step of the process and if the user tries to do something they don’t have the permission for, the system will know instantly that something is not right’ – Moshe Basal.Firewalls and …

‘TotalShield’s software agent follows the user through every step of the process and if the user tries to do something they don’t have the permission for, the system will know instantly that something is not right’ – Moshe Basal.Firewalls and anti-virus software can protect computers from many outside threats, but not it seems from web applications – the latest security hole which criminals are using to steal everything from social security numbers to credit card and bank information.

Any web site that is not just a page of information but that a user can interact with is running a web application. Millions of Americans use web applications every day to check their bank accounts online, get insurance quotes or blood test results, or make purchases. But web applications also leave a company’s database wide open to anyone with the know-how – a criminal can get inside the database right from the opening web page with a fake username. This is already happening, and if the situation gets worse, it could spell the end for web applications.

Luckily Israeli company AppliCure refused to listen to all those who told them it couldn’t be done and has developed a solution to this critical problem.

“We developed a new security model,” AppliCure CEO and co-founder Moshe Basol told ISRAEL21c. “And when we went to the technical people and said ‘See, this is the problem and someone has to develop an appropriate product’, they said, ‘You can’t do it.’”

Founded in 2003, the Herzilya-based AppliCure gathered a team and spent a year and a half proving everyone wrong. The company now has a product, TotalShield, which it is about to start testing it in real situations with several companies, including Sun Microsystems.

One way to use web applications to get into a database is for a hacker to enter a fake username followed by a semicolon and a certain command. The web application goes into the database to look for the username, but when it doesn’t find it, it reads the rest of the line and carries out the command which comes after the semicolon – which could be to copy all the data, or to wipe out the database completely. There are so many different ways to do this that a firewall can block some, but then hackers just come up with new ways to get in. According to the Gartner group research firm, 75 percent of all hacking occurs through web applications.

Basol used a human analogy to describe AppliCure’s novel approach. “At a certain company, the guard at the entrance checks you and says, ‘Ok, you are allowed in. You can go in and do anything you want.’ If you hid a knife and he didn’t find it, you can use it.

“Then there is another company where there is a guard at the entrance and he identifies you as a guest and says, ‘You must go to Floor 18, Room 12.’ He encodes this permission in a smartcard and gives it to you as a badge and asks someone from the organization to follow you in and out. This is our model,” he said.

This approach of permission-based security is more effective at combating as-yet-unknown hacking tactics because instead of defining what a user can’t do, it gives a user permission to only do certain things. TotalShield’s software agent follows the user through every step of the process and if the user tries to do something they don’t have the permission for, the system will know instantly that something is not right.

“It doesn’t matter what hacking methods you are using,” said Basol. “If someone tries a semicolon, nobody has [permission] to delete the database. This agent won’t let anyone delete it.”

This sounds like a very logical approach but is difficult to do in computer terms because there are so many different systems at work in different languages: the web page, the web application, the company’s computer system and the database. AppliCure’s solution works at the deepest level of the operating system, something that only someone with a very intimate knowledge of computers could develop.

David Allouch, AppliCure’s other co-founder and chief technology officer, has the perfect credentials for the job. Like Basol, he has worked as a consultant in computer security for many years. But he started much earlier: Allouch, who was born in France, was picked as a seven-year-old in the 1980s in Paris in a French government project to train 500 children in the latest computing methods.

Unfortunately, after five years or so, the project was shut down because the government couldn’t decide what to do with all these highly computer literate children, but the training has proved invaluable for Allouch and the other participants, all of whom have high-powered jobs in the technology industry, Allouch told ISRAEL21c.

Allouch emigrated to Israel at the age of 18, and worked in the computer industry, founding his own computer security software start-up, Netect, in 1995. Netect was sold to American company BindView in 1999 for $35 million, some of which he and Basal used to fund AppliCure. Basal, who was born in Syria and escaped with his family through Lebanon to Israel in 1973, worked for the Israeli security services in a special government information security company and then for a consulting group. He and Allouch met and found that they had a lot to talk about: how to use a computer to close the security gaps that they were doing manually for their clients.

AppliCure is planning for their software – which anyone using a web application would not even know was there – to hit the market at the beginning of 2005. Several companies, including fellow Israelis Sanctum and Kavado, and U.S. companies including Solaris, Cisco and Symantec, are also attempting to keep web applications secure, but none of them have a full solution which works on such a deep level, according to Basal and Allouch. Some of the products, known as Web Application Firewalls, slow down the performance of the web application and make transactions slower for the user, which is something a company doesn’t want.

Web application attacks are not some future threat; it is already happening.

“The situation is already very bad,” said Allouch. “It’s organized crime, it’s not hacking.”

The Yankee Group predicts that the web application security products market could be worth $1.74 billion by 2007. AppliCure, which is looking to raise around $1.5 million to start marketing their product, is in a good position to take a share of this market.

“The bottom line,” said Allouch, “is that if you take all the break-ins of the past year, everyone agrees that our solution would have prevented most of them. Every time we show the software to someone, they say, ‘OK, I need it.’”