My RSA week started off on the right foot with an early Tuesday morning meeting with Mykonos Software. This is an exciting young pre-A round company with an interesting idea for cutting off custom-designed web application attacks before they can be launched. It is an intriguing approach to web application security that is likely to please organizations that want to say goodbye to cross-site scripting and SQL injection attacks.
It is surprising that the intuitive Mykonos solution has not been tried more often. Mykonos offers an appliance that monitors outbound web traffic for the presence of forms and validates that the completed inbound form does not carry malware. The product salts the web form with what it refers to as “detection points”, allowing the solution to recognize malicious changes to the form when it is returned to the application. Attackers who are testing their attack code are identified, permanently tagged, and their future activity blocked before the attack development completes and launches. Mykonos does not require “scan and hope” signatures and does not rely on interpretation of application behavior – if the detection points have been modified then there is no question about unauthorized activity.
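To make the “detection point” idea concrete, here is an added illustration of the pattern (my own sketch, not Mykonos code; the page says nothing about how the appliance implements it): a signed nonce and an empty decoy field are inserted into each outbound form, and an inbound submission whose points were altered gets its client tagged so later requests are blocked. Field names, the secret and the client-tagging store are assumptions.

```python
# Added illustration of salting a form with detection points; not the vendor's code.
import hashlib
import hmac
import re
import secrets

SECRET = b"server-side-secret"   # constructed: a real deployment loads this from config
TAGGED_CLIENTS = set()           # clients caught tampering; assumption: keyed by address

def _sign(nonce: str) -> str:
    """HMAC the nonce so a client cannot forge or alter a detection point."""
    return hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()

def salt_form(form_html: str) -> str:
    """Insert detection points before </form>: a nonce, its signature, and a decoy
    field that a browser never fills in but scanners and injection tooling often do."""
    nonce = secrets.token_hex(8)
    points = (f'<input type="hidden" name="_dp_nonce" value="{nonce}">'
              f'<input type="hidden" name="_dp_sig" value="{_sign(nonce)}">'
              f'<input type="hidden" name="_dp_decoy" value="">')
    return form_html.replace("</form>", points + "</form>", 1)

def fields_from_html(html: str) -> dict:
    """Collect name/value pairs the way a client would echo them back (test helper)."""
    return dict(re.findall(r'name="([^"]+)" value="([^"]*)"', html))

def inspect_submission(client: str, fields: dict) -> str:
    """Return 'blocked', 'tampered' or 'ok' for one inbound form submission."""
    if client in TAGGED_CLIENTS:
        return "blocked"             # tagged on an earlier attempt; no need to re-inspect
    nonce = fields.get("_dp_nonce", "")
    sig = fields.get("_dp_sig", "")
    intact = bool(nonce) and hmac.compare_digest(sig, _sign(nonce)) \
        and fields.get("_dp_decoy") == ""
    if not intact:                   # a missing, forged or filled-in point is a clear signal
        TAGGED_CLIENTS.add(client)
        return "tampered"
    return "ok"
```

A production version would also bind the nonce to the session and expire it, so a captured form cannot be replayed indefinitely.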
There are benefits of the Mykonos approach over traditional web application firewalls:
+ Mykonos does not have to learn web application behavior or understand the business logic expressed in the web dialog. This significantly simplifies the administration and reduces false positives that can plague other web application firewalls.
+ IT does not have to coordinate changes to the dynamic web site with security – the Mykonos appliance just recognizes the presence of a form and applies its detection-point-based logic. Traditional solutions that depend on rules or a learning mode struggle to keep up with the rate of change of dynamic web sites.
+ As a start-up with a new idea, Mykonos can tap into existing enterprise PCI-driven line item budgets for web application firewalls.
The intelligence gathered on the attackers, their locations and attack methods, gives the company nice flexibility going forward. They still have challenges, such as ensuring that attackers can’t recognize detection points to bypass the security mechanisms, or improving the catch rate of already developed attacks. The Mykonos idea has a lot going for it, without requiring cumbersome rules. With proper execution, Mykonos will have a fun 2011.