Why do we have to choose between performance and security?
"The country's economy relies heavily on networked computer information systems, and this dependence on computer-based, networked information systems will only increase. When services are interrupted and data are stolen or misused, property and even lives are placed at risk. Cybercrime and the attendant threat of identity theft reduce user and consumer confidence, slowing the acceptance of e-commerce." (Conclusion of the CSI/FBI 2006 Survey). "75% of malicious attacks on the web take place on the application layer" (Gartner). "The evolution of web applications has been characterized by a relatively immature level of security awareness..." (Deloitte & Touche)
It is obvious that in any business or institution, information is increasingly important, and websites are thus at the core of the activity: they SUPPORT VALUE. Whether you are an e-merchant, a car manufacturer, an administration or a plumber, your core assets (accounting, supply chain, customer data, business information, ...) are processed, stored and communicated via your IT system, and they may indirectly be accessed via your website, because the website is often the ENTRY POINT of the IT system.
It is a fact: more and more companies and administrations tend to "webize" their IT infrastructure. Web applications include, of course, public websites, but also internal business-logic applications, intranets, extranets and portals. What do web applications benefit from? Well, you may have been convinced by:
- Ease of development and deployment: affordable technologies such as web servers (Apache, ...) and tools (PHP, ...), many available developers, quick (too quick?) developments
- Standardisation and universality: open and well-documented protocols, a large existing base of open source and proprietary applications
- Ease of communication and access: interconnecting IT systems is easy, and a web application can be displayed in any browser
- The capacity to maintain and upgrade a web application without needing to distribute or (re)install software on thousands of computers
But there is a flip side: being open and visible from the Internet brings dangers and threats that are often underestimated.
The second article in this series will deal with web protocols.
Richard Touret is a manager at Binarysec (http://www.binarysec.com), a security software company publishing an intelligent web application "softwall", or software firewall. This Apache module adapts to most websites, learning legitimate traffic in order to block malicious requests, including SQL injection, cross-site scripting, directory traversal, forceful browsing, command injection, parameter tampering, attack obfuscation, buffer overflows...