For Your Eyes Only
Electronic Security Firm Is Battle Hardened
April 2003
Best's Review
Like many security firms with Israeli roots, Sanctum employs technology developed
by a super-secret unit in the Israeli army. Sanctum was formed more than six years ago
when founders recognized that many companies, among them insurers and health-care providers,
were hosting private and confidential information on their Internet sites, yet faced
major security problems because of poorly designed applications and increasingly complex
sites, Chief Executive Officer Peggy Weigle said from her office in Santa Clara, Calif.
To address this, Sanctum introduced two automated Internet security solutions that can
help organizations detect hacking forays and block them. One product, AppShield,
"does for the Internet site what network firewalls do for the network," Weigle said.
AppShield monitors what a user does on a Web site and which applications are being accessed,
and if it recognizes so-called "bad behavior," it will stop the user cold in his tracks,
she said. The second product, AppScan, is an auditing tool that Sanctum uses when asked
to assess the vulnerability of a Web site at the application level, where most security
breaches occur. AppScan also is used by internal application developers, application
quality assurance and security audit groups at large corporations to assess and fix
their Web application vulnerabilities.
In one case, Blue Cross Blue Shield of Kansas City called in the security firm when
the insurer suspected its six-month-old Web site, which services a sizable population,
might be vulnerable to "cookie poisoning," Weigle said. This "poisoning" involves altering
a cookie, or series of numbers that identifies a user when he or she logs onto a site.
The "cookie" then follows the user in moving from one part of the site to another.
"Once hackers get on a site, they can go in and try to steal someone else's cookie
and then you have access to that user session," Weigle said. "If you don't protect
against cookie poisoning, you are allowing somebody to steal your identity and
then get access to the private information of another person."
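The weakness described above is a session cookie that is nothing more than a user number, so changing the number changes whose session the server serves. The added example below (not from the article or from Sanctum's products) contrasts that design with a cookie whose identifier is bound by an HMAC tag under a constructed server-side key, so an altered identifier is detected and rejected rather than honored.

```python
# Added example: raw numeric session cookie vs. HMAC-signed cookie.
# SERVER_KEY is a constructed demo value; a real deployment loads it
# from a secret store and rotates it.
import hmac
import hashlib
import secrets

SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def issue_unsigned_cookie(user_id: int) -> str:
    """The weak design in the article: the cookie is just the user's number."""
    return str(user_id)


def issue_signed_cookie(user_id: int, key: bytes = SERVER_KEY) -> str:
    """Format: user_id.nonce.tag -- the tag covers id and nonce, so any edit
    to the id invalidates the cookie unless the editor holds the server key."""
    nonce = secrets.token_hex(8)
    payload = f"{user_id}.{nonce}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_signed_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the user_id when the tag verifies, otherwise None (the server
    should treat None as a tampering event worth logging, not a logged-out user)."""
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    user_id, nonce, tag = parts
    expected = hmac.new(key, f"{user_id}.{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time compare avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return int(user_id)


def tamper_user_id(cookie: str, new_user_id: int) -> str:
    """Simulate the alteration the article calls poisoning: swap the leading
    identifier and leave everything else untouched."""
    head, *rest = cookie.split(".", 1)
    return str(new_user_id) if not rest else f"{new_user_id}.{rest[0]}"
```

Against the unsigned cookie the swapped identifier is simply accepted as the new user; against the signed cookie the same swap fails verification.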
Sanctum performed an audit for Blue Cross Blue Shield of Kansas City and confirmed
the company's fears. Because of the Health Insurance Portability and Accountability
Act, the insurer's management decided to act immediately, Weigle said. One solution
could have meant deploying three or four people to completely rewrite the applications
so that they did not use cookies, a process that would have taken four months with
the site down the entire time. That option was rejected. Instead, the insurer opted
for one-day results by installing Sanctum's AppShield, which is designed to be put
up in front of a company's application servers to detect and deter any hacker attempts,
Weigle said.
"Let's say you're logging on to your favorite health-care provider site, and there's
a user name and a password field to fill in," Weigle said. "If you're a hacker
and the developer of the site certainly didn't anticipate that you would
do anything other than put in a user name and password, you can basically insert
a program or script in that field that can run a query against the database
sitting behind there holding all the private information."
If the site developer didn't explicitly write the application code to protect
against data manipulation by using special characters such as ampersands and
caret signs, then it's very likely that a hacker will be able to hack
a site and obtain confidential information, she noted. "This is another portion of
the whole infrastructure that really desperately needs protection because it's the
easiest place to penetrate," she said.
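Weigle's login-field scenario comes down to whether the characters a user types are treated as data or as part of the query. The added example below (not from the article; it uses Python's sqlite3 module and a constructed in-memory user table) shows a login check written by string concatenation next to the parameterized form. A single apostrophe in a legitimate name is enough to show that the concatenated version parses field contents as SQL, which is the same property that lets a crafted field change what the query does.

```python
# Added example: concatenated vs. parameterized login query.
# The user table and its rows are constructed for the demonstration.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hunter2", "000-00-0001"),
        ("o'brien", "pa55", "000-00-0002"),   # legitimate name with a quote
    ])
    return conn


def login_concat(conn, name: str, pw: str):
    """Vulnerable: field contents are pasted into the SQL text, so quotes
    and other special characters are interpreted by the SQL parser."""
    sql = f"SELECT ssn FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone()


def login_param(conn, name: str, pw: str):
    """Hardened: placeholders bind the field contents as values, so the
    query's structure is fixed before any user input is seen."""
    sql = "SELECT ssn FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone()


def probe(conn, name: str, pw: str) -> dict:
    """Run both versions on the same input and record whether the
    concatenated query even parsed; a parse error on ordinary input is
    the tell-tale that the field is reaching the database as code."""
    result = {"param": login_param(conn, name, pw)}
    try:
        result["concat"] = login_concat(conn, name, pw)
        result["concat_error"] = None
    except sqlite3.Error as exc:
        result["concat"] = None
        result["concat_error"] = type(exc).__name__
    return result
```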
Her biggest challenge has been convincing company officials that safeguarding
their Web sites should be a top priority. The security personnel understand the
need, Weigle said, but in many organizations, security budget dollars are very tight.
Executives who hold the purse strings are under spending constraints, and without
a clear corporate mandate, Web site security isn't given a high enough priority
because it's technical and they have already spent a lot of money on security,
she said. "They've bought firewalls and anti-virus protection, and they really
thought that they had bought enough technology to protect them," Weigle said.
"Until established Internet sites, that was probably true, but once you open up
all your private information via these Web sites, you've basically created a
portal into your back-end systems that a hacker can manipulate unless the
company has secured this last mile."
But the implementation of HIPAA's Privacy and Security rules, which she sees as
naturally linked, has made her sales job easier, Weigle said. She likes to point
to the track record of AppShield, which has more than 150 installations worldwide and
has been battle-tested on the company founders' home turf. Sanctum installed it in
front of several Israeli Web sites including the Jewish state's Knesset, or Parliament,
site in September 2000. "Those sites had been routinely and ferociously attacked by
anti-Israel hackers," Weigle said. "They could not keep the Knesset site up and running
for more than a few minutes--it would get attacked again and it would fall over.
So we were brought in. We installed the software in 48 hours, and when we turned on
the logging capability, they saw that there were 3,000 hacking attacks against the
site a day and this product was blocking every single one of them."
In recent months, the political environment in Israel has worsened and the Knesset site
is now logging 10,000 direct attacks a day, Weigle said. "But in more than two
years' time," she added, "the application has never been breached."