[WEB SECURITY] Are there any disadvantage of Application Security SaaS offering?

Jeremiah Grossman jeremiah at whitehatsec.com
Tue Jul 21 11:59:56 EDT 2009

Hi Sutapa,

	Great question, surprised no one has asked it here before. As the  
founder of the company that pioneered SaaS for website vulnerability  
assessment, please take my bias into account on the comments below.

SaaS is a business model which, in the website VA space, is an  
alternative to purchasing scanning products or one-off consulting  
engagements. As you mentioned, SaaS has amazing cost efficiencies, but  
the model also speeds technology innovation by enabling vendors to  
benefit from their own results. R&D using primarily test websites is  
lame at best when compared with learning from scan results on large  
numbers of real-world websites. At the same time, anything offered as  
SaaS has common disadvantages and website VA is no different. Here are  
some to be mindful of:

1) Adoption of SaaS can be slowed by individuals inside the  
organization who find it difficult to relinquish control or trust  
third-parties. The vendor becomes a custodian of some very sensitive  
information, vulnerability data. This data must be protected with at  
least as much care as the organization would provide on its own --  
hopefully much better.

2) Exacerbated by the current economic climate, concern around what  
happens to the data if the vendor disappears is prudent. While no  
revenue-generating business processes are given up by outsourcing  
website VA, the data is what is of immediate importance, followed by  
how to reestablish service. Understanding SLAs is key.

3) The knowledge and experience of how to conduct website VA is not  
internalized with SaaS. Scanning tools require users to learn a number  
of new skills to become proficient and productive, which could be of  
long-term use to the organization.

4) Certain industries may not allow the outsourcing of particular data  
or business functions to third-parties, which makes SaaS a non-option.  
Organizations must clearly understand their objectives and operating  

There are a number of notable disadvantages for the vendors, which  
oddly turn into customer market advantages, but we'll save that for  
another time. :)


Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: jeremiahg

On Jul 20, 2009, at 11:22 PM, sutapa dey wrote:

> Hi All,
> Today, there are a couple of vendors in the market, such as WhiteHat  
> Sentinel and HP Application Security Center, who are offering  
> application security software as a service. I accept that there are  
> manifold advantages of a SaaS model, the prime one being cost  
> reduction.
> But as every model has its own advantages as well as disadvantages,  
> similarly SaaS with respect to app security also must have some  
> disadvantages.
> Just wanting to know your suggestions on what possible disadvantages  
> SaaS for app security has. From my side, one suggestion may be  
> sharing "application code/application details" to a third party may  
> pose a risk.
> Regards,
> Sutapa

Join us on IRC: irc.freenode.net #webappsec

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

More information about the websecurity mailing list