[WEB SECURITY] Are there any disadvantage of Application Security SaaS offering?
jeremiah at whitehatsec.com
Tue Jul 21 11:59:56 EDT 2009
Great question, surprised no one has asked it here before. As the
founder of the company that pioneered SaaS for website vulnerability
assessment, please take my bias into account on the comments below.

SaaS is a business model which, in the website VA space, is an
alternative to purchasing scanning products or one-off consulting
engagements. As you mentioned, SaaS has amazing cost efficiencies, but
the model also speeds technology innovation by enabling vendors to
benefit from their own results. R&D using primarily test websites is
lame at best when compared to learning from scan results on large numbers
of real-world websites. At the same time, anything offered as SaaS
has common disadvantages and website VA is no different. Here are
some to be mindful of:
1) Adoption of SaaS can be slowed by individuals inside the
organization who find it difficult to relinquish control or trust
third-parties. The vendor becomes a custodian of some very sensitive
information, vulnerability data. This data must be protected with at
least as much care as the organization would provide on its own --
hopefully much better.
2) Exacerbated by the current economic climate, concerns around what
happens to the data if the vendor disappears are prudent. While no
revenue generating business processes are given up by outsourcing
website VA, the data is what is of immediate importance followed by
how to reestablish service. Understanding SLAs is key.
3) The knowledge and experience of how to conduct website VA is not
internalized with SaaS. Scanning tools require users to learn a number
of new skills to become proficient and productive, which could be of
long-term use to the organization.
4) Certain industries may not allow the outsourcing of particular data
or business functions to third-parties, which makes SaaS a non-option.
Organizations must clearly understand their objectives and operating
There are a number of notable disadvantages for the vendors, which
oddly turn into customer market advantages, but we'll save that for
another time. :)
Chief Technology Officer
WhiteHat Security, Inc.
On Jul 20, 2009, at 11:22 PM, sutapa dey wrote:
> Hi All,
> Today, there are a couple of vendors in the market such as WhiteHat
> Sentinel, HP Application Security Center, who are offering
> application security software as a service. I accept that there are
> manifold advantages of a SaaS model, the prime one being cost
> But as every model has its own advantages as well as disadvantages,
> similarly SaaS with respect to app security also must be having some
> Just wanting to know your suggestions on what possible disadvantages
> SaaS for app security has. From my side, one suggestion may be
> sharing "application code/application details" to a third party may
> pose a risk.