[WEB SECURITY] Are there any disadvantage of Application Security SaaS offering?
Jeremiah Grossman
jeremiah at whitehatsec.com
Tue Jul 21 13:35:34 EDT 2009
On Jul 21, 2009, at 10:15 AM, Bil Corry wrote:
> Jeremiah Grossman wrote on 7/21/2009 10:59 AM:
>> At the same time, anything offered as SaaS has
>> common disadvantages and website VA is no different.
>
> Would a product such as yours still work when the target system is
> inaccessible from the internet?
Maybe I should have listed the potential disadvantage of SaaS as it
would appear the external position only allows it to scan
Internet-facing websites. There are SaaS-based website VA offerings, WhiteHat
Sentinel included, capable of supporting non-Internet-facing systems
such as in development and staging environments. This is achieved in
two possible ways.
1) Allow the SaaS offering IP-ranges through the firewall and/or route
them to the eventual destination.
2) Appliance proxy. Install a device behind the firewall, which then
connects out to the SaaS infrastructure thereby establishing an
outside-inside traffic conduit. Whatever the proxy is allowed to access, so
can the SaaS offering.
Both options are already fairly common in the managed security
services markets, IDS/IPS and network vulnerability scanning for
example.
Regards,
Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
http://www.whitehatsec.com/
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: jeremiahg
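
Added example, not part of the original message: a Python check of how far firewall allow rules let a SaaS scanner reach under either option above, since whatever the proxy is allowed to access, so can the SaaS offering. All address ranges, rule names and approved targets are constructed assumptions and do not describe any vendor's real ranges.

```python
"""Audit which internal destinations a SaaS scanner can reach via allow rules.

All addresses, ranges and rules below are constructed sample data.
"""
from ipaddress import ip_network

# Assumption: source ranges published by the SaaS vendor (option 1), plus the
# address of an on-premises proxy appliance (option 2).
SCANNER_SOURCES = [ip_network("203.0.113.0/24"), ip_network("10.20.0.5/32")]

# Assumption: destinations approved for scanning, as (network, port) pairs.
APPROVED_TARGETS = [(ip_network("10.30.1.0/28"), 443),
                    (ip_network("10.30.2.10/32"), 8443)]

# Constructed allow rules: (name, source, destination, port or None for any).
RULES = [
    ("staging-web", "203.0.113.0/24", "10.30.1.0/28", 443),
    ("staging-api", "10.20.0.5/32", "10.30.2.10/32", 8443),
    ("too-wide-dst", "203.0.113.0/24", "10.30.0.0/16", 443),
    ("any-port", "10.20.0.5/32", "10.30.1.0/28", None),
    ("unrelated", "198.51.100.0/24", "10.40.0.0/16", 22),
]


def from_scanner(source):
    """True if the rule's source overlaps any scanner or appliance range."""
    return any(source.overlaps(s) for s in SCANNER_SOURCES)


def within_approved(dest, port):
    """True if destination and port sit entirely inside one approved target."""
    if port is None:  # "any port" always exceeds a port-specific approval
        return False
    return any(dest.subnet_of(net) and port == p for net, p in APPROVED_TARGETS)


def audit(rules):
    """Return names of rules that give the scanner more reach than approved."""
    findings = []
    for name, src, dst, port in rules:
        if from_scanner(ip_network(src)) and not within_approved(ip_network(dst), port):
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in audit(RULES):
        print(f"rule {name!r} exceeds the approved scan scope")
```
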