[WEB SECURITY] Are there any disadvantage of Application Security SaaS offering?

Jeremiah Grossman jeremiah at whitehatsec.com
Tue Jul 21 13:35:34 EDT 2009

On Jul 21, 2009, at 10:15 AM, Bil Corry wrote:

> Jeremiah Grossman wrote on 7/21/2009 10:59 AM:
>> At the same time, anything offered as SaaS has
>> common disadvantages and website VA is no different.
> Would a product such as yours still work when the target system is  
> inaccessible from the internet?

Maybe I should have listed the potential disadvantage of SaaS as it
would appear the external position only allows it to scan
Internet-facing websites. There are SaaS-based website VA offerings, WhiteHat
Sentinel included, capable of supporting non-Internet-facing systems  
such as in development and staging environments. This is achieved in  
two possible ways.

1) Allow the SaaS offering IP-ranges through the firewall and/or route  
them to the eventual destination.

2) Appliance proxy. Install a device behind the firewall, which then
connects out to the SaaS infrastructure, thereby establishing an
outside-inside traffic conduit. Whatever the proxy is allowed to access, so
can the SaaS offering.

Both options are already fairly common in the managed security  
services markets, IDS/IPS and network vulnerability scanning for  


Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: jeremiahg
