[WEB SECURITY] Are there any disadvantage of Application Security SaaS offering?

Rafal @ IsHackingYou.com rafal at ishackingyou.com
Tue Jul 21 14:10:22 EDT 2009


Actually... if I may throw in an HP vendor-response here... that's not 
entirely the case!

  Our [HP's] "SaaS" offering employs and extends our sensor/controller model 
wherein there is a "Controller" (AMP Server) which lives at the SaaS 
hosted-center; while your "sensors" live wherever you would like them to 
live.  This can be internal, external, or in the SaaS environment... doesn't 
matter; for us it's all in the implementation.

  Our customers typically utilize the sensors so that they can place them 
"inside the data center" closest to their applications so as not to have to 
scan across IPS/IDS, firewalls and other network devices for a "clean" scan. 
These sensors are commonly deployed internally as well, where the sensor and 
controller only need to communicate via https... and only on scan 
initialization (controller sends a command to the sensor) and completion of the 
scan (sensor sends back findings).

  We've utilized this model in order to cut down on the volume of traffic we 
have to send when crossing customer equipment for internal scans (even 
exterior-facing scans cross firewalls), as this can cause customers issues 
such as filling up state tables, setting off alerts, or clogging precious 
bandwidth.  Also, this makes it more certain that a 'scan' is cleared of any 
network-generated false-positives/false-negatives.  Think about it... if an 
attack is sent and captured on your IPS/IDS and never makes it to your app 
(and your app is vulnerable to the attack), you still want to know... right?

  Sorry for the vendor response but I figured I'd jump in as the ice has 
already been broken :)

Cheers.

__
Rafal M. Los
Security & IT Risk Strategist

 - Blog:     http://preachsecurity.blogspot.com
 - LinkedIn: http://www.linkedin.com/in/rmlos
 - Twitter:  http://twitter.com/RafalLos

--------------------------------------------------
From: "Jeremiah Grossman" <jeremiah at whitehatsec.com>
Sent: Tuesday, July 21, 2009 12:35 PM
To: <websecurity at webappsec.org>
Subject: Re: [WEB SECURITY] Are there any disadvantage of Application 
Security SaaS offering?


On Jul 21, 2009, at 10:15 AM, Bil Corry wrote:

> Jeremiah Grossman wrote on 7/21/2009 10:59 AM:
>> At the same time, anything offered as SaaS has
>> common disadvantages and website VA is no different.
>
> Would a product such as yours still work when the target system is
> inaccessible from the internet?

Maybe I should have listed the potential disadvantage of SaaS, as it
would appear the external position only allows it to scan
Internet-facing websites. There are SaaS-based website VA offerings, WhiteHat
Sentinel included, capable of supporting non-Internet-facing systems
such as development and staging environments. This is achieved in
two possible ways.

1) Allow the SaaS offering IP-ranges through the firewall and/or route
them to the eventual destination.

2) Appliance proxy. Install a device behind the firewall, which then
connects out to the SaaS infrastructure, thereby establishing an
outside-inside traffic conduit. Whatever the proxy is allowed to access, so
can the SaaS offering.

Both options are already fairly common in the managed security
services markets, IDS/IPS and network vulnerability scanning for
example.


Regards,

Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
http://www.whitehatsec.com/
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: jeremiahg

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA 