[WEB SECURITY] Are there any disadvantage of Application Security SaaS offering?

Prasad Shenoy prasad.shenoy at gmail.com
Tue Jul 21 14:20:32 EDT 2009


Depending on the type of services you avail (premium, standard,
etc.; nomenclature varies with vendors), a couple of value-adds I see
are:

1. Added expertise - some vendors offer security assessment teams who
perform manual assessment on applications as part of the service. So
read: more human power to identify logic abuse and other types of flaws
that cannot be detected by automated scanners (you save cost on hiring
a team of experts to do that)
2. State of the art research and timely updates provided as part of
the SaaS service
3. Uptime and 24x7 availability of results and dashboard across the
globe (if you are a globe-trotting CISO)

Jeremiah might have more to add on this or correct me if need be :-)

Thanks & Regards,
Prasad N. Shenoy



On Tue, Jul 21, 2009 at 1:57 PM, Martin, Christopher
<chrismartin at firstam.com> wrote:
> Good examples that are similar would be ncircle and qualys VA appliances
> which operate according to #2.
>
>
>
> -----Original Message-----
> From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com]
> Sent: Tuesday, July 21, 2009 12:36 PM
> To: websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] Are there any disadvantage of Application
> Security SaaS offering?
>
>
> On Jul 21, 2009, at 10:15 AM, Bil Corry wrote:
>
>> Jeremiah Grossman wrote on 7/21/2009 10:59 AM:
>>> At the same time, anything offered as SaaS has common disadvantages
>>> and website VA is no different.
>>
>> Would a product such as yours still work when the target system is
>> inaccessible from the internet?
>
> Maybe I should have listed the potential disadvantage of SaaS as it
> would appear the external position only allows it to scan
> Internet-facing websites. There are SaaS-based website VA offerings,
> WhiteHat Sentinel included, capable of supporting non-Internet-facing
> systems such as in development and staging environments. This is
> achieved in two possible ways.
>
> 1) Allow the SaaS offering IP-ranges through the firewall and/or route
> them to the eventual destination.
>
> 2) Appliance proxy. Install a device behind the firewall, which then
> connects out to the SaaS infrastructure, thereby establishing an
> outside-inside traffic conduit. Whatever the proxy is allowed to
> access, so can the SaaS offering.
>
> Both options are already fairly common in the managed security services
> markets, IDS/IPS and network vulnerability scanning for example.
>
>
> Regards,
>
> Jeremiah Grossman
> Chief Technology Officer
> WhiteHat Security, Inc.
> http://www.whitehatsec.com/
> Blog: http://jeremiahgrossman.blogspot.com/
> Twitter: jeremiahg
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>

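The two access models Jeremiah describes (firewall allow-listing of the SaaS scanner's source ranges, and an appliance proxy that dials out and relays whatever it is itself allowed to reach) modelled as a small policy check. This is an added example, not code from the thread or from any vendor; all IP ranges, hostnames and ports are constructed, and the point it makes is that under option 2 the proxy's own destination allow-list is what bounds the SaaS's reach.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Option 1: the perimeter firewall permits only the scanner's published
# source ranges to the in-scope, Internet-facing targets.
# Ranges are constructed (RFC 5737 documentation space), not any vendor's.
SCANNER_SOURCE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
INTERNET_FACING_TARGETS = {ipaddress.ip_address("198.51.100.10")}


def firewall_permits(src: str, dst: str) -> bool:
    """True if a connection from src to dst matches the scanner allow rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    from_scanner = any(s in net for net in SCANNER_SOURCE_RANGES)
    return from_scanner and d in INTERNET_FACING_TARGETS


# Option 2: an appliance proxy behind the firewall connects out to the SaaS.
# The SaaS can reach exactly what the proxy can reach, so the proxy carries
# its own destination allow-list (host -> ports) and an audit log.
@dataclass
class ApplianceProxyPolicy:
    allowed: Dict[str, Set[int]]            # constructed staging scope
    audit: List[str] = field(default_factory=list)

    def permits(self, host: str, port: int) -> bool:
        ok = port in self.allowed.get(host, set())
        self.audit.append(f"{'ALLOW' if ok else 'DENY'} {host}:{port}")
        return ok


def scan_plan(policy: ApplianceProxyPolicy,
              requests: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Return only the (host, port) pairs the proxy will relay to the SaaS."""
    return [(h, p) for h, p in requests if policy.permits(h, p)]


if __name__ == "__main__":
    staging = ApplianceProxyPolicy(
        allowed={"staging-app.internal": {80, 443}, "dev-app.internal": {8080}}
    )
    # A database host and an SSH port are outside the proxy's scope, so the
    # SaaS cannot reach them even though the conduit is established.
    wanted = [("staging-app.internal", 443), ("db.internal", 5432),
              ("dev-app.internal", 8080), ("dev-app.internal", 22)]
    print(scan_plan(staging, wanted))
    print("\n".join(staging.audit))
```

The audit list is the record a defender would forward to the SIEM: each DENY is a request the SaaS made outside the agreed scope.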