• Support   |   Contact a Representative   |   Contact WhiteHat

• Website Risk Management
  • Asset Identification
  • Vulnerability Management
  • Reporting/Communication
  • Protection
• Sentinel Services
  • Cost-effective Solution
  • Benefits
  • Core Features
  • Unique Methodology
  • Selection Guidelines
  • Sentinel Premium Edition
  • Sentinel Standard Edition
  • Sentinel Baseline Edition
  • Sentinel for QA
  • PCI Compliance
  • Integration – via XML API
  • Certification Program
  • How Sentinel Works
  • WAF Integration
• Support Plus
  • Gold Service Level
  • Silver Service Level
  • Standard Service Level
  • Service Levels
• Education Services
  • Guidelines
  • Intro to Web App Security
  • Secure Coding for Java
  • .NET
• Events & News
  • News Coverage
  • Press Releases
  • Interviews
  • Awards
• Resources
  • Whitepapers
  • Webinars & Presentations
  • Jeremiah Grossman Blog
  • Website Statistics Report
  • Website Security Glossary
• Partners
  • Strategic Partners
  • Partner Application Form
  • Partner Portal Login
• About WhiteHat Security
  • Leadership Team
  • Board of Directors
  • Success Stories
  • Careers
  • Contact Us
  • Support

• Resources
• Whitepapers
• Webinars & Presentations
• Jeremiah Grossman Blog
• Website Statistics Report
• Sentinel Videos

Technical Brief

Software-as-a-Service (SaaS) vs "Do-it-Yourself" with a Web Application Scanner

Download a Complimentary Copy of this Brief ›››

Websites are the #1 Target – and They are Vulnerable
Having the most efficient website vulnerability management process possible is vital because if you research any industry vulnerability report or ask any security expert, they will tell you the Web application layer is the number one target for malicious attacks. The recently published SANS Top-20¹ for 2007 has this to say:

“Although half the total vulnerabilities reported in 2007 are in Web applications, it’s only the tip-of-the-iceberg. These data exclude vulnerabilities in custom developed Web applications. Compromised Web sites provide avenues for massive client-side compromises via Web browser, office documents, and media player exploits.”

WhiteHat Security’s own research² from weekly assessments of hundreds of the largest and most popular public-facing and pre-production websites confirms this fact: 9 out 10 websites have vulnerabilities. This hasn’t gone unnoticed by the credit-card brands as criminals are compromising websites and snatching card numbers by the millions. The Payment Card Industry Data Security Standard (PCI-DSS)³ has mandated application code reviews or application layer firewalls by June of 2008. To stay ahead of the bad guys and maintain compliance, there’s just one way – SaaS.

SaaS Scales, Scanning Tools do Not
Purchasing a Web application scanningtool and performing the work in-house is a common approach, mainly due to the mistaken belief that scanning websites is similar to scanning networks for vulnerabilities with products like Nessus. Corporate security teams assume the process is straightforward, fully automated, will point out the vulnerabilities, and where changes need to be made. They also believe that scanners allow them to retain control over the vulnerability management process. This is simply not the case.

Web application vulnerability scanners are sophisticated pieces of technology that require substantial of on-going customization and tuning, expertise to operate, and time spent analyzing results to reduce false positives and duplicates. It’s been well documented that scanners are not effective at identifing the OWASP Top Ten⁴. And, scanners fail to address about half of the assessment process because they can’t and don’t test for business logic flaws, which can only be identified by humans. It’s for these reasons and more that scanning tools have proven to be an ineffective solution for the enterprise. SaaS in general, and WhiteHat Sentinel in particular, was designed from the ground up to scale massively, support the largest enterprises, and offer the most compelling business efficiencies.

Think of it this way: With a scanner, a single qualified person might be able to set-up, scan, and analyze 3-5 websites per month (see graph above). It cannot scale. For organizations with dozens, hundreds, or even thousands of websites, using scanners in-house requires a major investment in hiring, training, and infrastructure building – not to mention software licensing costs. The enterprise demands something more efficient and comprehensive and the control that security professionals seek is not delivered with scanners like it is with SaaS.
Organizations can free-up their in-house resources to focus on fixing issues, not just finding the vulnerabilities. This is essential if they plan to make real, measurable improvements to their security posture.

Security, Efficiency, and Effectiveness
While SaaS seems an obvious choice, it does not come without its fair share of considerations. As in other markets, the typical SaaS benefits in website security are readily apparent—lower capital expenditures, no maintenance, and no additional head count. However, many companies are wary of entrusting the security of their websites, often a major revenue source and the gateway to personal customer data, to an outsourced service. Ironically, most websites are getting regular assessments from outsiders, namely hackers, on a daily basis.
Some organizations have policies prohibiting the use of third-party security firms for confidentiality reasons. While such a policy may be well intended, it means only the bad guys know the true security posture; and, the staff is prevented from seeking help from leading website security experts. Others are concerned about the fallout if the SaaS provider is hacked. The truth is: not all SaaS applications are created equally. So, it’s in the best interest of the customer to ensure the SaaS vendor’s security is equal to or greater than their own standards, i.e., networks are properly locked down, data physically guarded, and staff with access to customer data having passed background checks.

As a pioneer of SaaS in the Web application security market, WhiteHat has seen the attitudes of corporate security teams evolve. Often, developers and security teams fear losing control of the assessment process and their data. The reality is that website security in most companies is already out of control. It is nearly impossible to meaningfully manage website vulnerabilities in multiple websites without the SaaS approach. WhiteHat knows from its own experience and that of its customers, including many of the Fortune 500, that SaaS is the only scalable, repeatable means of providing oversight of corporate websites and instituting an effective and complete website vulnerability management program.

Footnotes:
1. SANS Top-20 2007
2. WhiteHat Security Website Security Statistics Report
3. PCI Security Standards Council
4. Automated Scanning vs the OWASP Top Ten