
Software as a Service (SaaS)
A Better Approach to Website Vulnerability Management

Benefits of Software-as-a-Service Model for Website Security

Securing Web applications is a complex process that is extremely difficult to manage.  Large corporations typically have hundreds, and sometimes even thousands, of QA and publicly facing websites to secure.  New websites are constantly being created and existing sites change all the time, with very little security oversight built into the process.  The other challenge is that the threat environment itself keeps changing: new Web hacking techniques are discovered continually, and at least one new sophisticated attack vector is published every week.


The Scanner Conundrum - Not as Easy as it Seems

So, how do companies solve this complex and difficult problem?  A common approach is to purchase a Web application scanning tool and perform the work in-house, mainly due to the mistaken belief that scanning websites is similar to scanning networks for vulnerabilities.  It is not: a network scanner checks known services against a fixed set of signatures, whereas a Web application scanner has to be configured to authenticate to, navigate and understand each application individually.  Corporate security teams assume the process is straightforward and fully automated, and that the tool will point out the vulnerabilities and where changes need to be made.  They also believe that scanners will allow them to retain control over the vulnerability management process.  This is simply not the case.

Web application vulnerability scanners are sophisticated tools that require substantial ongoing customization and tuning, expertise to operate, and time spent analyzing results to eliminate false positives and duplicate findings.  For these reasons and more, scanning tools have proven to be an ineffective solution for the enterprise.  So what is the answer?  At WhiteHat, we built WhiteHat Sentinel on a Software-as-a-Service (SaaS) model, designed from the ground up to scale massively, support the largest enterprises and offer the most compelling business efficiencies.

The Hidden Costs and Complexities of Scanner Management

Think of it this way: with a scanner, a single qualified person might be able to set up, scan and analyze 3-5 websites per month.  That is roughly 36-60 websites per year, and it amounts to only one scan per website per year, which is not adequate if a website changes more than once a year.  For organizations with dozens, hundreds, or even thousands of websites, using scanners in-house requires a major investment in hiring, training, and infrastructure building, not to mention software licensing costs.  The control that security professionals are looking for is delivered by a SaaS solution, not by scanners.

Further, you must be able to find, hire and retain those qualified people, which is very difficult in the Web application security arena.  The vast majority of security professionals have backgrounds deeply rooted in network security and very little experience with application security.  And once found, experienced Web application security professionals command top dollar, making the "investment" in application security far more costly.

The enterprise demands security solutions that are simple, efficient, effective and scalable.  In the world of website vulnerability management, these benefits are only possible with a solution built on a SaaS vision.  Companies need the ability to assess all of their websites on an ongoing basis; they can then free up their in-house resources to focus on fixing vulnerabilities rather than just finding them.  This is essential if they plan to make real, measurable improvements to their security posture, which is the goal every company should be focused on achieving.

The Four Key Advantages of WhiteHat’s Software-as-a-Service Model

1. Scalability - A SaaS-based solution is the only solution that can scale to meet the needs of a large enterprise.  A SaaS platform is built from the outset to handle huge volume.  In this case, WhiteHat's SaaS-based technology platform can assess tens of thousands of sites simultaneously, while a scanning tool can typically scan only one site at a time.

2. Rapid technology improvement - A SaaS solution is specifically designed to excel in a rapidly changing environment.  Not only can the customer assess its websites every time they change, but SaaS makes rapid software updates a key part of the delivery model.  For WhiteHat Sentinel, code is typically updated every few weeks, as opposed to the normal commercial software release cycle of three to six months.  For example, when a new attack vector is identified, a new check can be integrated into the code very rapidly and deployed to production within two to three weeks, to the benefit of the entire customer base.  That is something only a SaaS solution can offer.

3. No additional staff or infrastructure - With a SaaS-based solution, a company does not have to bear the burden of an upfront investment in hardware, software and personnel.  Not only is that investment costly, but, as mentioned above, it is very difficult to make in today's competitive security hiring environment.  All the costs involved in building a scalable infrastructure and technology are borne by WhiteHat Security.

4. Ease of implementation and management - A SaaS-based solution is easier to manage than scanning tools.  With WhiteHat Sentinel, the entire process is driven through a secure Web-based customer interface, from scheduling scans, to accessing data, to remediating vulnerabilities.  The data is also accessible to all relevant constituencies from a centralized portal: 24x7, securely, from anywhere in the world.
