Software-as-a-Service (SaaS) vs "Do-it-Yourself" with a Web Application Scanner
Websites are the #1 Target – and They are Vulnerable
WhiteHat Security’s own research [2] from weekly assessments of hundreds of the largest and most popular public-facing and pre-production websites confirms this fact: 9 out of 10 websites have vulnerabilities. This hasn’t gone unnoticed by the credit-card brands, as criminals are compromising websites and snatching card numbers by the millions. The Payment Card Industry Data Security Standard (PCI-DSS) [3] has mandated application code reviews or application-layer firewalls by June of 2008. To stay ahead of the bad guys and maintain compliance, there’s just one way: SaaS.
SaaS Scales, Scanning Tools do Not
Web application vulnerability scanners are sophisticated pieces of technology that require substantial ongoing customization and tuning, expertise to operate, and time spent analyzing results to reduce false positives and duplicates. It’s been well documented that scanners are not effective at identifying the OWASP Top Ten [4]. And scanners fail to address about half of the assessment process because they can’t and don’t test for business logic flaws, which can only be identified by humans. It’s for these reasons and more that scanning tools have proven to be an ineffective solution for the enterprise. SaaS in general, and WhiteHat Sentinel in particular, was designed from the ground up to scale massively, support the largest enterprises, and offer the most compelling business efficiencies.
Think of it this way: with a scanner, a single qualified person might be able to set up, scan, and analyze 3-5 websites per month (see graph above). It cannot scale. For organizations with dozens, hundreds, or even thousands of websites, using scanners in-house requires a major investment in hiring, training, and infrastructure building, not to mention software licensing costs. The enterprise demands something more efficient and comprehensive, and scanners do not deliver the control that security professionals seek the way SaaS does.
Security, Efficiency, and Effectiveness
As a pioneer of SaaS in the Web application security market, WhiteHat has seen the attitudes of corporate security teams evolve. Often, developers and security teams fear losing control of the assessment process and their data. The reality is that website security in most companies is already out of control. It is nearly impossible to meaningfully manage vulnerabilities across multiple websites without the SaaS approach. WhiteHat knows from its own experience and that of its customers, including many of the Fortune 500, that SaaS is the only scalable, repeatable means of providing oversight of corporate websites and instituting an effective and complete website vulnerability management program.
Software-as-a-Service (SaaS) is the efficient, modern way of delivering applications and securing them. Google, Salesforce.com, Amazon, and many other forward-thinking companies have set the stage for SaaS adoption. Payroll, email, spam and malware filtering, CRM, financial services, order processing, and even network vulnerability management are popular solutions already rapidly taking advantage of the SaaS model. The economics and business efficiencies are simply too compelling to pass up. As the industry leader for website vulnerability management delivered via SaaS, WhiteHat Security is demonstrating its value to the enterprise.