A recent article from SD Times, Slipping In The Side Door With App Security Message, describes how web application security scanner (SPI Dynamics, Fortify, Watchfire, Secure Software, etc.) vendors approach the market and where they believe things are heading. While I agree with these guys on many issues, I disagree with most of their conclusions and predictions cited within. Before firing away let's make it totally clear that I am 100% biased when it comes to web application vulnerability assessment solutions. If my ideas make sense to you, great, if not, that's OK, you've seen the opposite view.
Article Main Points:
Customer’s who don't buy, don't get it.
Today's customers DO get it and those who don't WANT TO. Black Hat's record web application security presence and the thousands of attendees filling the speeches are one testament to that. Informative articles, books, reports, tutorials, technical conversations, and hacks are published daily educating the customer. However, customer education comes with increased expectations of vendors. Smoke and mirrors sales tactics are unimpressive to the well informed. And if a customer didn't buy, it doesn’t mean they don't take web application security seriously. It probably means the solution wasn't what they needed. Or wanted.
Developers don’t see security as part of their role.
(Yes they do)
A developer’s responsibility is converting design specifications into a software implementation. Asking developers to use additional tools that interfere with the programming process will never be mainstream. That premise is in direct conflict with a their role and interests of the business. Developer’s want security baked into the programming languages and software libraries they use. Think Java. Think dotNET. What they WANT is code that’s secure from the beginning, scanning or no scanning. If you have a product that speeds code creation that also happens to be secure, then you have something of real value. Interests are in alignment.
White-Box / Black-Box combo is greater than the sum of its parts.
I've talked about it before; White or black box scanning is only capable of testing for about half of the potential vulnerabilities. Mostly technical vulnerabilities like Cross-site Scripting and SQL Injection, and not even those all of the time. The contextual business logic issues remain ignored. Combining two incomplete solutions will not add up to something comprehensive. Besides, these tools largely overlap in what they find anyway. But I want to be fair, this type of tight product integration is new, so I guess we’ll wait and see what how the performance turns out.
The market is heading towards more tools.
(That's where some vendors are heading, not the market.)
Customers want solutions that find all the vulnerabilities all the time (the goal) before and after software release. Tools aren’t going to accomplish that. We know it only takes a single vulnerability to seriously impact an online business. And just as its happening(-ed) in the network VA space, the web application security vulnerability assessment market will be dominated by service providers. Customers and service providers figured out that finding vulnerabilities is just one small piece of the puzzle. It takes a lot of infrastructure to continuously assess dozens/hundreds/thousands of websites, manage the vulnerability remediation process, and fulfill compliance obligations with third-party validation.