Software as a Service (SaaS) for Website Vulnerability Assessment (VA) – all the cool kids are doing it. WhiteHat Security has been the pioneer of the model for the last several years, but only very recently did industry activity demonstrate validation of the market. Huge companies are jumping in, making their moves with acquisitions, and retrofitting technology towards SaaS. Customer demand is growing extremely fast as customers come to understand webappsec’s importance. I’m hoping everyone is noticing the same great uptick in webappsec VA that we are. Anyway, all of this makes sense because many information security segments have followed similar evolutionary paths:
1) Technology starts off as someone’s pet project
2) Several variations work their way into first generation tools
3) They mature into enterprise product offerings
4) SaaS manifests as manageability, scalability, and economics become issues
This evolution occurred with the IDS, firewall, A/V, and network vulnerability assessment (VA) industries. Think of the parallels in network VA with SATAN, Nessus, eEye, ISS, Qualys, and everything in between. Today we’re witnessing it happening with website VA. The late ’90s and early ’00s saw the rise of scanners, proxies, and various tools like Whisker, Nikto, Elza, Achilles, and many others. Then Watchfire, SPI Dynamics, Cenzic, Acunetix, and NTOBJECTives raised the bar with commercial products. Of course it was only a matter of time before enterprises demanded better manageability, scalability, and economic options, as the tools alone weren’t getting the job done. Enter SaaS.
WhiteHat Security recognized this need and decided early on to go the SaaS-only route. There are millions of websites out there that need continuous VA and simply not enough web security experts to go around. This required us to build a technology platform capable of scanning the world’s largest websites (1MM+ links), lots of them all at the same time (thousands, tens of thousands, etc.), plus develop an efficient process to suppress false positives, and most importantly leverage the technology to create a streamlined, expert-driven methodology to complete comprehensive assessments. Clearly this is no small task, and one that takes serious development time and expertise to achieve. So let’s get to the bottom of who’s got what and what they’re doing.
Network VA SaaS pioneer Qualys plans to offer web application scanning in Q1 of ’08 and hired a couple of bright people to build the technology. This places Qualys in a similar position to ScanAlert (HackerSafe), which also does SaaS network VA and at least some web application scanning. Meanwhile, IBM and HP completed acquisitions of Watchfire and SPI Dynamics respectively. Attacking from both sides, published reports and insiders say that both behemoths are setting their sights on website VA SaaS, while at the same time AppScan/WebInspect R&D will push the products towards developers and QA testers. Finally, Core Impact and eEye are adding web application penetration testing to their products as well.
All this points to market momentum and healthy competition, great for the consumer and practitioner. It’s all about capabilities though.
For those who don’t already know, scanning a network for vulnerabilities has very little to do technologically with website or web application VA. This is a big reason why no one has successfully combined multiple VA solutions. Qualys has a nice infrastructure capable of scanning really big networks. However, they must start from scratch to build the technology capable of scanning websites for vulnerabilities. Plus, they enter an arena where others are entrenched with a several-year technology head start. They’ll have some proving to do. The same reasoning applies to ScanAlert, and both companies are big players in the PCI ASV market.
IBM and HP have the opposite problem. They have the vulnerability scanning capability from the product acquisitions, but must build out big web application scanning and assessment infrastructures to go with it. Converting desktop products into a SaaS platform, which must be a little like turning MS Outlook/Exchange into Gmail, takes time. Neither Qualys, IBM, nor HP possesses the ability to scale the people and process portion needed to complete an assessment. That’ll mean huge numbers of false positives and limited coverage for customers, at least initially. IBM and HP, at least, will be able to compensate by putting a consultant behind the curtain with a scanner and calling it SaaS. This will have to work long enough for them to nail a process down, just like all the scanner product guys have been doing for the last year or two.
Like I said, WhiteHat Security started early and built the three-piece trifecta: web application vulnerability technology, large scanning infrastructure, and an efficient expert-driven assessment process. What’s new is the mega corps surrounding us on all sides competing for the same dollars, but I really look forward to the challenge, as it’s good for the market. And on the industry outskirts are still other big names like Symantec, McAfee, VeriSign, PWC, etc. who have teams of webappsec VA consultants but lie dormant on the SaaS side. One thing I’ve learned over the years is that superior solutions don’t always ensure market share victory - these competitors could win deals based on name recognition alone. The next 12 to 18 months are going to be a lot of fun and highly interesting.