Web application security vulnerability assessment delivered via Software-as-a-Service has really caught on. HP just announced a SaaS play with their Assessment Management Platform (AMP), acquired through SPI Dynamics, apparently web-hosted and fitted with a shiny new web-based GUI. They’ve probably had to do a lot of backend work ensuring the platform can handle the scan load of assessing thousands of extremely large sites at once like we have. This solution goes head to head against IBM AppScan Enterprise Edition OnDemand, acquired through Watchfire, and our WhiteHat Sentinel Service offering. Qualys will likely jump into the sandbox soon enough.
So all of this is very exciting stuff. Big players are jumping in which generates interest, shows a prosperous, emerging industry, and validates the market and business model. Competition is a good thing, especially for the customer. It can’t all be roses right? Well I found a TechTarget editorial by Neil Roiter, which pretty much just sticks to the facts, but included some very odd “expert” quotes mostly by Chenxi Wang of Forrester.
WARNING: VENDOR BIAS ALERT!
“The other significant application scanning SaaS player, WhiteHat Security, offers a very different model.”
Sure if by different you mean easier to deploy, more comprehensive, accurate, and scalable. Scanner-on-a-stick we are not.
“HP and IBM's offerings are designed primarily to leave application security primarily in the hands of the customer, complementing their internal software development lifecycle processes with their consulting and professional services expertise to help customers deploy and get the most out of their investment.”
Oh, I get it. They host the scanning servers for you! Customers still have to do all the VA work and then have to pay more for consultants to teach them how to use the vulnerability data. OK, so they are a very different model. Excuse me.
“WhiteHat is a pureplay scanning service, conducting daily automated scans supported by human review.”
Oversimplified, but OK.
"HP and IBM will be working with companies that already have solid internal expertise on solving application security issues and outsource some scanning tasks," said Chenxi Wang, principal analyst at Cambridge, Mass.-based Forrester Research Inc.
So only customers that know what they are doing, have headcount at the ready, with everything under control will be able to take advantage of the solution. Ooooh Kaaaay.
“Wang said the HP and IBM models could scale better than WhiteHat's, whose human review element improves accuracy and reduces false positives, but, she said it is not as well-suited to deal with thousands of applications daily. IBM and, to a lesser extent, HP, have the huge consulting resources to meet that kind of demand.”
Did anyone else notice that this doesn’t make any sense? I think Chenxi said they are able to scale better than WhiteHat because we have humans validate the results, while they have A LOT of consultants that can come onsite. Er!? Perhaps the hundreds of assessments that we’re already performing every week without sending anyone onsite don’t count.
Gotta love infosec marketing. :)