Thursday, May 29, 2008

HP goes SaaS with WebAppSec VA

Web application security vulnerability assessment delivered via Software-as-a-Service has really caught on. HP just announced a SaaS play with their Assessment Management Platform (AMP), acquired through SPI Dynamics, apparently web-hosted and fitted with a shiny new web-based GUI. They’ve probably had to do a lot of backend work ensuring the platform can handle the scan load of assessing thousands of extremely large sites at once like we have. This solution goes head to head against IBM AppScan Enterprise Edition OnDemand, acquired through Watchfire, and our WhiteHat Sentinel Service offering. Qualys will likely jump into the sandbox soon enough.

So all of this is very exciting stuff. Big players are jumping in, which generates interest, shows a prosperous, emerging industry, and validates the market and business model. Competition is a good thing, especially for the customer. It can’t all be roses, right? Well, I found a TechTarget editorial by Neil Roiter which pretty much just sticks to the facts, but it included some very odd “expert” quotes, mostly by Chenxi Wang of Forrester.

“The other significant application scanning SaaS player, WhiteHat Security, offers a very different model.”

Sure if by different you mean easier to deploy, more comprehensive, accurate, and scalable. Scanner-on-a-stick we are not.

“HP and IBM's offerings are designed primarily to leave application security primarily in the hands of the customer, complementing their internal software development lifecycle processes with their consulting and professional services expertise to help customers deploy and get the most out of their investment.”

Oh, I get it. They host the scanning servers for you! Customers still have to do all the VA work and then have to pay more for consultants to teach them how to use the vulnerability data. OK, so they are a very different model. Excuse me.

“WhiteHat is a pureplay scanning service, conducting daily automated scans supported by human review.”

Oversimplified, but OK.

"HP and IBM will be working with companies that already have solid internal expertise on solving application security issues and outsource some scanning tasks," said Chenxi Wang, principal analyst at Cambridge, Mass.-based Forrester Research Inc.

So only customers that know what they are doing, have headcount at the ready, with everything under control will be able to take advantage of the solution. Ooooh Kaaaay.

“Wang said the HP and IBM models could scale better than WhiteHat's, whose human review element improves accuracy and reduces false positives, but, she said it is not as well-suited to deal with thousands of applications daily. IBM and, to a lesser extent, HP, have the huge consulting resources to meet that kind of demand.”

Did anyone else notice that this doesn’t make any sense? I think Chenxi said they are able to scale better than WhiteHat because we have humans validate the results, while they have A LOT of consultants that can come onsite. Er!? Perhaps the hundreds of assessments that we’re already performing every week without sending anyone onsite don’t count.

Gotta love infosec marketing. :)
Anonymous said...

Qualys is launching a web app scan soon.

ae said...

By Chenxi's statements it sounds like WhiteHat could scale. By her reasoning the Sentinel Service bottleneck is humans. It sounds like if WhiteHat fires all their humans, and partners with a bunch of overpriced consultants who know very little about webappsec, they'll be able to scale exponentially.

Makes sense to me.

@Adam: Qualys has been saying this via their roadmap for what...a year now? No doubt they will, but the question is if Qualys, Scam Alert, and Ncircle can *lower the bar* for webappsec or not.

Jim Manico said...

Let's not forget that the scanning products are not capable of uncovering access control problems - which are often quite critical.

Scanning tools are only one (small) piece of the puzzle, but will the likes of IBM tell you that? No way! IBM claims close to 90% coverage! Scary (vendor) world!

Jeremiah, I've heard you are more honest about this topic - how do you communicate to your customers regarding what classes of vulnerabilities scanning is good for and what it's not good for?

Jeremiah Grossman said...

I've never hidden the facts about the limitations/benefits of scanners as well as humans. Visibly I've used my blog as a vehicle to get the message out to all those who would or should care.

On the sales customer communication side, that's easy, we have a chart.

Jim Manico said...

A wise man once said, "As much as anything else, I view my job as helping customers make their websites as hard to break into as possible. If that requires scanning technology great... security experts, fine...WAFs, ok then. I just think its time to be pragmatic about what we can expect from each technology/process and measure them accordingly."

I appreciate your honest perspective on this topic, J.

Jeremiah Grossman said...

@Jim, thank you. :) Now that we'll start to get the technology in place, my next phase is measuring the impact. Customers will end up telling me what they need improved, and it's interesting 'cause it's never quite what you'd expect.

Anonymous said...

“HP and IBM's offerings are designed primarily to leave application security primarily in the hands of the customer, complementing their internal software development lifecycle processes with their consulting and professional services expertise to help customers deploy and get the most out of their investment.”

That's actually funny. If you call HP you will find that they have zero to one person remaining in their actual web application services team. Everyone is gone. Good luck.

Rafal Los said...

@Jeremiah, et al...

So you can obviously see there is no such thing as a "non-biased analyst"... obviously, yikes.

I do take exception to the misrepresentation of the HP service though, sir... and you should know better. Without getting into a marketing campaign here, "scanner on a stick, we are not" - is easily our motto as well...

This would be fun to discuss in an open forum as I see that even you have some misconceptions about the SaaS service that comes from HP... any ideas on where we could talk this over? :) AppSec in DC perhaps? (who sees "AppSec SaaS RoundTable" in the future?)

Thanks! It's great this is finally getting some press (both for you and everyone else...)

Rafal Los said...

@anonymous (troll)... oh really? I can name plenty of prof. services folks on staff... any time you'd like to talk to someone, let me know, be happy to clear up any misconceptions... as that is my current employer.

Rafal Los

Jeremiah Grossman said...

@Raf, fairly certain scanner-on-stick was accurate at one point... at least perhaps at the time of writing. Got an early description from an HP employee at the time and that is what it sounded like to me.

Your last comment: Does that mean your SaaS (heh) offering is pulling from the professional services side? Or does it carry its own services staff? Forgive me, I don't know how the organization is set up to provide service.