Wednesday, August 19, 2009

Web Security is about Scalability

If today’s Web security challenges are to be overcome, then scalability is what we need. Scalability of people, scalability of process, and scalability of technology. The holy trinity of all IT solutions. Without the ability to scale globally, and Web security is a global issue, our problems will remain too costly to solve. Consider that there are 240+ million websites, millions more added every month, an unknown number of Intranet Web applications, 17+ million developers, and over one billion people on the Web. Any solution capable of making a real difference must be valued by its potential worldwide impact. Of course smaller niche solutions are still of value, we just can’t automatically expect them to work well for anyone or everyone else. Whether we are talking about source code review, developer education, compliance, etc. it is all about scale.

In the past I’ve “guesstimated” the billions of dollars, tens of thousands of experts, and time requirements for the aforementioned initiatives. Most of all though I’ve spent nearly a decade specifically focused on the scalability of website vulnerability assessment since founding WhiteHat Security. In the beginning, assessments were conducted by consultants performing largely manual one-time engagements. Productivity of a single expert was severely limited, completing no more than 20 - 50 sites per year. Nothing about this model scaled. Not the people, technology, or process. Rates of $20,000 to $50,000 per website assessment were typical. Obviously IT budgets could not justify covering a large website footprint, so selecting only a few of the most important (if that) was typical. The need for added scalability encouraged development of new technology, particularly dynamic scanners and other assistive tools like crawlers and proxies.

Organizations with dynamic scanners could assess larger volumes of websites, even with only minimal comprehensiveness, and more often than not with less experienced and expensive personnel. Value was received by some, but the best case for many was haphazard scans, incomprehensible reports, and no risk management strategy. This technology alone was not enough because it did not scale the people, where the real costs were hidden, nor the assessment process. Those with experience in attempting to manage the scans/assessments of as little as 10-20 websites (never mind hundreds or thousands) using these products know what I’m talking about. Additionally software licensing and hardware costs are significant. As before, the need for scalability opened up opportunities, namely for Software-as-a-Service (SaaS). As has been demonstrated in other markets, SaaS is better suited to scale technology than licensed software, which in turn enables the scalability of people and process necessary.

First introduced by WhiteHat Security (via Sentinel) and later followed by others, website vulnerability assessment delivered as a service provides a scalable, cost-effective, efficient alternative to point-in-time consulting engagements or legacy enterprise software. SaaS achieves better infrastructure scalability at a lower cost through multi-tenancy (i.e. customer applications run on the same unit of hardware and/or software). Also thanks to multi-tenancy, IT costs are reduced because the purchase, and maintenance of servers; physical security; and installation and maintenance of software is eliminated. Plus, subscription pricing is easier on budget than large upfront outlays. And, SaaS is less risky because you can change your subscription without losing the initial investment. Remember the shelfware problem? Last but not least, SaaS deployment is much faster as is access to innovation in the identification and remediation of vulnerabilities that is unavailable in traditional software release cycles.

Clearly vulnerability assessment is not the only area within the application security space witnessing scalable technology innovation. ThreadStrong (via Denim Group), high-end eLearning platform for secure coding, has the promise of being able to scale to meet the education needs of the masses. OWASP ESAPI (via Jeff Williams @ Aspect Security), makes it easier for developers the world over to guard design and implementation flaws. APIs like this are absolutely essential because let’s face it, without them everyone is going to roll their own, probably get it wrong, if they try at all. Source code reviews are now being offered SaaS style (via Fortify OnDemand), whose model has all the aforementioned benefits. WAF-in-the-Cloud as described by Alex Meisel (Art of Defence) to easy or make deployment possible.

As I’ve said before this is an exciting time to be in application security. Those who bring new ideas to the table that work, will be rewarded. The rest, part of what is already a storied history.

1 comment:

Alex said...

Jeremiah, thanks for sharing your thoughts on this issue. I found this post to be very interesting and I added some thoughts on my blog.

Flip the coin to protecting the applications once they’re live and in action, and your scalability point becomes painfully apparent. Web application firewall’s (WAF) are the industry standard for this purpose, however they are predominantly hardware. Hardware doesn’t scale – you have to buy another box. More boxes, more resource drain, less virtualized resources and on and on.