Securing Web applications is the No. 1 problem facing security professionals today. With 162 million Web sites in existence and millions more popping up each month, the sheer size of the problem is staggering — not to mention the fact that nine out of 10 Web sites have serious vulnerabilities that can put critical customer data at risk. In fact, a new malware-infected Web site is discovered every 14 seconds. So, why aren’t more companies solving this problem?
Securing Web applications is a complex process that is extremely difficult to manage. Large corporations typically have hundreds — and sometimes even thousands — of publicly facing Web sites to secure. New Web sites are constantly being created, and existing sites are changed all the time — with very little security oversight built into the process. The other challenge is the changing Web site security environment in terms of attacks. New Web hacking techniques are being discovered all the time — at least one new sophisticated attack vector is published every week.
A common approach to this problem is to purchase a Web application scanning tool and perform the work in-house, mainly due to the mistaken belief that scanning Web sites is similar to scanning networks for vulnerabilities. Corporate security teams assume the process is straightforward, fully automated, and will point out the vulnerabilities and where changes need to be made. They also believe that scanners will allow them to retain control over the vulnerability management process. This is simply not the case.
No Scanning Tools Needed
Web application vulnerability scanners are sophisticated tools that require substantial ongoing customization and tuning, expertise to operate, and time spent analyzing results to reduce false positives and duplicates. It’s for these reasons and more that scanning tools have proven to be an ineffective solution for the enterprise. So what is the answer? Software as a Service (SaaS) solutions are designed from the ground up to scale massively, support the largest enterprises and offer the most compelling business efficiencies.
Think of it this way: With a scanner, a single qualified person might be able to set up, scan and analyze three to five Web sites per month. That’s roughly 36 to 60 per year. Remember that’s only one scan per year per Web site — it is not adequate if the Web sites happen to change more than once a year. For organizations with dozens, hundreds or even thousands of Web sites, using scanners in-house requires a major investment in hiring, training and infrastructure building — not to mention software licensing costs. Scanners do not deliver the control that security professionals seek the way SaaS does.
Further, you must be able to find, hire and retain those qualified people, which is very difficult in the Web application security arena. The vast majority of security professionals have backgrounds deeply rooted in network security but very little experience with application security. Once found, experienced Web application security professionals can command top dollar, making the “investment” in application security much more costly.
Making Measurable Improvements
SaaS is not only one of the most compelling solutions for Web site vulnerability management — it is the only solution, for a number of reasons:
- Scalability. A SaaS-based solution is the only solution that can scale to meet the needs of a large enterprise. A SaaS platform, by definition, is built to handle huge volume. In this case, a SaaS-based Web site vulnerability management platform can assess tens of thousands of sites simultaneously, while a scanning tool can typically scan only one site at a time.
- Rapid technology improvement. A SaaS solution is specifically designed to excel in a rapidly changing environment. Not only can the customer assess its Web sites every time they change, but SaaS also enables rapid software updates as a key part of the delivery model. This means that SaaS code is typically updated every few weeks, as opposed to the normal commercial software development cycle of three to six months. For example, when a new attack vector is identified, a new check can be integrated into the code very rapidly, and within two to three weeks can be deployed in production to the benefit of the entire customer base. That is something only a SaaS solution can offer.
- No additional staff or infrastructure. With a SaaS-based solution, a company does not have to bear the burden of an upfront investment in hardware, software and personnel. Not only is that costly, but, as mentioned above, it is very difficult to accomplish in today’s competitive security hiring environment. And all the costs involved in building a scalable infrastructure and technology are borne by the SaaS provider.
- Ease of implementation and management. A SaaS-based solution is easier to manage than scanning tools. The entire process can be driven via a secure Web-based customer interface, from the scheduling of scans, to the accessing of data, to the remediation of vulnerabilities. Plus, the data is accessible to all relevant constituencies from a centralized portal — 24×7, securely, from anywhere in the world.
The enterprise demands security solutions that are simple, efficient, effective and scalable. In the world of Web site vulnerability management, these benefits are only possible with a SaaS solution.
Companies need to have the ability to assess all of their Web sites on an ongoing basis — they can then free up their in-house resources to focus on fixing vulnerabilities, not just finding them. This is essential if they plan to make real, measurable improvements to their security posture, which is the goal that all companies should be focused on achieving.
Stephanie Fohn is the chief executive officer of WhiteHat Security, a provider of Web site security services. Most recently, she was president and COO of SecurityFocus, which Symantec acquired in 2002.