Grab a cup of coffee, make some room on your calendar and read on.
...
This whole thing started earlier when, while reading through the mass of posts on every mailing list I belong to, I came across a question about SaaS services on the WebAppSec "Web Security" mailing list. This got me thinking, and after someone responded I decided to chime in myself. Given that there was little discussion about the topic until another vendor stepped in to answer the question from their marketing angle, I thought it would be appropriate to pitch HP's SaaS solution as well... and that's when things got interesting. Immediately I got some responses from folks eager to understand what the differences were between SaaS and the newly labeled "Cloud Security" services (shoot me now, please?) and how that all differed from traditional service-oriented offerings. Folks also commented off-list about some of the challenges they think this poses... so I thought it only prudent to address much of that and throw in a few remarks for clarity to round this all out.
The Backdrop
Let me start this conversation off by saying that we'll be focusing on web application security testing/scanning... if that wasn't obvious. Now then, let me state that SaaS isn't really anything that hasn't been offered before under a different name. Software as a Service used to be known as the ASP model (Application Service Provider), or just plain "services" before that. SaaS means that the customer gets a piece of software delivered, typically over the web, in a manner that does not require them to build out everything internally (but more on that in a minute), and in the process saves resources, time and money. Software as a Service (SaaS for short) is heavily misunderstood: many vendors call it different things, and worse yet they throw many of their offerings into the SaaS bucket without giving much thought to whether the label is appropriate. The SaaS offering from many vendors is a response to the recent economic downturn, and rightfully so, as many companies simply can't afford the internal resources associated with web application security. What customers simply aren't getting is the bigger picture: there is much more to SaaS than cost savings. The ability to spend from the operating budget rather than the capital budget is a big distinction in places I've worked before, and in many other large enterprises. Allowing an enterprise to increase security and decrease risk by purchasing a service-based offering while drawing from the operating budget is a blessing many enterprise CISOs have been waiting for.
The SaaS Facts
- The financial angle: As I hinted at above, the SaaS model has become very popular in the last 18 months or so due to the rising need to cut costs while trying not to cut [security] corners. Security managers are being asked to save the company dollars and reduce their budgets while the risks from doing business over the web continue to mount. Risks don't go away just because budgets shrink, so companies large and small are looking for ways to pinch pennies and quite literally do more with less. The financial angle on SaaS makes a world of sense when you consider that most enterprises count SaaS as part of a run budget, or operational expense. The distinction between operational and capital expenditures is a sticky one. Capital expenses mean that there is some good being delivered by a vendor; that good depreciates over time, and there are soft costs associated with capital expenditures that savvy CFOs add in to calculate the true cost of acquiring a product. Capital budgets, it's no secret, are drying up all over the place. This leaves CISOs hungry for answers and for ways to mitigate their security risks (or at least identify them!) without having to spend from their capital budgets. The true beauty of SaaS shows up when you start to address the product as a service. What if... you could get everything you want and not have to pay for the product, but rather simply have it delivered as a service over the web? This question often raises many CISOs' eyebrows... What if...
Being able to purchase a web application security scanning tool without having to pay for it all at once (and without having to finance it) begins to make sense quickly when you realize that this is an operational expense. Much like keeping the servers powered and cool, or the Windows boxes up to date and patched, a SaaS expenditure buys an ongoing service that sidesteps the capital purchase and still delivers you the product. Saving money is top of mind all over, and if you're crunched on budgets and still want to talk web security, SaaS may be the saving grace you've been waiting for.
- The resource angle: Think this through: how many qualified web application security resources does your company have? If you've answered anything above 1, you're already in the minority. Given that most large enterprises have north of 1,500 web applications and fewer than 3 qualified web application security specialists, that's a nasty 500:1 ratio. How, then, does the job get done? Your answer should be either automation or outsourcing. The next question is whether you can afford to outsource all the work to an equally qualified web application security vendor. The answer is likely no... but then that usually doesn't matter, because you pick the applications that are most critical, get those reviewed and move on thinking you're safe. Wrong. Remember that in all likelihood you're going to be in a mixed and shared hosting environment. Having just one of your lower-class applications owned by some "evil hacker" means that the rest of the dominoes are likely to fall as well. This brings us back to the question: how do we get over the 500:1 ratio? The answer is a combination of automation, outsourcing and services... known affectionately, here at HP, as SaaS. The ability to supplement an enterprise's internal staff and provide on-the-fly scaled services is something that most CISOs drool over, and if you can bundle that up with a world-class web application security scanning tool (we can say that, we have the awards to prove it) delivered over the web and accessible anytime, anywhere... then you have a true winner. Being able to augment the work your over-extended security team has on their plates is something all SaaS vendors strive for, but few do well. In addition to your human resources, think of the investment in computer resources that has to be made to bring an enterprise-grade web application security scanning solution in-house. Do you have $50,000 - $200,000 to spend on the infrastructure behind the web application security scanning solution you choose?
If you're like most enterprises... the answer is a firm "heck no". So what SaaS offers here is the complete outsourcing of the infrastructure needed to handle such a huge deployment, including servers, operating systems, storage and all. One complete bundle... pretty cool, huh?
- The unreal flexibility: Would you like to have 1 monitored application? How about several? Whether you are looking for a single quarterly scan of your entire public web presence or a daily scan of everything you own, an on-demand project-based service which grows and shrinks as demand does, or simply a fully-managed daily-use platform for your internal teams... it's all there in a complete SaaS offering. Flexibility is one of the keys that makes a good SaaS offering something your company can live with, and grow with. Forget being stuck with the all-or-nothing approach... demand that you get this kind of flexibility from your vendor, and if they can't deliver, switch. Make sure you've got uptime guarantees, data storage redundancy, and 24x7 live human support... otherwise you're not getting your money's worth!
The Dangers
There are, of course, dangers to moving to this SaaS model. Nothing is free of any downside so make sure you understand the risks!
- non-local data storage - make sure your company policy allows for the non-local storage of critical company information; in this case the scan results are a direct map to your most vulnerable assets, so ask how they are stored, who can read them and how they are destroyed at the end of the contract
- vendor dependence - it's no secret that once you become dependent on the vendor you chose, it's very difficult to migrate off that vendor while keeping your data and processes intact; make sure you can export your findings and scan history in a usable form before you sign
- 3rd party access - since there will now be a 3rd party 'testing your web systems for vulnerabilities', from their network and with whatever credentials the scans require, make sure that your company policy allows for this, that the testing is authorized in writing, and that the contract has provisions for confidentiality and for what happens if findings are disclosed; your vendor of choice will have access to your most intimate secrets (where you're most vulnerable)
The Benefits
Let's face it, the benefits for a program like this are numerous so I'll attempt to name some of the major ones here...
- cost savings - perhaps paramount to any good security program is the fact that SaaS has a high probability of saving you hard dollars
- efficiencies - a SaaS solution from your vendor of choice, unlike your employees, does not sleep or require days off... it simply works, and works to make sure that your company's web-based assets have defects identified and teed up for remediation
- scalability - while your company can only scale so much internally with human and technology resources, your SaaS vendor does not operate under these same restrictions; this creates an extremely scalable solution
- knowledge - a well-orchestrated SaaS solution will provide not only the industry's finest technology but some of the best people out there as well, giving you access to knowledge, training and security intelligence you simply could not afford to staff up internally
- ROI - most security professionals don't talk ROI [Return on Investment], which is rather unfortunate, as one of the nicest things about a SaaS offering [particularly from HP's Application Security Center] is that the ROI doesn't need to wait for servers to be built, software to be installed or people to be trained... you start getting real value out of your purchase almost immediately, and that translates into a healthy return on investment calculation
- value - everything considered... the amount you pay for a SaaS solution is generally a fraction of the cost of deploying the same solution internally... more for less translates to business value, pure and simple!
If you've finished this and are now wondering how you can get some more information on just how you can save money and get more web security... feel free to contact me directly via the contact link in this blog... I'm happy to talk about our solution, or anything else floating around out there...
Posted 07-22-2009 12:53 AM by RafalLos