Watchfire Corp., a provider of Web vulnerability assessment software and services, has introduced AppScan OnDemand, a service to detect and manage Web application vulnerabilities.
The promise of software as a service (SaaS) is a lower total cost of ownership and the ability to scale quickly for organizations that have limited resources or expertise to implement new or challenging technology. That is why Watchfire's David Grant, director of product management for the Waltham, Mass.-based company, says security on demand is a good fit for Web application security.
"Software as a service is in a growing period of adoption. Where we are in Web application security, a lot of organizations don't have the expertise in house or can't scale it. You can't hire people quick enough," he said.
In addition, he said, "Software as a service is a more regimented budgeted item; it's a known entity you can budget for every month." He added that "people like the idea because it puts the onus on the vendor to prove a worthy ROI."
Offering Web application security as a service "makes a lot of sense," said Neil MacDonald, vice president and distinguished analyst at Gartner Inc. in Stamford, Conn. "For companies that don't have the resources to buy or implement the tools themselves, it helps overcome the lack of skills they may have, or the lack of money or time. If they've got thousands of Web applications deployed and none have been tested, that's a huge bump to overcome."
The AppScan OnDemand service includes hosting and management of the software, technical administration, training and customizations, and testing analysis and issue prioritization.
Organizations can choose from three different service offerings. With the managed service option, Watchfire hosts the software, runs the tests and manages the data. With the self-service option, Watchfire hosts the software and the customer manages the testing and reporting. And with the in-house offering, the software is deployed at the customer's location and Watchfire remotely manages the application.
"You may be wary of putting vulnerable data outside the organization, but you may want help to manage the infrastructure of the system. We're trying to cover all aspects of the service model," Grant said.
AppScan OnDemand is Watchfire's second foray into the SaaS area. It has offered a SaaS version of its WebXMT platform of products for assessing Web privacy, compliance and quality controls since 2002. The company has more than 50 clients using that service today, Grant said.
Other vendors addressing Web application security have also ventured into the SaaS area, MacDonald said, such as Cenzic and WhiteHat Security. He said he expects other Web application security vendors to roll out service offerings as well.
"I believe they'll have to; it's what the market demands," he said. "Not everybody has the capability to fix their own plumbing. You can bring in a managed service or keep tools around to fix the plumbing. But if you've inherited a leaky old substandard house, even if you had the tools, could you fix it up? If you have all of these applications that are vulnerable, which need to be tested, it's hard to go one by one when you've got 2,000 to test."
Service good for security auditors, QA
The initial users of AppScan OnDemand will most likely be security auditors, Grant said, "but QA are the next logical people to interact with the reports." However, he said use of the service isn't likely to be pushed further back into the application development life cycle, at least not for a while. "Developers should be catching problems earlier in the life cycle, but developers probably won't want a managed service in their environment," he said. Developers can still make use of the reports and fix recommendations, he said.
Marketing a managed Web application security service does get "harder if you try to do it further back in the application development life cycle," MacDonald said. "You have to allow the managed service provider access to your developer network, which brings in a higher level of security concern. Organizations are more wary about early stage development access to their applications. But for applications that are already written, having a managed service in addition to tools is something vendors in this category should do."
MacDonald said he views this type of service as an extension of security audit, but that Web applications will need to be scanned more frequently than typical audits. "Web applications change a lot," he said. "People are always tweaking the UI or the back-end code, and the hacker's techniques also change, so you have to frequently retest. This truly does lend itself to a services offering."
Pricing for AppScan OnDemand starts at $4,500 per month for the self-service option and $7,500 per month for the managed service offering. The in-house option, in which Watchfire remotely manages the application, runs about the same price as an enterprise version plus remote management charges, Grant said.