GamaSec SaaS Web vulnerabilities scan services for all websites security

Software as a Service is the only solution for Web site vulnerability management, because of its scalability and ease of implementation, among other reasons.
By: Tom Rand
Aug. 13, 2009 - PRLog -- Securing Web applications is the No. 1 problem facing security professionals today. With 162 million Web sites in existence and millions more popping up each month, the sheer size of the problem is staggering -- not to mention the fact that nine out of 10 Web sites have serious vulnerabilities that can put critical customer data at risk. In fact, a new malware-infected Web site is discovered every 14 seconds. So, why aren't more companies solving this problem?

Securing Web applications is a complex process that is extremely difficult to manage. Large corporations typically have hundreds -- and sometimes even thousands -- of publicly facing Web sites to secure. New Web sites are constantly being created, and existing sites are being changed all the time -- with very little security oversight built into the process. The other challenge is the changing Web site security environment in terms of attacks. New Web hacking techniques are being discovered all the time -- at least one new sophisticated attack vector is published every week.

A common approach to this problem is to purchase a Web application scanning tool and perform the work in-house, mainly due to the mistaken belief that scanning Web sites is similar to scanning networks for vulnerabilities. Corporate security teams assume the process is straightforward, fully automated, and will point out the vulnerabilities and where changes need to be made. They also believe that scanners will allow them to retain control over the vulnerability management process. This is simply not the case.

No Scanning Tools Needed

Web application vulnerability scanners are sophisticated tools that require substantial ongoing customization and tuning, expertise to operate, and time spent analyzing results to reduce false positives and duplicates. It's for these reasons and more that scanning tools have proven to be an ineffective solution for the enterprise. So what is the answer? Software as a Service (SaaS) solutions are designed from the ground up to scale massively, support the largest enterprises and offer the most compelling business efficiencies.

Think of it this way: With a scanner, a single qualified person might be able to set up, scan and analyze three to five Web sites per month. That's roughly 36 to 60 per year. Remember that's only one scan per year per Web site -- it is not adequate if the Web sites happen to change more than once a year. For organizations with dozens, hundreds or even thousands of Web sites, using scanners in-house requires a major investment in hiring, training and infrastructure building -- not to mention software licensing costs. The control that security professionals seek is not delivered with scanners like it is with SaaS.

Further, you must be able to find, hire and retain those qualified people, which is very difficult in the Web application security arena. The vast majority of security professionals have backgrounds that are deeply rooted in network security, but they have very little experience with application security. Once found, experienced Web application security professionals can command top dollar, making the "investment" in application security much more costly.

Making Measurable Improvements

SaaS is not only one of the most compelling solutions for Web site vulnerability management -- it is the only solution, for a number of reasons:

•   Scalability. A SaaS-based solution is the only solution that can scale to meet the needs of a large enterprise. A SaaS platform, by definition, is built to handle huge volume. In this case, a SaaS-based Web site vulnerability management platform can assess tens of thousands of sites simultaneously, while a scanning tool can typically scan only one site at a time.

•   Rapid technology improvement. A SaaS solution is specifically designed to excel in a rapidly-changing environment. Not only can the customer assess its Web sites every time they change, but SaaS also enables rapid software updates as a key part of the delivery model. This means that SaaS code is typically updated every few weeks, as opposed to the normal commercial software development cycle of three to six months. For example, when a new attack vector is identified, a new check can be integrated into the code very rapidly, and within two to three weeks can be deployed in production to the benefit of the entire customer base. That is something only a SaaS solution can offer.

•   No additional staff or infrastructure. With a SaaS-based solution, a company does not have to bear the burden of an upfront investment in hardware, software and personnel. Not only is that costly, but, as mentioned above, it is very difficult to accomplish in today's competitive security hiring environment. And all the costs involved in building a scalable infrastructure and technology are borne by the SaaS provider.

•   Ease of implementation and management. A SaaS-based solution is easier to manage than scanning tools. The entire process can be driven via a secure Web-based customer interface, from the scheduling of scans, to the accessing of data, to the remediation of vulnerabilities. Plus, the data is accessible to all relevant constituencies from a centralized portal -- 24x7, securely, from anywhere in the world.

Secure Your Business’s Website to Make Conversions

When you consider the following findings from recent studies of the past few years, the importance of website security should be glaringly obvious:

•   84% of polled Internet shoppers don’t think that online retailers are putting enough effort into protecting customers (Forrester Research, Inc).

•   75% of customers left sites because they didn’t feel safe (Internet Retailer).

•   90% would have completed sales if they saw security logos on the website (Internet Retailer).

•   70% of online shoppers will not purchase from websites without viewing security seals or logos.

But it’s not just a matter of simply protecting the data that your online business collects. It’s also about making your customers feel like they’re having a safe shopping experience and convincing them that you’re doing all that you can to protect them.

For small and medium ecommerce businesses with less brand awareness, the level of consumer security concern is naturally higher. The conversion improvement achieved among ecommerce websites shows average gains of between 5 percent and 10 percent, according to an article by Internet Retailer (March 2006 issue).

So now that we know that the extra security might as well stand for increased confidence and sales, what are you currently doing to ensure that your customers are getting the right security signals from you?
Try our free trial at:

# # #

GamaSec identifies application vulnerabilities (e.g., Cross Site Scripting (XSS), SQL injection, Code Inclusion, etc.) as well as site exposure risk, ranks threat priority, produces highly graphical reports, and indicates site security posture and exposure.
Source: Tom Rand
Tags: Website Security, Gamasec, Web Scanner, Website Scan, Online Web Security, Web Vulnerability Scan, Website Protection