Re: [WEB SECURITY] Are there any disadvantage of Application Security SaaS offering?

[Christoph Gruber <list@xxxxxxx>]

Supata wrote:
> Just wanting to know your suggestions on what possible disadvantages  
> SaaS for app security has. From my side, one suggestion may be  
> sharing "application code/application details" to a third party may  
> pose a risk.
>
> Regards, Sutapa

Hi!

My personal experience to we application security filters:

The default filters are not satisfying, filtering only about 40% of  
the attacks to known vulnerabilities (tested myself).
Two main drivers for the costs are: Building filters for automatic  
attacks in the wild and adapting the filters to the application.
At the first point you can gain synergies, the second has to be done  
according to the development of the web-app. on your own.

Therfor SaaS makes not very much sense unless you are able to apply  
your own filters there.

The risks for SaaS are:

Giving the data for your web-traffic away, threating your visitors  
privacy.
Additionally when you use https, you have to giv away your secret keys.

Cheers!

--

Christoph Gruber
"If privacy is outlawed, only outlaws will have privacy." Phil  
Zimmermann


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA