Tuesday, July 17, 2007

WebAppSec Twilight Zone

1) Cenzic is recasting their Hailstorm ARC product as a central reporting dashboard for competing commercial web application vulnerability scanners (AppScan, WebInspect, Fortify, etc) A webappsec SIM? Organizations who buy copies of multiple scanners do so because during evaluation the reports were wildly inconsistent (the PCI Council noticed this as well). So some organizations buy it all to get “more coverage”. What seems odd is Cenzic is placing less emphasis on the value of their vulnerability identification and repositioning as a central UI previously described by Network Computing as “An Unpretty Face”.

2) Watchfire (now IBM), bastion of scanner products, is now promoting the enterprise value of Software-as-a-Service (Saas) for web application vulnerability assessment!!? Inconceivable! The equivalent would be if Qualys all of a sudden started offering a network scanner product and hyping the ROI of in-house scanning. I guess I should be flattered, since WhiteHat has been pioneering the model since 2003. The webappsec VA market is definitely moving towards services and the battle is going to be won on terms of ease of deployment/use/scale.

3) Google buys everything, even security companies apparently. So why would Google build their own black box fuzzing tool (its called Lemon) to scan their websites for XSS and SQL Injection? I mean, its not like they’re short of cash or anything. Maybe they decided rolling their own would be more effective than buying a commercial product. That would be telling. Or the purchase of Watchfire and SPI Dynamics, putting the stand-alone web application vulnerability scanner market in limbo, Google wants a piece of the action. I’m sure Chris Hoff would make me eat my words again if they did that. ;)

12 comments:

Christofer Hoff said...

Ummm...I...er...

Hey, I did say you were my interview "victim," didn't I. You will be happy to know that you represent the majority opinion on this matter, however misguided that may be... ;)

You know I love you, man. Besides, my aikido skills aren't what they used to be.

/Hoff

Jeremiah Grossman said...

AHAHAH!

Google sneezes and 50million comes out... man... with them I guess anything could happen. Fortunately Im no analyst. :)

Ory Segal said...

Jeremiah,

Watchfire has been offering a managed service since 2002:

http://www.watchfire.com/news/releases/8-22-02.aspx

Jeremiah Grossman said...

Fair enough, but it wasn't until 2005 that Watchfire added "security" to the managed service.

http://www.watchfire.com/news/releases/1-31-05.aspx

Claiming uniqueness in something WhiteHat had already been offering for nearly 2 years.

"WebXM 4.0 is the only enterprise-scale platform capable of identifying and reporting web application security vulnerabilities, one of the fastest-growing problems facing global organizations."

But then again, who could blame marketing for not being informed.

Ory said...

Let me see...

"WhiteHat Sentinel employs a unique approach to website vulnerability management: We probe and test your application the same way a valid user or potential attacker would – by going to the designated host name, possibly logging in, and then mapping out and testing the Web-application functionality that we find."

What can I say, that's a very unique approach to a web application security assessmenent.

:-)

In the 21st. century, you can't avoid marketing.

Jeremiah Grossman said...

Oh I'll fully stand behind Sentinel's uniqueness, but that marketing snippet only describes a 10,000 ft view of the service. To dig into the details one would need to read "How Sentinel Works". There is some cool stuff in there like vulnerability verification, new functionality detection, custom testing, etc.

Think of custom testing like creating up a script for every manual test an expert might try during an assessment. The benefit being they can be performed automatically with each successive scan.

James Wickett said...

Or, it could be that Google had people in house that wanted to build one. They definitely have the brain power in house and maybe IBM scooped them on Watchfire and HP on SPI... It is good to see the big dogs getting into the space.

But, Jeremiah, honestly tell us if google tried to pick up WhiteHat?

Jeremiah Grossman said...

Hey James, yah, that could be. Google might have wanted to give it a shot because of the sheer challenge. I can see that happening from their guys over there, but have no real idea one way or the other. I would highly doubt that IBM or HP might have outbid Google for something it wanted. :)

Normally, I'm pretty open about whats going on here at WhiteHat and how we do things. On the topic of acquisition, I have no choice but the say "no comment". It would be not be in the best interest of our company, shareholders, and the acquirer otherwise.

MustLive said...

Jeremiah, nice post.

But you need to fix title (and maybe url also).

Because your "twlight" zone, not so twilight ;-).

Jeremiah Grossman said...

ahaha, nice catch MustLive. Can't believe I missed that! Title changed, the URL.. don't know how to do that in blogger.

Davi said...

Hey, it's marketing. That stuff is never accurate. They always pretend to be the first at everything. Some kind of weird cultural obsession with first-ness. Apple is a good example of a company that doesn't care about firsts, just better engineering/design.

Perhaps Google built a system rather than bought because they needed something for their answers team to do? Or maybe they just did not want someone who does not stand in their cafeteria line knowing anything about their dirty laundry? They don't have anyone in charge of security so you really can't say it was part of a clear direction.

Jeremiah Grossman said...

But Apple WAS first! ;) j/k

yah, I hear ya. I just get touchy on that particular subject because we took a lot of flack when we first introduced the SaaS model to webappsec VA. Everyone from the VCs, competitors, analysts, experts, consultants, ....heck even customers... said it would NEVER work.

Now everyone is jumping in... which I think is cool actually... and we're proud of the pioneering we we've done. But what I don't like is people (marketers especially) attempting to rewrite the history since we earned it the hard way. However, I think the point you are trying to make is that everyone should be focused on making something GREAT, rather than worrying about first-ness. I whole-heartedly agree.