Comments on Jeremiah Grossman: HP goes SaaS with WebAppSec VA
Blog author: Jeremiah Grossman (http://www.blogger.com/profile/05017778127841311186)
Comment feed last updated 2024-02-08T03:44:23-08:00. Ten comments, newest first.

----

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2009-07-24 13:22 -07:00

@Raf, fairly certain scanner-on-a-stick was accurate at one point... at least perhaps at the time of writing. Got an early description from an HP employee at the time and that is what it sounded like to me.

Your last comment: does that mean your SaaS (heh) offering is pulling from the professional services side? Or does it carry its own services staff? Forgive me, I don't know how the organization is set up to provide service.

----

Rafal Los (https://www.blogger.com/profile/18106347834259269413), 2009-07-24 11:46 -07:00

@anonymous (troll)... oh really? I can name plenty of professional services folks on staff... any time you'd like to talk to someone, let me know; I'd be happy to clear up any misconceptions... as that is my current employer.

Rafal Los
HP ASC :)

----

Rafal Los (https://www.blogger.com/profile/18106347834259269413), 2009-07-24 11:44 -07:00

@Jeremiah, et al...

So you can obviously see there is no such thing as a "non-biased analyst"... obviously, yikes.

I do take exception to the misrepresentation of the HP service though, sir... and you should know better. Without getting into a marketing campaign here, "scanner on a stick, we are not" is easily our motto as well...

This would be fun to discuss in an open forum, as I see that even you have some misconceptions about the SaaS service that comes from HP... any ideas on where we could talk this over? :) AppSec in DC perhaps? (Who sees an "AppSec SaaS RoundTable" in the future?)

Thanks! It's great this is finally getting some press (both for you and everyone else...)

----

Anonymous, 2009-07-24 08:33 -07:00

"HP and IBM's offerings are designed primarily to leave application security primarily in the hands of the customer, complementing their internal software development lifecycle processes with their consulting and professional services expertise to help customers deploy and get the most out of their investment."

That's actually funny. If you call HP you will find that they have zero to one person remaining in their actual web application services team. Everyone is gone. Good luck.

----

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2008-06-05 06:31 -07:00

@Jim, thank you. :) Now that we'll start to get the technology in place, my next phase is measuring the impact. Customers will end up telling me what they need improved, and it's interesting because it's never quite what you'd expect.

----

Jim Manico (https://www.blogger.com/profile/12382834501997208557), 2008-06-04 22:23 -07:00

A wise man once said, "As much as anything else, I view my job as helping customers make their websites as hard to break into as possible. If that requires scanning technology, great... security experts, fine... WAFs, ok then. I just think it's time to be pragmatic about what we can expect from each technology/process and measure them accordingly."

I appreciate your honest perspective on this topic, J.

----

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2008-06-03 19:22 -07:00

I've never hidden the facts about the limitations/benefits of scanners as well as humans. Visibly, I've used my blog as a vehicle to get the message out to all those who would or should care.

On the sales/customer communication side, that's easy: we have a chart.

Links in this comment, in order of appearance:
- "hid": http://jeremiahgrossman.blogspot.com/2007/01/automated-scanner-vs-owasp-top-ten.html
- "facts": http://jeremiahgrossman.blogspot.com/2006/07/5-challenges-of-web-application.html
- "limitations/benefits": http://jeremiahgrossman.blogspot.com/2007/02/automated-scanners-vs-low-hanging-fruit.html
- "scanners": http://jeremiahgrossman.blogspot.com/2007/09/business-logic-flaws-freshly-minted.html
- "humans": http://jeremiahgrossman.blogspot.com/2008/01/technology-helps-but-people-matter-most.html
- "Visibly": http://jeremiahgrossman.blogspot.com/2006/11/we-don-know-what-we-dont-know.html
- "my blog": http://jeremiahgrossman.blogspot.com/2007/11/duplicates-duplicates-and-duplicate.html
- "vehicle": http://jeremiahgrossman.blogspot.com/2007/07/are-web-application-scanners-ing.html
- "message out": http://jeremiahgrossman.blogspot.com/2007/05/web-application-scan-o-meter.html
- "who would or should care": http://jeremiahgrossman.blogspot.com/2006/11/what-scanners-can-and-cant-find-who.html
- "we have a chart": http://bp3.blogger.com/_JdybrokZBAk/SEX8P65By2I/AAAAAAAAA1s/9vHASlmAYiU/s320/scanner_vs_human.jpg

----

Jim Manico (https://www.blogger.com/profile/12382834501997208557), 2008-06-03 12:00 -07:00

Let's not forget that the scanning products are not capable of uncovering access control problems, which are often quite critical.

Scanning tools are only one (small) piece of the puzzle, but will the likes of IBM tell you that? No way! IBM claims close to 90% coverage! Scary (vendor) world!

Jeremiah, I've heard you are more honest about this topic. How do you communicate to your customers regarding what classes of vulnerabilities scanning is good for and what it's not good for?

----

ae (https://www.blogger.com/profile/14222516847099872949), 2008-05-30 11:43 -07:00

By Chenxi's statements it sounds like WhiteHat could scale. By her reasoning the Sentinel Service bottleneck is humans. It sounds like if WhiteHat fires all their humans and partners with a bunch of overpriced consultants who know very little about webappsec, they'll be able to scale exponentially.

Makes sense to me.

@Adam: Qualys has been saying this via their roadmap for what... a year now? No doubt they will, but the question is whether Qualys, Scam Alert, and nCircle can *lower the bar* for webappsec or not.

----

Anonymous, 2008-05-29 17:39 -07:00

Qualys is launching a web app scan soon.