Manage Learn to apply best practices and optimize your operations.

Cost-effective Web application security testing options take SaaS form

SaaS options for Web application security testing can help CIOs make a business case for vulnerability testing while not breaking the bank as hackers test website limits.

The consulting fee for a one-time Web application security penetration test can run up to $100,000 -- a sum that's out of reach for many midsized organizations. A more affordable option can be Web application security testing offered via the Software as a Service model, which costs tens of thousands of dollars less and can get you automated and continuous vulnerability testing.

"Some of the SaaS vendors have standard packages where you can buy 52 automated scans and use them all in one day or use them throughout the year for about $9, 000," said Joseph Feiman, an analyst at Gartner Inc. in Stamford, Conn. "For more advanced tests that require someone to go in manually for business logic testing, it ranges around $18,000 for the year."

That's still expensive for some midmarket companies, but the cost can be offset by the fact that costly and hard-to-find application security specialists do not have to be trained and kept on staff. The SaaS model also eliminates the costs of servers and infrastructure needed to house the vulnerability testing software used to do the vulnerability scans, Feiman said.

Online travel agency Orbitz LLC, which has hundreds of customer-facing websites, pays about $18,500 per site per year for WhiteHat Security Inc.'s Web security testing service. The program scans sites for vulnerabilities around the clock. IT can move the scans around to specified sites and the service includes manual business logic testing of Web applications.

Business logic testing requires human eyes to uncover more devious vulnerability scenarios such as hackers changing the price of a product from $22 to 2 cents upon checkout. Another hacker trick is using wish list options on websites to drill into the URL for personal information, including customer credit card numbers and addresses, to begin doing their own shopping under the customer's name.

"We reached a number [of websites] where it wasn't realistic to test for vulnerabilities ourselves," said Ed Bellis, vice president and chief security officer at Orbitz. With 10 full-time security team members, and the need to follow Payment Card Industry regulations since most of the company's websites have e-commerce components, Bellis estimates he would have had to hire about 30 security specialists to conduct the same level of vulnerability testing provided by WhiteHat.

With WhiteHat Security and competitors such as Cenzic Inc., users get a dashboard display of vulnerabilities for each site, a drill down into the vulnerabilities and recommendations for remediation, which vendor staff members walk the customer IT team through. Trending reports also display information such as which sites are being attacked more often and what types of vulnerabilities the sites have, to help IT teams prioritize remediations.

Other SaaS providers in the Web security testing space include  Veracode Inc. and Watchfire, which was acquired by IBM in 2007 and renamed IBM Rational.

Less expensive options for Web application security testing

SaaS-based Web application security testing programs can be scaled down to one-site or one-time vulnerability testing. With WhiteHat's baseline program, midmarket companies get automated vulnerability testing for about $3,000 a year. The lower cost comes from having to do more self-service to set up the service with WhiteHat, and it does not include manual business logic testing.

A standard program comes with a bit more service -- such as vulnerability scan service setup and configuration -- for about $9,000 per site, per year. It includes unlimited testing and remediation assistance but not business logic testing.

We reached a number [of websites] where it wasn't realistic to test for vulnerabilities ourselves.

Ed Bellis, vice president and chief security officer, Orbitz LLC

Cenzic's pricing typically costs from $2,000 to $20,000, with services ranging from one-time Web security testing to unlimited scanning for the year. At the lowest end, midmarket companies can sign up for seven assessments, for example, in which their sites will be checked for 103 attacks such as SQL injections and cross-site scripting vulnerabilities.

SQL injections, although nothing new, remain a hacker favorite and 90% of Web vulnerabilities in general were found in the code of commercial Web applications, according to Cenzic's vulnerability trend report for the first half of 2009.

Cenzic offers a one-time free health check to potential customers interested in testing its offering.

WhiteHat allows customers to compare their vulnerability ranking against any of the 1,500 websites that the vendor tests, including competitors. This helps CIOs and chief information security officers make a business case to add more testing or prevent the vulnerability testing budget from being downsized.

"The ROI for us is being able to show that our vulnerabilities in comparison to competitors has gone down and our overall ranking [across WhiteHat's customer base] continues to rise," Bellis said.

Let us know what you think about the story; email Christina Torode, News Director.

Dig Deeper on Small-business infrastructure and operations