WebAppSec for the little guy - courtesy of 403 Web Security
by Steve Ragan - Jul 25 2011, 18:00
As concern for Web Application Security grows, fueled by compliance demands and raw fear, a growing market of products and services is competing for C-level attention. Yet most of the WebAppSec market focuses on Enterprise operations.
What about the smaller organizations? They have the same fears and problems, but face limited resources and budgets. Are they just stuck in the middle?
Over the years, the number of organizations offering application-based services online has grown, and the number of application-based security problems has grown with it. Just this week, security firm Imperva reported that attackers targeting Web Applications are able to do so at peaks as high as 7 attacks per second, or roughly 25,000 per hour.
Some of the problems that plague Web Applications are well-known, such as SQL Injection (SQLi), Cross-Site Scripting (XSS), and Remote File Inclusion (RFI). Others are less discussed but just as damaging: missing authentication controls and restrictions, such as no limit on the number of attempts an attacker may make against a protected resource; credentials such as passwords hard-coded inside a function; and logic flaws.
As mentioned, there is a growing market for WebAppSec related products and services. The catch is that most of them are simply too expensive for many organizations to afford. Many of the Web Applications online are maintained by companies that are small, falling well outside the definition of an Enterprise-level operation. They often do not have the resources to operate a regular development lifecycle that includes comprehensive security practices.
Rafal Los, an established WebAppSec specialist, offered a solid explanation a while back during an interview as to why application security issues are so common. As he put it, the cause is the nature of Web development itself. In short, developers are paid to write code in a timely manner. While many skilled developers know how to include security in the design, they are often restricted by budgets and other business needs.
Recently, The Tech Herald was introduced to a company, located in our own backyard here in Indianapolis, that wants to address that problem. While they can work with large organizations, they prefer to focus on the smaller ones.
The company's name, 403 Web Security, will make some developers grin at the obvious play on words (403 is the HTTP "Forbidden" status). Humor aside, 403's pedigree comes from WDDinc, a company with 18 years of Web Application and Website development experience, focusing on Software Quality Assurance (SQA) and security that is included from the start.
403 can do straight application or website development, working with an organization at the start of a project from the ground up, or they can come in at the project’s end, offering security evaluations and remediation if needed.
Most organizations already have developed websites and applications, so more often than not, 403’s evaluation services are the starting point. The process begins with a free assessment, which includes a vulnerability audit and consultation. If problems are discovered, 403 will explain what they are, how they impact the organization, and how they can be addressed.
For a small company, with a mid-sized website and its own development team, 403 will work with the company's development team to identify the flawed portions of the website and help or instruct the company with remediation. The expected cost is normally less than $10,000 USD.
A small company with a moderately complex website, and no development team, can expect the cost to fall below $25,000 USD in most cases. If a company has no development staff and a serious need for security (as in no risk tolerance whatsoever), the end-to-end cost could run less than $50,000 USD. Each of these options would include 403 doing all of the development remediation, code reviews, and multiple security tests.
When compared to a WebAppSec appliance, which often costs upwards of $100,000 USD and still requires an internal development staff to fix the code, 403 comes in well within the budget of smaller organizations.
Obviously, 403 is not the only company to offer this type of service. However, after speaking to managing partner Alan Wlasuk, it is clear that they are more concerned with working alongside their clients than over or around them. To 403, security and application development together form a single process, one that evolves over time. It is not something that can be easily crossed off a checklist.
If anything, smaller organizations that find themselves concerned about application security, but face restricted budgets and resources, risk nothing by asking for a free assessment from 403. It’s time well spent.
Do you know of a vendor offering services aimed mainly at smaller organizations, with a focus on helping them address restrictions on business resources that impact security? Send us an email, [email protected], and let us know who they are.