Industry View

Eyeballing the Security of Application Service Providers

Jeremiah Grossman, founder and Chief Technology Officer of WhiteHat Security, gives advice on vetting Application Service Providers to ensure security for your business

By Jeremiah Grossman

Page 3

How often is the web application code updated and is it security tested before each release?
Our web application code is typically updated every quarter with new features, performance enhancements, and security improvements. Using a variety of tools (vulnerability scanners, source code scanners, etc.), our internal QA process rigorously tests each new feature, alone and in combination with existing features, for correct functionality and security before release.

*Assessing the security of a web application may require tens of thousands of tests or more, far beyond what any expert could perform manually. And because this kind of attack usually arrives through the browser, testing it is very different from testing Windows or host security. Comprehensive coverage therefore requires special-purpose web application scanning technology.

What are the security considerations for the use of third-party source code or remote services?
When third-party code or remote services are used by our websites, they are held to the same (or higher) security standards as our own code. To provide that assurance, every third-party product undergoes an in-depth security assessment by an independent audit firm, and any identified security vulnerabilities are resolved before the product is deployed to production.

*Independent web application security assessments can be performed by a number of firms. Choose a seasoned vendor because experience counts.

3) Security Assessment Procedures

It's important to ensure that routine security assessments are performed on both the network infrastructure and the web application software. This gives visibility into what security looks like 'today' rather than last year. Remember, a script-kiddie Nessus scan is simply not enough; full in-depth analysis is required. Verify that the security assessment reports specifically address web application security testing. This area is often overlooked by ASPs and, as I mentioned before, represents a large portion of the security risk.
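The gap between a network scan and a web application test, and the reason the note under the release question says comprehensive testing needs special-purpose scanning, can be seen in working code. The Python example below is added here; it is not code from the article or from WhiteHat Security. It stands up two constructed loopback servers (a search page that echoes its `q` parameter unescaped, and one that HTML-escapes it), then compares what a network-layer check learns (service answers, HTTP banner) with what an application-layer probe learns (which marker payloads come back verbatim). The handler names, the `/search?q=` endpoint and the payload list are assumptions made for the demo.

```python
"""Network-layer view vs application-layer view of a web app (added example)."""
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class SearchHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an ASP's search page (assumption for the demo).
    ESCAPE_OUTPUT selects the unescaped (vulnerable) or escaped (hardened) variant."""
    ESCAPE_OUTPUT = False

    def do_GET(self):
        query = urllib.parse.urlparse(self.path).query
        term = urllib.parse.parse_qs(query).get("q", [""])[0]
        if self.ESCAPE_OUTPUT:
            term = html.escape(term, quote=True)  # output encoding: the fix
        body = f"<html><body><p>Results for: {term}</p></body></html>".encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep request logging quiet for the demo


class VulnerableHandler(SearchHandler):
    ESCAPE_OUTPUT = False


class HardenedHandler(SearchHandler):
    ESCAPE_OUTPUT = True


def start_server(handler):
    """Bind an ephemeral loopback port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def network_layer_view(port):
    """Roughly what a port/service scan learns: the service is up and what it calls itself."""
    with urllib.request.urlopen(f"http://127.0.0.1:{port}/") as resp:
        return {"status": resp.status, "server": resp.headers.get("Server")}


# Constructed marker payloads: each carries characters that must never reach HTML unencoded.
PAYLOADS = [
    '<zz1>"\'</zz1>',
    '"><img src=x onerror=zz2>',
    "';zz3//",
]


def probe_reflection(port, param="q"):
    """Send each payload through the request parameter a browser would use and
    return the ones the page echoes back verbatim (no output encoding applied)."""
    reflected = []
    for payload in PAYLOADS:
        url = f"http://127.0.0.1:{port}/search?" + urllib.parse.urlencode({param: payload})
        with urllib.request.urlopen(url) as resp:
            page = resp.read().decode("utf-8")
        if payload in page:
            reflected.append(payload)
    return reflected


def compare_views():
    """Run both variants: identical at the network layer, different at the application layer."""
    results = {}
    for name, handler in (("vulnerable", VulnerableHandler), ("hardened", HardenedHandler)):
        server = start_server(handler)
        port = server.server_address[1]
        try:
            results[name] = {
                "network": network_layer_view(port),
                "reflected": probe_reflection(port),
            }
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, view in compare_views().items():
        print(name, view)
```

Run directly, both variants report the same status and Server header, while only the vulnerable variant reflects the three markers. A real assessment repeats this across every parameter, cookie and header, every encoding, and many payload classes, which is where the tens-of-thousands-of-tests figure comes from, and why a report that only covers hosts and ports says nothing about this layer.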

Questions and Good Answers

Are security assessments performed internally or by a third-party? Also what security criteria are used for testing?
To validate our security posture, an independent audit firm performs a comprehensive security assessment on our Web applications and network infrastructure. Any identified security vulnerabilities are promptly resolved.

Are security assessments performed regularly and do they match the release schedule of the Web applications?
Our Web application code is updated routinely according to our product roadmap. During each release, Web application assessments are performed. Again, any identified security vulnerabilities are promptly resolved. This process ensures a high degree of security assurance for our customers.

May we review the latest security report?
Up-to-date security reports can be made available upon request.
