Eyeballing the Security of Application Service Providers
Jeremiah Grossman, founder and Chief Technology Officer of WhiteHat Security, gives advice on vetting Application Service Providers to ensure security for your business
By Jeremiah Grossman
August 07, 2008 — CSO —
A large number of banks, credit unions, product merchants, healthcare providers, and others are taking advantage of Application Service Providers (ASPs) to enhance their on-line offerings and reduce IT cost. Popular ASPs offer attractive service packages that include the necessary hardware and software infrastructure, such as fast, reliable machines, large bandwidth pipes, disaster-recovery policies, several layers of built-in fault tolerance, and support.
ASP customers don't have to build a complex web-enabled infrastructure or grow the staffing requirements to manage it. Customers are free to carry on with their core business competencies without worrying about development overhead. What we must remember is that when you outsource your website to an ASP, you are also outsourcing your security.
ASPs must be treated like a trusted business partner as they become the guardians of your website and sensitive customer information. Their security MUST be a priority requirement. If they are insecure, your business is insecure. It's just that simple.
If and when your ASP-hosted web site is hacked, you will likely suffer financial loss as a result of downtime or theft of intellectual property. Funds and merchandise may be illegally transferred. There is administrative overhead in responding to and investigating the incident that can cost your business time and money. Also, regulations like GLBA, HIPAA, SarBox, and the various security breach laws are an ongoing concern and complicate the matter.
Lastly, you may suffer unquantifiable brand damage when the situation is made known to the press, the Federal Trade Commission, your customers, your competitors, and your boss. When searching for an ASP that is right for your organization, you need to be aware of its security practices.
ASPs develop, deploy, and manage custom web application software that enables websites to conduct business online. Online storefronts using shopping carts, credit card processors, and banks using wire transfer and bill-pay services are a few examples. Order tracking, customer service, service configuration, content management, and dozens of other outsourced service implementations are common as well. For these transactions, the ASP's web application code is running the show from front-end to back-end. From a security perspective this means that if the web application is vulnerable to any of the Web Application Security Consortium's (WASC) 24 documented classes of attack, including SQL Injection, Cross-Site Scripting, and Cross-Site Request Forgery, your websites are at risk of compromise.
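To make the SQL Injection class named above concrete, here is an added example (not code from the article or from any ASP) that places a vulnerable lookup beside its hardened form. The customer table, the e-mail addresses and the hostile input are all constructed for the demonstration; the point for a buyer vetting an ASP is that the two functions look almost identical, yet only one of them lets a caller's input rewrite the query.

```python
import sqlite3


def build_db():
    # Constructed sample data: a tiny "customers" table standing in for an
    # ASP-hosted application's back end. Added example, not real ASP code.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, account TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice@example.com", "ACCT-0001"),
            (2, "bob@example.com", "ACCT-0002"),
            (3, "carol@example.com", "ACCT-0003"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Builds the statement by string concatenation: the caller's input becomes
    # part of the SQL text, which is the defect behind SQL Injection.
    sql = "SELECT id, email, account FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # Hardened form: the input is bound as a parameter and is never parsed as
    # SQL, so it can only ever be compared as a literal e-mail value.
    sql = "SELECT id, email, account FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    # Returns the number of rows each lookup hands back for a normal value and
    # for a constructed input that closes the string literal and makes the
    # WHERE clause always true. A review should expect the hardened version to
    # return nothing for the hostile value.
    conn = build_db()
    normal = "alice@example.com"
    hostile = "x' OR '1'='1"
    return {
        "normal_vulnerable": len(lookup_vulnerable(conn, normal)),
        "normal_parameterized": len(lookup_parameterized(conn, normal)),
        "hostile_vulnerable": len(lookup_vulnerable(conn, hostile)),
        "hostile_parameterized": len(lookup_parameterized(conn, hostile)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

Run as a script, the vulnerable lookup returns every customer record for the hostile input while the parameterized lookup returns none; the same pattern of review (feed a lookup a value that should match nothing and confirm that it does match nothing) applies to any data-access code an ASP exposes on your behalf.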
An ASP must provide security equal to or better than your company could achieve alone. It's vital that you are aware of the threats and risks that may arise and that are going to be out of your control. When selecting an ASP to protect and carry out your online business, it's in your best interest to do your homework. Information security needs to be approached with defense-in-depth, and listed below are some web application security guidelines to consider during the review process. Essentially the list contains recommended questions combined with the answers you might receive from a 'good', security-conscious ASP.