SiegeWorks Solution Secures Web Applications

Take SiegeWorks, a solution provider that officially launched its Web application assessment services at last month's RSA Conference in San Francisco.

The offering, called Managed Application Assessment Services (MAAS), has three components: a best practices guide, developer training and ongoing assessments, said Jeff Bennett, CEO of SiegeWorks, based here. The training and assessments can be done on-site or remotely, depending on a customer's needs, he said.

The three-pronged offering makes up a sizable chunk of SiegeWorks' business, Bennett said. Pricing, which starts at about $20,000 per year, is based on an annual subscription and varies by the size of the application, he said.

With an increasing number of security breaches targeting Web applications, companies are realizing that it's critical to button down their code, Bennett said. "Hackers are finding that Web applications are the easiest way to get into a company," he said.


Most Web applications hook into a company's back-end systems, where intruders can find a treasure trove of customer data, credit-card numbers and other sensitive information.

Developers typically focus on features, functions and time to market rather than security, Bennett said. "They've got to get these applications out as fast as they can," he said. "It's always assumed the firewall will take care of application security."

Common Web application vulnerabilities that criminal hackers exploit include cross-site scripting and buffer overflows.

Customers were looking for a service rather than a tool to assess application vulnerability because they didn't always have the in-house expertise needed to use the tool, Bennett said. So SiegeWorks responded with MAAS, he said.

The best-practices component of that service is tailored specifically to a customer's application and can be used by that customer as a guideline for future development. The training piece educates developers on secure code practices, and the assessment component scours an app for security flaws.

SiegeWorks' ability to offer training and assessment remotely is a unique aspect of the service, Bennett said. A lot of application development is outsourced, often to distant locations such as India and Eastern Europe, and clients wanted a way to remotely assess that work.

"If [clients] wait until they get the code back and it's ready for production, it's too late," Bennett said. "The assessment service gets us into the game early. Security will be built into their application code from the get-go."

In its assessments, SiegeWorks uses homegrown tools, as well as AppScan, a tool from vendor Sanctum. Customers include financial services organizations and Net retailers.

Indeed, catching application flaws early in the development process is essential to protecting a company from a host of risks down the road, said Richard Dean, an analyst at research firm IDC. "Companies that can catch the problems up front have an advantage in the marketplace," he said, adding that he believes SiegeWorks is on track with MAAS.

IDC expects the worldwide information security services market to grow to $23.6 billion in 2007 from $9.1 billion in 2002.

Meanwhile, other companies also have gotten into the Web application assessment space.

The Enterprise Security Group at AMS, a consulting firm in Fairfax, Va., focuses entirely on app security and conducts Web app assessments on-site and remotely, said Jeff Johnson, vice president of the group.

"We do outside-in and inside-out assessments, so we see the application from both perspectives," he said.