Core, Qualys to enter Web apps scanning market

Core Security and Qualys say their entrance into the Web apps vulnerability testing market is a natural evolution of their products and expertise

The Web applications vulnerability testing market is about to get a little more crowded, as both Core Security and Qualys are entering the space with strategies to integrate the tools into their existing products and services.

On Tuesday, Core announced that it has added Web applications penetration testing to the latest version of Impact, its automated network and internal security scanning package.

Executives with Qualys, which markets hosted network vulnerability testing services, confirmed to InfoWorld that the company plans to begin offering its own Web applications scanning capabilities sometime during the first quarter of 2008.

In both cases, company leaders cited strong synergies with their existing business models and recent industry consolidation as drivers for jumping into the Web applications security segment.

Earlier this year, two of the largest players in the niche, Watchfire and SPI Dynamics, were acquired by IBM and HP, respectively.

And while both Watchfire and SPI continue to market their Web applications scanning technologies as their new parents integrate the tools into their larger software development platforms, executives with Core and Qualys contend that they have an opportunity to cash in on pent-up demand.

In Core Impact version 7.5, the company has added the ability for customers to search for security holes in Web applications and servers, and any databases sitting behind those systems, via SQL injection and remote file inclusion attack techniques.

The company said the new functions will be tightly integrated with the product's traditional features, which are used to probe for weaknesses in customers' external network defenses or internal employee security practices and launch proof-of-concept attacks that demonstrate how network or user-based vulnerabilities might be exploited by real attackers.

Extending Impact's ability to include Web applications testing is a natural fit for a number of reasons, said Core Chief Executive Paul Paget.

"When we talk to customers today, they understand the process of crawling sites and fuzzing applications for weaknesses. But we can also give them the ability to auto-generate SQL injections and remote inclusion injections on the fly," said Paget. "The capability to create an exploit as we're carrying out penetration testing is a huge differentiator compared to what is out there. Once we compromise a server, we can plant our agent in the system and go deeper inside the network to illustrate just what real attackers would do."

Qualys CEO Philippe Courtot said his company's move into Web applications testing is a similarly natural evolution, both in terms of blending the capabilities into the vendor's existing network vulnerability scanning tools and in delivering the tests via its hosted software-as-a-service (SaaS) delivery model.

While IBM and HP are integrating their newly acquired vulnerability scanning technologies into their respective software platforms -- and thereby pushing developers to carry out additional testing before moving applications into production -- Courtot contends that the network security professionals already using Qualys' vulnerability testing services are actively looking for more tools to scan Web-based programs.

"We don't want to sell to developers -- that's more for HP and IBM. We think we can be complementary to what those companies are doing by providing a service to the security teams to audit their systems and ensure that attackers can't penetrate the network or the applications," Courtot said. "At the same time, we believe that customers are ready to embrace the idea of adding Web applications scanning as another service delivered under the hosted model for reasons of cost and simplicity."

Core and Qualys may end up competing for customers with their new Web applications scanning tools, but the companies also maintain an existing partnership, and the executives said the two firms can continue to build off of each other's strengths to win deals.

And while Courtot claims that Qualys will win business with its hosted delivery model -- whereby customers do not install software on their premises and instead pay for subscription-based online scanning services -- Paget contends that Core has a significant advantage in its ability to exercise real-world attack scenarios.

"I think both companies' eyes were opened to the opportunity here because we're selling to the same people, and they've been telling us that there was a need for us to offer this type of Web applications testing," said Paget. "But we feel we're taking the process to the next level; fuzzing a Web site is one thing, but being able to launch attacks is what truly pinpoints the real problems."

Both executives maintain that enterprise security teams are under increasing pressure to automate Web applications testing processes, a situation which they said should create opportunities for their new services, especially when considering the strategic changes being made to the marketing of Watchfire's and SPI's technologies by their new owners.

In a recent survey of roughly 500 IT security professionals, applications security software specialist Cenzic found that companies are increasingly concerned about data breaches carried out via remote attacks -- but that less than 20 percent of the organizations it interviewed had a full-time employee dedicated to the job of applications security testing.

With over 50 percent of respondents saying that they were afraid of losing their jobs over a successful attack on their employers' systems, and only 10 percent of those surveyed confident in the security expertise of their companies' applications developers, executives with the company said that the market for new Web scanning tools is clearly robust.

Despite the growth potential, Cenzic officials said it won't be easy for Core and Qualys to get up-to-speed quickly and build technologies that sufficiently address the complex dynamics of testing Web applications in today's environment.

"The new entrants are going to have limited capabilities in their products since their main focus has been networks and applications security is not an easy problem to solve," said Mandeep Khera, vice president of marketing for Cenzic. "If the customers want a complete solution to secure their Web applications, they'll have to go with a more experienced vendor."

However, industry experts said that the new products and services being developed by Core and Qualys -- along with other offerings from providers including WhiteHat Security and Veracode -- could increase pressure on more traditional applications security players, including Cenzic.

"The big picture trend is that there is increasingly a budget for this type of testing, which should benefit all these individual players, but there's also reason to believe that delivery of these capabilities as a service, or under the umbrella of wider security testing, could catch on," said Eric Ogren, president of Ogren Group, a security market research firm.

"In general, all this market activity reflects the fact that Web applications scanning is becoming a feature of an overall IT testing program, so it may make more sense to some companies to view it as a feature of a larger package, or as a service, as with Core or Qualys and some of these other players," Ogren said. "In the long run it might be harder for stand-alone providers to make a market for their products, which could drive a shift to more delivery via broader services models."

Copyright © 2007 IDG Communications, Inc.
