Thanks for taking our pre-release easyVAPT™ SaaS for a spin. Any feedback would be greatly appreciated. And thank you for your interest in different vulnerability assessment fielding options. In this article, we discuss the pros and cons of doing binary vulnerability analysis in a SaaS vs. on-premises vs. in-situ. We also discuss how ObjectSecurity’s VAPT series is designed to support different use cases.

SaaS

A SaaS subscription undoubtedly has several benefits over other fielding options, especially no upfront cost hurdles, no maintenance costs, low overall cost, convenience and flexible scalability – and easyVAPT is no exception to the rule.

However, both our investor organization and trial users voiced obvious security concerns (your binaries are sent to the cloud), as well as concerns about extracting firmware from already-fielded (embedded) devices – including scenarios where internet connectivity is spotty or unavailable. While we at ObjectSecurity take security very seriously and have baked appropriate security features into the SaaS hosting and application, these concerns remain valid for some users (especially government users).

As a consequence, ObjectSecurity has in fact focused most of our recent development efforts on alternative fielding options to support those requirements, which are described further below.

Portability

Some users need to test devices in situ, especially embedded systems that cannot just be removed (e.g. from a vehicle/vessel/aircraft etc.) – and sometimes there is not even a power outlet that can be used, creating the need for battery power.

Our VAPTBOX is a portable device combo that a non-expert user can carry on site and connect to an already-deployed embedded system via common external and internal connectors. VAPTBOX then automatically assesses the embedded system, and the user can view a “traffic light” (or advanced) report. It can also be used as an automated network penetration tester on site.

Offline

In the portable device fielding option above, sometimes internet is spotty or unavailable, so the device has to be able to operate offline. This creates technical challenges because all the heavy processing needs to be carried out on the portable device itself, and advanced preloading and synchronization features need to be available.

Our VAPTBOX™ portable device has been designed to support offline operation.

On-premises

Some users we have spoken to prefer to do vulnerability assessment on-premises, mostly for security reasons. While such deployments do not have to be portable, in rare cases they need to be offline (to avoid exfiltration).

Our VAPTBOX™ device has been designed to be deployable as an on-premises server (physical or virtual), with optional offline operation.

In conclusion, there is no “better” or “worse” way of doing binary vulnerability assessments – it depends on your organization’s particular requirements. Please talk to us about your experiences and/or requirements in this area, and please check back regularly as we have exciting features planned for the full VAPTBOX release.

Contact us. Let’s get the conversation started.

ObjectSecurity securely brings together data & analytics to create intelligence and automation.

We are leading experts in technologies and services to drive the information age in your organization – including: cybersecurity, data analytics, supply chain risk analysis, and artificial intelligence.