On-Premises vs. Cloud-Based Application Security
Enterprises can assess the security of their applications with on-premises tools or through a cloud-based service. With on-premises tools, the enterprise’s security team installs and maintains an application security tool and manages the application assessment process in-house. With a cloud-based service, there is no equipment on-site, and a third party manages the enterprise’s application security assessment via the Internet.
On-Premises Application Security Tools
Although the trend is toward cloud-based application security and away from on-premises tools, some organizations still use on-premises tools, or a combination of on-premises tools and a cloud-based service. This more traditional approach typically appeals to organizations uncomfortable uploading code to the cloud to be assessed, or that want or need the control afforded by on-premises tools.
Some cloud solutions cannot meet the needs of organizations that require extensive and complicated system customization and integrations. Most cloud solutions are configurable, but they cannot necessarily be heavily customized or integrated with existing systems, although the ability to customize and integrate cloud-based services is improving.
For some large organizations, their industry, clients or business mandates where corporate data is held, and moving any data to the cloud might not be an option. Some organizations also feel that the cloud is less secure than an on-premises tool and want to keep their data on-site. In fact, it is risky software, rather than the cloud, that adds unnecessary risk when using a third party, and organizations should be more concerned about the security of the development processes of third parties rather than the security of the cloud. Regardless, for some organizations, keeping their data on-site is a priority.
The cons of an on-premises solution include the following:
- Need in-house security expertise: On-premises tools typically require specialized expertise to install and run. And security experts who can install, configure and maintain these tools, as well as respond to the information they return, are expensive and in short supply.
- Cumbersome to scale: When an on-premises application security program needs to be scaled, enterprises frequently need to track down more of these hard-to-find security specialists, in addition to installing more servers. This scaling issue is compounded by the rapid pace of business innovation today. With the traditional tool-based approach, it is nearly impossible to keep up with the speed of the digital economy. These tools slow down development, and ultimately leave an enterprise vulnerable because they can’t scale to address all the applications an enterprise builds, buys or downloads.
- Not ideal for remote/disparate teams: Today’s workforce is rarely located in one place, and the on-premises model makes it challenging to apply consistent policies, reporting and metrics across disparate teams.
- High upfront costs: Implementation and equipment costs are significant upfront compared with a cloud-based service.
Cloud-Based Application Security Service
Simpler and more scalable than on-premises solutions, a cloud-based service lets enterprises start immediately, without hiring more consultants or installing more servers and tools.
It also allows enterprises with large and distributed development teams to create robust AppSec programs. With a cloud-based service, enterprises can have central policies and metrics for consistent controls across global business units (BUs) and development teams (or even outside software companies).
Unlike an on-premises tool, a cloud-based service is continuously gathering more information, learning and improving. For example, developers won’t get bogged down with false positives because our platform is continuously learning to adapt to evolving threats.
CA Veracode’s cloud-based service in particular offers a breadth of expertise and services that simply cannot be matched in a tool-based approach. Unique in the industry, CA Veracode’s cloud-based service combines all assessment techniques — binary static analysis (SAST), dynamic analysis (DAST), web application discovery and monitoring, behavioral analysis and software composition analysis — in one comprehensive platform. And our SOC-2 certification means we've implemented rigorous controls to ensure code uploaded to our platform is secure.
Ultimately, with a cloud-based service, enterprises have a centralized way to secure web, mobile and third-party applications across their global infrastructures — from development to production — without slowing innovation.