On-demand security issues raised

Software-as-a-service vendors need to allow customers to carry out penetration testing

Firms that rely on on-demand (software-as-a-service) applications could be exposing themselves to security risks, because most on-demand software vendors do not allow customers to test the hosted applications, according to IT training specialist The Training Camp.

Although penetration testers can work with firms to spot weaknesses in the corporate network, a hosted service cannot be tested without the provider's consent, so legal and contractual restrictions put a growing share of their customers' IT environments out of bounds, explained The Training Camp's Nick Wells.

"It's not a massive issue because we've not seen a huge incident yet, but that's not to say it won't happen in the future," he added. "The potential is there for a massive breach to occur because people are not being allowed to go about their job in preventing it."

But Andy Kellett of analyst Butler Group argued that it is not practical for application service providers to be forced to provide access for their various customers. He added that allowing this to happen is not likely to increase the security of the service.

"Security is probably less a problem than in the end-user organisations because [on-demand app providers] are measured by the service they provide," Kellett argued. "I don't agree the end-user organisation's pen tester of choice should be doing the testing. The service provider should do it and make that information available."

Clarence So of Salesforce.com agreed, adding that most chief information officers today understand that software-as-a-service (SaaS) vendors are able to secure data more effectively than they can themselves.

"I'm sure training companies have their own motives for advocating the need for in-house skills such as penetration testing," he argued. "But any suggestions the SaaS model is less secure than client-server software are well wide of the mark."

But Daryl Cornelius of comms testing specialist Spirent Communications said that some on-demand apps providers could be shying away from allowing their customers to test their services in case it highlights any vulnerabilities.

"It could be quite a powerful weapon for businesses to have," he added. "It would be interesting to see customers start to demand more than just latency measurements but also performance under attack and other measurements."