We’ve recently been asked to look at the way that the Cloud is increasingly being used to provide external security testing services (such as AVS, Application Vulnerability Scanning). The argument of the proponents of such services is that security threats come from the cloud, and thus it makes most sense to embed the AVS in the cloud. However, after very detailed examination of the options, we have come to the conclusion that the Cloud isn’t necessarily the right answer for many enterprises, and that the AVS service may best be delivered inside the datacenter.
Application Vulnerability Scanning is the process of exercising the external interfaces to applications (typically public-facing web applications) so as to make sure that there are no exploitable or potentially-exploitable security weaknesses. So, for example, you might want to log on to a system and check that the credentials aren’t just sent back to you in plain text in a cookie.
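The cookie check mentioned above can be sketched as follows. This is an added example, not code from any particular AVS product: it looks for the submitted credentials in the `Set-Cookie` headers of a login response, in plain, URL-encoded or base64 form. The function names, the credentials and the sample headers are all constructed for illustration.

```python
import base64
from http.cookies import SimpleCookie
from urllib.parse import quote, unquote

def decodings(value):
    """Return [(encoding, text)] views of a cookie value, least-decoded first."""
    views = [("plain", value)]
    url = unquote(value)
    if url != value:
        views.append(("url-encoded", url))
    # Accept standard and URL-safe base64, with or without padding.
    b64 = url.replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
        views.append(("base64", raw.decode("utf-8")))
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        pass
    return views

def find_credential_cookies(set_cookie_headers, secrets):
    """Return (cookie, secret_label, encoding) for each submitted secret echoed in a cookie."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            views = decodings(morsel.value)
            for label, secret in secrets.items():
                # Report the least-decoded form in which the secret is visible.
                hit = next((enc for enc, text in views if secret and secret in text), None)
                if hit:
                    findings.append((name, label, hit))
    return findings

# Constructed sample: credentials submitted to a hypothetical login form and
# the Set-Cookie headers of its response (not captured from a real application).
SECRETS = {"username": "alice", "password": "p@ss w0rd"}
SAMPLE_HEADERS = [
    "session=9f2c1e7ab4d0; Path=/; HttpOnly; Secure",
    "user=alice; Path=/",
    "remember=" + quote(SECRETS["password"], safe="") + "; Path=/",
    "auth=" + base64.b64encode(b"alice:p@ss w0rd").decode() + "; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for cookie, label, encoding in find_credential_cookies(SAMPLE_HEADERS, SECRETS):
        print(f"cookie {cookie!r} carries the {label} ({encoding})")
```

An opaque session identifier passes the check, while any cookie that echoes the username or password back is reported along with the encoding it was found in.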