UK-based distributor Cloud Distribution has signed a deal to exclusively bring the on-demand web application penetration testing (APT) service of iViZ Security to the UK.

Through its reseller partners, the value-added distributor (VAD) is hoping to capture the market for vulnerability assessments among website and application owners who need to carry out regular APT processes to remain compliant with security and data protection requirements.

The iViZ software-as-a-service (SaaS) allows end users or their security consultants to submit web applications for penetration testing via a secure portal that automates vulnerability scanning using multiple scanners hosted on its own servers.

Scott Dobson, Cloud Distribution co-founder, told Cloud Pro the real difference with the iViZ service was the follow-up assessment of false positives and negatives caused by logical flaws, which can only be discovered by manual testing, and that is performed by the SaaS provider’s own security experts.

“Typically a larger client will have not just one or two websites or apps but hundreds, and employing a very big systems integration firm to carry out pen-testing can be very costly in terms of the time it takes to manually review reports and eliminate negative or positive results that are false,” he said.

“Having an scheduled, automated scanning and reporting process, that’s up-to-date with the latest vulnerability definitions and is then reviewed during a 12-hour window by the experts at iViZ before being made available for download, essentially saves the client time and money.”

The APT service is designed to combine both automated scanning and manual testing approaches to provide on-demand availability in a subscription based model that Dobson said would be as popular with end users as the security consultants and managed security service providers Cloud Distribution are aiming to bring it to the UK market with.

He added that the company and its partners identified a gap in the market: “We’re focusing on e-commerce websites initially; because of their transactional functions, they have to be regularly tested for security vulnerabilities according to regulations like the Payment Card Industry (PCI) standards.”

But the potential for this emerging area of cloud-based services could be far bigger, as well as complementary to his firm’s success in distributing Meraki’s cloud-based wireless network systems he contended.

“The more you test the better with websites,” he said. “It’s not so much that you look for viruses, but vulnerabilities that might be introduced the more code is developed and re-written. That’s when trapdoors and backdoors can be created where malicious code can be inserted. And it’s an area of development that’s constantly evolving.”

The iViZ compliance reports can also suggest areas that have security gaps and conform to standards through templates for PCI, ISO-27001, and the US Sarbanes-Oxley (SOX) accounting law.

iViZ also has offices in Boston, London and Bangalore.