IT MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS AND CONSULTING
Executive Summary
The need for securing applications has never been greater. Security researchers see application vulnerabilities as one of today’s most significant areas of security risk to enterprise interests and sensitive information—and attackers increasingly recognize this exposure as well. Vulnerable applications have been targeted not only to gain access to the information they manage, but to further propagate and amplify attacks when they are exploited to host so-called “drive by” threats that target users of otherwise legitimate—and sometimes well-recognized—Websites.
The challenge is that these applications are often developed and maintained by an enterprise’s own
development and management teams. This differs from so-called “commercial off-the-shelf ” or COTS
applications, which are typically maintained by a third-party software vendor that has a vested interest
in maintaining their security. The security of an enterprise’s own applications falls on the enterprise
itself—which means that the enterprise must take the lead in maintaining vigilance over this increasingly
exposed avenue of exploit. This has led businesses to make an increasing investment in application
security tools—but which ones deliver the needed set of capabilities for any one unique organization?
ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) coverage of Web application security
products begins in the same place that most companies begin their application security capabilities,
in Website Vulnerability Assessment. Website Vulnerability Assessment products are also commonly
called Black Box or Dynamic application vulnerability assessments products. However, for the purpose
of this report they will simply be referred to as Website Vulnerability Assessment (WVA) products.
WVAs are so called because they require no knowledge of application internals or the underlying code
base, but rather perform their analysis on the basis of the application’s observable real-time behavior.
This is an assessment run from an attacker’s view. In other words, the assessment is run from a user’s
perspective once an application is either deployed in a production environment, or has progressed far
enough in the Software Development Lifecycle (SDLC) to be considered production-ready. These
assessments are particularly useful because they allow companies to gain a better understanding of how
their applications look to an attacker.
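The following toy script is an added illustration of the black-box loop described above; it is not code from EMA or from any vendor covered in this report. It crawls only what is observable (links in responses), never the handler source, and judges each discovered parameter by how the application behaves when a harmless marker string is sent. The in-memory site, its handlers and the marker value are all constructed for the example and stand in for real HTTP traffic.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample site standing in for a live Web application. Each handler takes the
# parsed query string and returns an HTML body. Only /search echoes input without encoding,
# which is the kind of defect a WVA reports; /profile encodes correctly; /about takes no input.
def _search(query):
    term = query.get("q", [""])[0]
    return f'<html><body><a href="/about">About</a> Results for: {term}</body></html>'

def _profile(query):
    name = query.get("name", [""])[0]
    return f'<html><body><a href="/search?q=test">Search</a> Hello, {html.escape(name)}</body></html>'

def _about(query):
    return '<html><body><a href="/profile?name=guest">Profile</a> <a href="/search?q=a">Search</a></body></html>'

SITE = {"/search": _search, "/profile": _profile, "/about": _about}

def fetch(url):
    """Stand-in for an HTTP GET. The scanner sees only the response body, never the handler
    source, which is exactly the black-box constraint the report describes."""
    parts = urlsplit(url)
    handler = SITE.get(parts.path)
    return None if handler is None else handler(parse_qs(parts.query))

HREF_RE = re.compile(r'href="([^"]+)"')

def spider(start, limit=50):
    """Breadth-first crawl that follows only links observed in responses.
    Returns the discovered surface as {path: set of parameter names}."""
    seen, queue, surface = set(), [start], {}
    while queue and len(seen) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        parts = urlsplit(url)
        surface.setdefault(parts.path, set()).update(parse_qs(parts.query).keys())
        queue.extend(link for link in HREF_RE.findall(body) if link not in seen)
    return surface

# Harmless canary (constructed): the angle brackets and quote only reveal whether the
# application HTML-encodes its output; nothing here executes anywhere.
MARKER = 'wva7Marker<>"'

def probe_reflection(surface):
    """Send the marker to every discovered parameter and report those that echo it back
    verbatim, i.e. without HTML encoding. Returns a sorted list of (path, parameter)."""
    findings = []
    for path, params in surface.items():
        for param in params:
            body = fetch(f"{path}?{urlencode({param: MARKER})}")
            if body is not None and MARKER in body:
                findings.append((path, param))
    return sorted(findings)

def assess(start="/about"):
    """Full black-box pass: discover the surface, then judge it purely by observed behaviour."""
    return probe_reflection(spider(start))

if __name__ == "__main__":
    for path, param in assess():
        print(f"unencoded reflection: {path} parameter {param!r}")
```

Running it reports the one parameter that echoes input unencoded (`/search`, `q`) and stays silent on `/profile`, whose handler encodes output. A real WVA product adds many more probe classes and much richer crawling (forms, JavaScript-driven navigation, authenticated sessions), and its findings still benefit from verification: an unencoded echo inside an HTML comment is a different risk from one in body text, and a scanner that only observes behaviour, like the one above, cannot tell the two apart on its own.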
Unfortunately, these types of assessments can be fairly difficult. This is primarily due to the dynamic
nature of the applications being assessed. WVAs typically work with highly volatile, constantly evolving
environments. Not only are the applications themselves dynamic, the relationships the applications
share with users, databases, infrastructure, systems, and other applications are also all subject to change.
This means that a Website vulnerability assessor must be aware of a large array of attack methodologies
as well as plausible vulnerabilities.
Furthermore, Web applications have proliferated in enterprise environments at an alarming rate. It
is not uncommon for Web applications to serve as both the backbone for internal processes and the
interactive public face of an enterprise. Indeed, Web applications have become a widely available,
critical aspect of nearly every enterprise in the world today. Of course this does not simplify the task
for assessors or security professionals.
Further complicating matters is the fact that it is impossible, even for the most seasoned assessors, to
create a scalable process to assess enterprise Web applications without the assistance of an automated
tool. It is therefore imperative that enterprises integrate Web application scanning technology that
allows them to create repeatable processes to understand how attackers see their Web applications.
However, with so many solutions for WVA on the market, the question arises: which tool will fit an
organization best?
1
EMA Radar Report: Website Vulnerability Assessment Q4 2009
©2009 Enterprise Management Associates, Inc. All Rights Reserved.
This EMA report seeks to answer these questions by exploring the realm of application security and
WVA products. The report then defines leaders in the WVA product market and takes a deep dive into
the specific capabilities and values of each of the market players.
The Website Vulnerability Assessment Landscape
Unsophisticated defense, easily exploitable vulnerabilities, definable demographics and lucrative payoffs characterize the attacker’s perspective of Web application security. Unfortunately, this means that the defender’s perspective is bleak at best, with issues such as deficiencies in typical security countermeasures, a steep learning curve, and excessively difficult-to-remediate vulnerabilities becoming the battlegrounds where application security is being won and lost. In a larger sense, these factors have made Web application security one of the key domains in which the fight for IT security is being waged.
Further complicating matters is the continued proliferation of Web application vulnerabilities. It is an
unfortunate reality for IT security professionals that the mass production of Web applications has not
included the processes and procedures necessary to ensure that those applications are secure. This poses
very high risk in light of the fact that Web application security vulnerabilities also tend to be the easiest
to discover, due in large measure to the ease with which an attacker can access a Web application.
Attackers have noted all of these issues and are readily exploiting these weaknesses. Attacks against applications and their users have become sophisticated and common. For an attacker there are several advantages to targeting an application. First of all, most security countermeasures are neither designed for nor capable of detecting application-related attacks. A malicious hacker can therefore test and exploit vulnerable applications at will. Second, a single application can serve millions of people, which means that an attacker can merely attack a single application to exploit millions of others by extension. Finally, attackers can target specific demographics by attacking sites with particular user bases. For example, an attacker could target a church in Orange County if they wanted to gain access to computer systems of well-off American citizens. Orange County happens to be one of the wealthiest counties in the US, the demographics that visit Orange County churches are typically Orange County residents, and a church may not always have the resources or capabilities—let alone the awareness—to deal with the threat in the way that, say, an enterprise directly dependent on Web applications as a primary aspect of its business would. The combination of these three advantages of attacking application security has made Web applications a prime target for organized criminals and opportunistic attackers.
There is no small correlation between these vulnerabilities and the proliferation of major incidents in the IT world. Incidents such as major Web applications being hacked and repurposed to serve out malware dedicated to stealing sensitive and personal data for the financial benefit of attackers have become an all too familiar occurrence for IT security professionals. In an effort to address these issues and curb the tide of attacks and vulnerabilities, most security champions within businesses have begun searching for Web application security solutions. Most often the first stop for these searchers is WVA software.
The WVA product landscape is an extremely interesting and volatile arena. The landscape, which only five years ago was almost totally dominated by professionals seeking to conduct better penetration tests, has grown in maturity to become a critical aspect of security operations. These operations have now become significant considerations in executive level decisions on capabilities and budget delegations. The result has been the increased focus and entrance of major IT market players into the realm of WVA.
Furthermore, as major IT vendors such as HP, IBM, and McAfee extend their capabilities into the
arena of WVA, smaller players such as Acunetix, Cenzic, WhiteHat, and NTOBJECTives (NTO)
increase their focus and target those disenchanted with the larger players. Of course, these strategies
may only be useful as a short term tactical strategy while HP, IBM, and McAfee continue to integrate
and offer more complete products and services.
All of these market competitors are currently jockeying for the leadership position in the WVA market, in an effort to standardize the method for effectively beginning to solve Web application security issues. Of course, given the competitive nature of the landscape and the importance of selecting the proper solution, assessing the various WVA solutions can be an extremely difficult task.
Assessing the Website Vulnerability Assessment Market
EMA tackled this task by breaking down solution characteristics preferred overall and determining where the major market players currently reside with respect to their specific capabilities. Many IT security vendors have ventured more recently than others into the realm of Web application security. In some cases, however, these players have not necessarily matured enough to truly address the issues faced by IT security professionals today. This made it somewhat difficult for EMA, as those newer players are often the visionaries in the realm, but would not necessarily be a good buy for users specifically wishing to address some of the more practical or tactical aspects of Web application security widely faced today. As a result, the companies that were assessed tend to be closer to the value leaders area than would normally be seen in a ranking report. Regardless, these market players met the criteria for inclusion in this report, and are therefore considered.
Conducting a hands-on assessment was also considered in creating this EMA Radar Report. However, due to the variable, dynamic nature of the environments being assessed in WVAs, EMA felt that a hands-on assessment could potentially confuse buyers. For example, EMA would not rank a vendor’s product as a value leader because it is able to conduct the best assessments of Silverlight-based environments if the potential buyer is Adobe (which makes a competing product in Flash). Thus, for the general potential buyer environment a more general focus was taken.
Characteristics of a Preferred Solution
Selecting the proper WVA product can be difficult. In addition to the obvious implications of the overall
power of the solution, one must also consider how that solution will integrate into an environment.
WVA products do not solve the issues of application security, they merely highlight where the issues
lie so that organizations can implement the proper policies and procedures to address the issues. As a
result, Web application security rarely, if ever, works within a silo.
Therefore, those selecting WVA technologies must take into consideration the various aspects of their
dynamic company environment in order to find the most effective solution. Furthermore, potential
customers must also consider the technology implications of their selection. In other words, if an
organization only produces Flash Web applications, they are likely not going to want to purchase a
solution that only tests HTML pages. Due to the fact that most WVA solutions do not advertise which
technologies they evaluate, it becomes more difficult to determine when one might have a technological
alignment. The following are therefore a few of the characteristics considered in evaluating the market:
• Powerful: In selecting a WVA utility it is imperative to consider the overall strength of the solution. Today the speed with which attackers are evolving their efforts is occurring at an unprecedented rate. In order to keep up with these evolving attacks, assessors must be able to determine what constitutes a vulnerability in their Web applications. This speaks directly to the power of the product. As used in this sense, “power” means accuracy as well as depth in vulnerability recognition, across the multiple technologies often integrated with modern Web applications. By extension, a potential buyer will likely want to purchase a solution that has a strong Research and Development (R&D) organization, as this is the area where product strength tends to be born.
• Comprehensive: In order to effectively implement application security processes and procedures,
an organization must be able to comprehensively highlight the issues. Factors considered in
weighing the comprehensive nature of a product include technology coverage and granularity
in managing the solution. In other words, the solution must effectively be capable of assessing
the highest level of issues technically feasible and the users must be able to leverage the issues
in management capabilities.
• Feature Rich: In considering which products were capable of handling the dynamic situations
that each assessment would run into, it is necessary to consider the features that each product
has. Feature rich solutions are inclusive of multiple features that allow users and power users alike
to purpose the products to meet their specific needs. This may or may not include a community
repository of plug-ins and code.
• Integrated: As was mentioned earlier, application security processes almost never work within silos. As a result, it is imperative that assessment capabilities integrate well with other technologies, including those purposed for application defense, quality management, network assessments, developer tools, and other technologies.
• Flexible: When a solution fails to adapt to the working processes of an organization, it may
not perform as expected, and ultimately may be rejected or shelved. Ineffective or difficult
implementations or deployments can be a death sentence to the usage of such technology. It is
therefore imperative that an organization select a solution with a deployment strategy that fits
their particular organization.
• Automated: The most effective method for conducting a WVA is to perform a full penetration
test against an application. However, this process is not scalable to large enterprises, nor can
most smaller companies afford the high costs of bringing in a third-party consultant to perform
these tests on a regular basis. It is therefore important that a solution can be automated, but still
include some capabilities for more specific or manual testing.
Evaluation Criteria
Defining evaluation criteria was a challenging task. The first question EMA asked was whether to
include system/network level vulnerability management solutions such as nCircle, Rapid7, and Qualys,
who all include a level of WVA capabilities in their product, but have not necessarily reached the level
of maturity that other industry leaders have. In the end, EMA decided that this report should be
focused directly on those market players who primarily or exclusively focus on Web application vulnerabilities. The inclusion of McAfee Secure is likely to be cited as an exception to this rule, since it is an
additional aspect to the company’s Foundstone portfolio. This product, however, has a specific focus
on WVA, and was therefore included. Furthermore, Secure tests a deeper level of application security
related issues than other system-level Vulnerability Management competitors.
The next question EMA asked was how many tools should be included. There is a very large number of WVA products available on the market today, but while many of those products are doing well (primarily due to the demand for WVA products), a large number of them have failed to catch the market’s attention. As a result, the major market players were selected based on market share. Other inclusion and exclusion criteria can be found below.
Inclusion Criteria
• Conducts Web application security assessments without access to the code (unless reverse
engineered or conducted through bytecode analysis).
• Maintains a broad coverage of Web application security-related issues inclusive of but beyond
the Open Web Application Security Project (OWASP) Top 10.
• Solution must perform Web application spidering.
• Vendor organization must maintain a level of research and development into Web application
vulnerabilities and how to assess them.
• Maintains a high level of market presence.
• Maintains industry recognized marketing capabilities.
• Maintains a large portion of market share.
Exclusion Criteria:
• Requires a third-party partnership to deliver black box application scanning.
• Does not comprehensively cover Web application security issues (e.g. limited to OWASP Top 10,
cross-site scripting [XSS], or SQL injection).
• Does not employ a significant Research and Development team.
• Does not maintain a high-level market presence.
• Lacks industry-wide recognizable marketing.
• Lacks the vendor strength to seem competitive in the radar.
Notable Exclusion:
n-Stalker, founded in 2000, has a mature and capable product. However, n-Stalker was not reviewed in
this report because the metrics used to score the Vendor Strength component of this analysis were not
deemed competitive with the other vendors reviewed.
Value Leader
The value leaders in the WVA market have products with the most extensible architectures and most complete feature sets while maintaining usability. These leading products balance a strong product with ease of install, ease of administration and reasonable price to provide the best overall value.
A combination of product integrations, product completeness, and focus on R&D make IBM Rational AppScan the sole WVA Value Leader. IBM Rational has set the standard for integrating acquired companies through their exemplary handling of the acquisition of Watchfire. Since acquiring Watchfire, IBM Rational has quickly developed a nearly complete solution that addresses Web application security at multiple levels in an enterprise. Furthermore, IBM Rational has maintained a high-level of focus on the security market with a strong focus on R&D that has included new capabilities to assess so-called “Web 2.0” technologies such as Asynchronous JavaScript and XML (AJAX) and Flash as well as SOA (Service Oriented Architecture) applications.
[Figure: The EMA RADAR™, Website Vulnerability Assessment Products. Axes: Cost Efficiency (Low, Medium, High) and Vendor Strength (gridlines at 75, 108, 142 and 175). Bands: Value Leader, Strong Value, Specific Value, Limited Value. Vendors plotted: IBM, HP, Cenzic, White Hat, NTO, McAfee, Acunetix.]
Strong Value
Strong value vendors deliver effective technology and offer competitive options.
HP WebInspect is the primary competitor to the IBM Rational AppScan product
suite. While HP’s WebInspect has some distinct advantages over the AppScan
product suite in the realm of WVA, HP has largely failed to match the strategic
vision of the IBM Rational portfolio. As a result, HP is at the crest of the Strong
Value vendor category and they have the potential to enter the Value Leader
category with more investment and a well thought-out vision.
Cenzic Hailstorm is an up-and-coming competitor in the market place. Although Cenzic lacks the
financial power and horizontal integrations boasted by IBM, HP, and McAfee, Cenzic has done very
well to assert itself in competitive engagements. Cenzic has taken a pure-play security approach to gain
market share in engagements where security is at the forefront of purchasing decisions.
WhiteHat Sentinel. WhiteHat is a Strong Value because of their capability to deliver an excellent
solution in WVA. WhiteHat is not a Value Leader primarily due to their inflexible product delivery
model (SaaS only) and the smaller market share currently held by WhiteHat. It must be noted that
assessing WhiteHat’s product offering is difficult from within the context of a radar report. While
WhiteHat does produce a product in their SaaS offering Sentinel, WhiteHat is more of a services firm.
In other words, the primary competitive differentiator for WhiteHat is that they support a scalable
model for manual testing of an organization’s applications.
McAfee Secure holds a very large portion of the market, and does an excellent job of meeting compliance
requirements. However, their solution lacks the low-level capabilities to address many of the new attack
vectors. Like WhiteHat, McAfee does not support a flexible model for product delivery.
NTOBJECTives NTOSpider has a very low-level technical focus that makes their product excellent as
an OEM solution. While NTO has done very well to enhance the capabilities of several horizontally
aligned products (e.g. TippingPoint IPS, eEye Retina, and Veracode), NTObjectives (NTO) has not
achieved recognition in the market or captured significant market share as they lack the capabilities of
the stronger competitors. NTO barely made it into the strong value category based on having a solid
technical foundation and strong integrations with other vendors. However, as NTO continues to lose
relevance in direct sales of their NTOSpider solution, NTO will continue to move towards the specific
value arena.
Specific Value
Specific value describes vendors whose products provide strong capabilities
in certain areas, but lack completeness or balance when considering product
strength with the cost to acquire and operate.
Acunetix Website Vulnerability Scanner (WVS) has a strong technology base; however, the delivery model is not flexible enough to meet most enterprise needs. Like McAfee and WhiteHat, Acunetix lacks flexibility, in this case in its licensing model, which may not appeal to all enterprise buyers. Acunetix is also limited by their product architecture, as they only make a desktop product, and this is not suited for large enterprises that require centralized control and reporting. This precludes Acunetix from addressing a significant portion of the market.
Exceptional Characteristics
To recognize exceptional characteristics in the Website Vulnerability Assessment market, the following
products have been highlighted:
IBM Rational AppScan
IBM Rational has largely altered the perception of what
was formerly Watchfire by introducing a large number of
new deployment options for IBM Rational customers. This
model currently includes a Desktop delivery solution, a Client/Server delivery solution,
a SaaS (“Software as a Service”) delivery solution and an appliance-based delivery
solution (through integration with IBM Internet Security Systems). The addition of the appliance-
based solution has largely separated IBM Rational from the rest of the field. The flexibility of these
products is significant for organizations seeking to implement Website vulnerability assessment across
their organization in diverse areas like development and security.
HP Application Security Center
R&D teams may release work directly into the product,
through industry publications, or other vectors that
contribute directly to the security community. This was a
difficult call as HP’s major contender, IBM, was capable of producing scanning solutions
for Web 2.0 applications faster and continued integration with IBM ISS X-Force shows
a great deal of promise. However, IBM is quite frankly too quiet about their findings. What separates
HP R&D from IBM is the fact that HP R&D not only conducts cutting-edge vulnerability analysis
and produces solutions for assessing those vulnerabilities, but the fact that they share their analysis
and solutions with the world. HP R&D leaders play a large role in the overall evangelization of HP’s
position on application security. Furthermore, they generate market awareness through the release of
freeware tools such as Scrawlr and SWFScan. At this point, the market needs evangelization as most
organizations still do not fully understand the issue. Alternatively, IBM’s application security R&D
team has historically been relatively quiet on the market evangelization front. The fact that IBM’s R&D
team has remained silent in this realm places them firmly in second while other firms such as WhiteHat
deserve an honorable mention as they evangelize aggressively but do not invest as much as HP into
the realm of research.
WhiteHat Security Inc.
WhiteHat Security Inc. currently produces the most mature SaaS model Website Vulnerability Assessment. The inclusion of services to verify all of their report findings has allowed WhiteHat to produce reports with little or no false positives. Furthermore, WhiteHat currently offers an appliance-based solution for conducting internal scans of Web applications. Other competitors have SaaS offerings but none of them have as mature a service oriented model as WhiteHat currently does. As a result, other competitors have begun to develop additional offerings modeled after WhiteHat’s. Finally, many could argue that McAfee is the leader in this space as they currently have the largest market share and an excellent integration with Foundstone; however, the overall power of McAfee’s solution must be taken into consideration. Because McAfee’s scanning technology is weaker and they do not have a service oriented model, WhiteHat is clearly the stronger SaaS offering.
Cenzic Hailstorm
All emerging technologies need their champions. In the
area of Website Vulnerability Assessment, those champions
are more typically security teams or security evangelists
within a business. It is therefore a major competitive differentiator for an organization
to maintain a heavy focus on security teams and their needs. Specific needs considered
include assessment engine capabilities, reporting granularity, and the ability to assist in assessment/
mitigation collaboration. Cenzic is the clear leader in producing products focused on meeting the
needs of security teams. Cenzic delivers a powerful solution with the granularity, reporting, and innova-
tions necessary for security teams to implement an effective process. IBM and HP have both begun
exploring and investing in system integration that may not diminish their products’ capabilities, but
certainly dilutes their organizational focus. As a result, WhiteHat is a runner-up in this category, due
largely to WhiteHat’s focus on replacing consultants as well as integrating into enterprise environments.
In comparison, Cenzic is specifically focused on delivering the best Website Vulnerability Assessment
product solutions to security teams, and it clearly shows in their products.
WhiteHat Security Inc.
WhiteHat partners with F5 to deliver a mixed-model Web Application Firewall (WAF). The fact that WhiteHat utilizes a service model in which humans verify vulnerability findings in a meaningful manner allows customers to be assured that the attacks their WAF are blocking are actually exploitable vulnerabilities and not false positives. Furthermore, the simplicity of using this technology is currently unrivaled in the market. The current runner-up is NTO through its partnership with TippingPoint; however, that technology is specifically focused on SQL injection, cross-site scripting, and PHP file include attacks, which does not comprehensively cover the scope of threats.
IBM Rational AppScan
While other organizations certainly have service offerings,
no one currently has Website Vulnerability Assessment
service offerings on the scale of IBM. IBM is capable
of combining its Internet Security Systems (ISS) X-Force with the Rational team to
conduct more high-quality penetration tests than anyone on the market. Furthermore,
IBM also has capabilities to host, assess, and remediate applications on a scale well-beyond that of
any of their competitors. HP could potentially compete in this category; however, until it unifies HP
Application Security Center and EDS efforts in a meaningful way, it will still be behind in this realm.
This is a significant issue for organizations seeking to totally outsource their application security
capabilities and operations.
HP Application Security Center
The HP Application Security Center (ASC) currently boasts a distinct integration with the market leader in application quality management, the company’s Business Technology Optimization (BTO) organization gained through the acquisition of the former Mercury. The combination of the two has allowed HP ASC to move more products to organizations which maintain a quality focus on their applications and wish to extend that focus to be inclusive of security. Other tools certainly integrate into HP’s BTO and former Mercury assets, but with the combination of HP’s WebInspect and QAInspect, both of which have WVA engines, HP has a clear advantage over their competitors.
McAfee Secure
McAfee currently boasts a SaaS solution that allows their
customers to scan for both Web application security
vulnerabilities and non-Web security vulnerabilities. The
inclusion of both of these technologies in an industry leading platform allows McAfee’s
target market to quickly and easily leverage the high-quality capabilities of their solution.
Runners-up include IBM ISS/IBM Rational, and NTO through its partnership with eEye. Both of
these solutions are strong alternatives; however, McAfee’s Foundstone recognition and leadership offer
a better up-sell opportunity for McAfee, who currently owns a larger space in the WVA market. This is
significant for customers who wish to specifically address section six of PCI compliance.
The EMA Radar Report™ Methodology
EMA defines criteria for the market to be evaluated and conducts primary research to develop a
list of vendors that meet these criteria. Initial product data is gathered through questionnaires and
vendor discussions. Basic data from relevant vendors is compiled into the EMA Solution Center for
the market evaluated.
EMA further defines a model client and uses this client perspective to conduct the Radar Report evaluation. The list of vendors included in the Solution Center is narrowed to a final list based on: 1) product fit for the model client; 2) customer feedback; and 3) EMA perception of market importance. Additional vendor/product data is collected through a combination of lab evaluations, demos, additional vendor discussions and/or interviews with reference clients.
Collected data is evaluated based on a weighted analysis of the market criteria from the perspective
of the model client. Evaluations are reviewed with vendors and adjusted as warranted to provide
an accurate view of the vendors and their offerings and strategies. Final scores generate a graphical
depiction of each vendor/product based on the following five key dimensions:
1. Ease of Deployment & Administration – This dimension rates vendors on start-up cost
and effort as well as ongoing operational cost and effort. Ease of Deployment is measured
by scoring implementation timeframe, support, professional services, training, and
auto-discovery factors. Ease of administration and automation of management are measured for
the Administration component.
2. Cost Advantage – Considering licensing models, price for license as well as maintenance costs,
this dimension scores products on their relative price advantage when compared to others in
the market. Low price, flexible licensing model and reasonable maintenance costs are awarded
the highest scores.
3. Architecture & Integration – This dimension assesses the strength and extensibility of the
core architecture as well as the ease of integration and availability of existing modules for
integration with other products.
4. Functionality – This dimension assesses the features of the products on a number of important
factors for the product category. Completeness of the product features as well as ease of use
are measured.
5. Vendor Strength – This dimension considers not just the vendor’s financial strength and
presence in the market, but also their vision, market credibility and partnerships/channels to
reflect their overall strength as a supplier.
Each of the five dimensions results in a score of 0 - 100, with the highest possible total vendor score
being 500.
To provide a market-wide comparison, this data is summarized by contrasting the Product Strength
against the Cost Efficiency of the products evaluated. Product Strength is the combined score for
Functionality and Architecture & Integration. Cost Efficiency is the combined score for Ease of
Deployment & Administration and Cost Advantage.
The EMA Radar Report represents EMA analysis of how certain vendors measure against criteria for
that marketplace, as defined by EMA. EMA does not endorse any vendor, product or services, and
does not advise technology users to select only those vendors placed in the “Value Leaders” category.
About Enterprise Management Associates, Inc.
Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that specializes in going “beyond the surface” to provide deep
insight across the full spectrum of IT management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry
best practices, and in-depth knowledge of current and planned vendor solutions to help its clients achieve their goals. Learn more about EMA research,
analysis, and consulting services for enterprise IT professionals and IT vendors at www.enterprisemanagement.com or follow EMA on Twitter.
This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of
Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice.
Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. “EMA” and “Enterprise Management
Associates” are trademarks of Enterprise Management Associates, Inc. in the United States and other countries.
©2009 Enterprise Management Associates, Inc. All Rights Reserved. EMA™, ENTERPRISE MANAGEMENT ASSOCIATES®, and the mobius
symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.
Corporate Headquarters:
5777 Central Avenue, Suite 105
Boulder, CO 80301
Phone: +1 303.543.9500
Fax: +1 303.543.7687
www.enterprisemanagement.com
1961-Summary.111709