Editor's note: Information security expert Chris Wysopal, co-founder and chief technology officer of security firm Veracode Inc., is contributing to SearchSecurity.com's special coverage of RSA Conference 2007. His column will appear daily throughout the conference.
Today I took some time to look at the different vendor booths on the expo floor. One thing I noticed was software as a service (SaaS) has made its way to the security world at RSA this year. (Disclosure: my company, Veracode Inc., offers on-demand automated application security reviews over the Web.) Qualys is promoting its SaaS model, which it have been at for a while, but now there are some new players in different fields.
Voltage Security is offering software-as-a-service email encryption. I have been disappointed at the uptake of email encryption, which has been around for ages, by the average user. The SaaS model makes many types of software easier to use and it looks like this may be a solution to the usability problem surrounding email encryption.
Qualys CEO Philippe Courtot spoke earlier this week extolling the virtues of SaaS in the security domain, and I agree. Much of security technology is unnecessarily complex and SaaS is a way to keep the complexity away from the user. Customers want simple interfaces and they don't want to install a lot of software.
The other big benefit of SaaS in the security space that I see is the way a customer can get value out of the anonymized data that other customers create in the system. When I was a consultant, customers would always ask me, "How am I doing compared to my peers or the world as a whole?" With the shared infrastructure of a SaaS provider, those questions can be answered. Increased data sharing helps everyone.