The Daily Dose: Security SaaS struts its stuff

Veracode co-founder and chief technology officer Chris Wysopal says there are signs all over the RSA Conference 2007 show floor that software as a service is finally being recognized within the information security community.

Editor's note: Information security expert Chris Wysopal, co-founder and chief technology officer of security firm Veracode Inc., is contributing to's special coverage of RSA Conference 2007. His column will appear daily throughout the conference.

Today I took some time to look at the different vendor booths on the expo floor. One thing I noticed was software as a service (SaaS) has made its way to the security world at RSA this year. (Disclosure: my company, Veracode Inc., offers on-demand automated application security reviews over the Web.) Qualys is promoting its SaaS model, which it has been at for a while, but now there are some new players in different fields.

Cloudmark, the antispam company, has zero-hour AV blocking, based on their customer base marking attachments as bad. A model like this only works when you have a service running in a data center. I think we are going to see more intelligent security products by harnessing the intelligence of end users or end nodes across many customers. To some extent all AV companies do this, but Cloudmark has brought a new level of automation and connectivity to bear.

Voltage Security is offering software-as-a-service email encryption. I have been disappointed at the uptake of email encryption, which has been around for ages, by the average user. The SaaS model makes many types of software easier to use and it looks like this may be a solution to the usability problem surrounding email encryption.

Qualys CEO Philippe Courtot spoke earlier this week extolling the virtues of SaaS in the security domain, and I agree. Much of security technology is unnecessarily complex and SaaS is a way to keep the complexity away from the user. Customers want simple interfaces and they don't want to install a lot of software.

The other big benefit of SaaS in the security space that I see is the way a customer can get value out of the anonymized data that other customers create in the system. When I was a consultant, customers would always ask me, "How am I doing compared to my peers or the world as a whole?" With the shared infrastructure of a SaaS provider, those questions can be answered. Increased data sharing helps everyone.
