Security SAAS becomes a new business model
However, with 37 Fortune 100 companies among its enterprise customers and a groundswell of interest from smaller firms driving what he labeled as rapid growth at the privately-held firm, Courtot claims that security SAAS is moving quickly from an emerging phenomenon into a widely-accepted business model.
"When we needed venture funding in 2001, no one wanted to back SAAS for the enterprise in general, but the time when we needed to evangelize security SAAS for customers of any size is pretty much over, it's becoming commonplace," Courtot said. "People don't have technical or financial resources to deploy traditional on-premise solutions. They're being told to reduce cost and do a better job of securing their operations, all of which works in our favor."
As an example of the economies of scale offered by security SAAS technologies, Courtot said his company recently completed a roll-out of its services to a global auto manufacturer covering vulnerability testing for 180 different applications operated in 65 different countries -- in less than three months. Addressing the same applications scanning project using on-premise tools would have taken years, he said.
Qualys counts Nissan Motors and DaimlerChrysler among its automotive clients.
"What is driving security SAAS are a few simple reasons: At the low end of the market, companies don't need IT people to do the work, and at the high-end, CIOs are being pressured to reduce costs and have fewer security incidents," Courtot said.
"In the past, you had security people doing the perimeter work, and you can still build that infrastructure," he said. "But as soon as you move to protect a company from the inside, to provide defense in depth as is needed, the degree of difficulty is beyond even the most sophisticated companies."
Other security SAAS advocates point to pricing and delivery advantages of the model as drivers of continued adoption of the tools.
Veracode CEO Matt Moynahan said that one of the biggest selling points of his company's binary code analysis service is the fact that customers only pay for the tests that they run using its hosted testing engine and that they don't pay for the upgrades to the service that his company is constantly working on.
"We're trying to blur the line between broken pricing models, a lot of our rivals price by the number of lines of code they're scanning or charge per CPU, but we allow companies to simply give us a URL where their binary code is and we only test that, and it doesn't matter what type of scan or test is involved, it's all part of the subscription," he said.
While Veracode, only launched in January 2007, it has signed on several major customers, including one of the world's largest networking companies and a large Canadian ISP, said Moynahan. He estimates that the SAAS model allows the firm to undercut its competitor's prices by anywhere from 20 to 40 percent.
Longtime security software market leader Symantec has announced that it has already begun the work to create a SAAS iteration of nearly every one of its products. Company officials said that as the security giant goes through the transition it is gathering feedback from existing customers and trying to gauge the best opportunities for SAAS over the next several years.
"Any technology evolution like this has its early adopters, and then once there are enough proof points, people start to adopt them more broadly, but we're already seeing increased interest from customers of all sizes," said Chris Schin, director of product management for Symantec's hosted Symantec Protection Network.
"I don't think that the time is here for certain enterprises, and some may never embrace SAAS, and for securing and scanning the endpoint, we'll always likely see tools at the endpoint," he said. "But there will be a time when I think all enterprises at least consider SAAS for some operations and that this time may be coming soon; adoption does seem to be picking up speed as, opposed to some other highly-hyped technologies, the promise of SAAS appears to be backing up the hype."