Skip to main content

Security and Software as a Service (SaaS)

Interesting:

Features sell. Period. Under the SaaS model, software manufacturers add features incrementally and on-demand to satisfy client requests as well as remain competitive. This sounds like a good thing to both buyers and manufacturers. It is not, at least not under the current market circumstances.

The market incentive for software manufacturers is to add as many features as possible because features are part of the beauty contest among software applications. Security is not.

This means SaaS applications are guaranteed to have a continuous and relentless stream of ad-hoc features (over an above the rate at which features are added to their multi-instance cousins) each of which add more complexity to the application and the likelihood that one or more of those features contains a bug (at best) or a vulnerability (at worst).

Features then, are the distinguishing element among software manufacturers, SaaS or otherwise. So low-quality, feature-rich software tends to dominate, driving higher-quality, secure software from the market.

There is really no such thing as a "final release" in SaaS, making SaaS a particularly dangerous form of software. Features, and therefore potential vulnerabilities, tend to dominate. As such, buyers will never be free from acting as crash test dummies for the manufacturer (and paying handsomely for the privilege).

Link here (opens in new tab).

Alex is a technology CEO, with leadership, operating partner, investor, and board member roles at security firms including AutoLoop, Borland, Quarterdeck (now Symantec and Cisco WebEx), GFI/TeamViewer, Sunbelt Software (now ThreatTrack Security), BlueStripe Software, StopBadware, Knowbe4, Malwarebytes, and Runaware Holding AB. When CEO of Sunbelt he ran a security blog, and he still writes on security.