In the meantime Simmonds said that the chemicals behemoth will continue to seek out new SaaS security alternatives as they come to market.
Philippe Courtot, chief executive of Qualys, is recognized as one of the chief evangelists of security SaaS in general, just as Salesforce.com CEO Marc Benioff has become associated with pushing the hosted applications model into the enterprise software space.
Security SaaS becomes a new business model
However, with 37 Fortune 100 companies among its enterprise customers and a groundswell of interest from smaller firms driving what he labeled as rapid growth at the privately-held firm, Courtot claims that security SaaS is moving quickly from an emerging phenomenon into a widely-accepted business model.
"When we needed venture funding in 2001, no one wanted to back SaaS for the enterprise in general, but the time when we needed to evangelize security SaaS for customers of any size is pretty much over, it's becoming commonplace," Courtot said. "People don't have technical or financial resources to deploy traditional on-premise solutions. They're being told to reduce cost and do a better job of securing their operations, all of which works in our favor."
As an example of the economies of scale offered by security SaaS technologies, Courtot said his company recently completed a roll-out of its services to a global auto manufacturer covering vulnerability testing for 180 different applications operated in 65 different countries -- in less than three months. Addressing the same applications scanning project using on-premise tools would have taken years, he said.
Qualys counts Nissan Motors and DaimlerChrysler among its automotive clients.
"What is driving security SaaS are a few simple reasons: At the low end of the market, companies don't need IT people to do the work, and at the high-end, CIOs are being pressured to reduce costs and have fewer security incidents," Courtot said.
"In the past, you had security people doing the perimeter work, and you can still build that infrastructure," he said. "But as soon as you move to protect a company from the inside, to provide defense in depth as is needed, the degree of difficulty is beyond even the most sophisticated companies."
Other security SaaS advocates point to pricing and delivery advantages of the model as drivers of continued adoption of the tools.
Veracode CEO Matt Moynahan said that one of the biggest selling points of his company's binary code analysis service is the fact that customers only pay for the tests that they run using its hosted testing engine and that they don't pay for the upgrades to the service that his company is constantly working on.
"We're trying to blur the line between broken pricing models, a lot of our rivals price by the number of lines of code they're scanning or charge per CPU, but we allow companies to simply give us a URL where their binary code is and we only test that, and it doesn't matter what type of scan or test is involved, it's all part of the subscription," he said.
While Veracode, only launched in January 2007, it has signed on several major customers, including one of the world's largest networking companies and a large Canadian ISP, said Moynahan. He estimates that the SaaS model allows the firm to undercut its competitor's prices by anywhere from 20 to 40 percent.