by David Holmes
In New Zealand, one enterprising software-as-a-service (SaaS) firm has hit upon a successful business model by offering customers web application security from the cloud for the enticing sum of only $1,000 (NZ) per year per site. Even though Australia and New Zealand are both hotbeds of global hacker activity, the market for application security for New Zealand’s four million inhabitants is in its infancy, which raises the question: Does the aggressive pricing model signal a plan to secure the new market, or will it just lay the foundation for a race to the bottom down under?
North of the equator, web application security from the cloud is nothing new. For example, WhiteHat Security has been providing vulnerability scanning in the United States since 2001. In Europe, it has been Qualys, among others. Some vendors have offered scanning appliances but the trend has been to execute the vulnerability scanning from the cloud. Being based in the cloud means scanning technology can be improved rapidly without requiring a software push down to the appliance. And by scanning from outside the customer’s security perimeter, the scanners evaluate the very same threat surface that a would-be attacker is probing.
Once the scanning has been completed, a report can be pushed from the cloud to the web application firewall (WAF) appliance at the customer’s site perimeter. No vendor yet provides both a cloud-based vulnerability scanner and a WAF, but thanks to XML-formatted scanner reports, integration between scanners and WAFs works well even across different vendors.
Yet none of the major scanning vendors has penetrated the small New Zealand market, leaving an opportunity for the small local firm to secure the market as it matures.
A typical customer in New Zealand is a state or local agency with several websites at a hosting provider. The sites provide agency services via a web front end over a back-end database. Global compliance drivers are forcing customers like these to secure their services, yet many are struggling.
Security resources are already at a premium globally. Unemployment among security professionals in the United States, for example, is only one percent. Faced with this manpower deficit, the more mature security markets such as the United States and Europe have made significant progress in recruiting security-aware people into the white-hat professional workforce. In Australia and New Zealand, this recruitment has not been as successful, and security-aware youth have turned to hacking instead of joining the security profession. Until that imbalance is corrected, security manpower down under will remain scarcer than elsewhere in the world.
Making matters worse, for the small state agency website, the back-end database behind its government web services is often a legacy system. These databases can have known vulnerabilities, yet they cannot be upgraded for anything less than millions of dollars. With a static budget, an expensive database upgrade that provides insignificant business value makes little sense for the small state agency.
Theoretically, any global firm with talent to integrate scanning and WAF technology could be taking advantage of these factors with a local sales force in New Zealand. Yet none of the global players have made the investment so the New Zealand SaaS application security firm continues signing up customers as fast as it can integrate them. When faced with that choice of spending $2 million to upgrade a legacy back-end database server, or $20,000 a year to protect all the sites that use it, the agencies are opting for the “virtual patch” from the cloud.
With such a target-rich environment of customers, another competitor may eventually step into the New Zealand market. To lure business away from the current firm, it would have to offer even lower prices to get established. Will the rule of “you get what you pay for” result in a race to the bottom in application security quality in New Zealand?
Fortunately, there’s another metric besides price that customers can use to evaluate a SaaS-based application security vendor: false positive rate. Web application security services provide the best user experience when they are invisible to the normal user. False positives degrade a user’s experience because the user can’t access the service. Degraded customer experience is usually quite visible and requires manual intervention by the site operator. A web application security customer can therefore track false-positive security events to evaluate the performance of the application security service.
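The scanner-to-WAF “virtual patch” flow described earlier, together with the false-positive tracking suggested here, as added example code (not F5’s, not any vendor’s product or report format). The XML report layout, the rule shape, the signatures and the sample traffic are all constructed assumptions for illustration.

```python
"""Turn constructed scanner findings into virtual-patch rules, apply them
to requests, and measure the false-positive rate against labelled traffic."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed scanner report (assumed layout): one finding per vulnerable parameter.
SCAN_REPORT = """<scan site="https://agency.example.nz">
  <finding type="sqli" path="/records" param="id"/>
  <finding type="xss" path="/search" param="q"/>
</scan>"""

# Deliberately narrow defender-side signatures keyed by finding type (assumed).
SIGNATURES = {
    "sqli": re.compile(r"['\"]\s*(or|and|union)\b|--", re.I),
    "xss": re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
}

def rules_from_report(xml_text):
    """Each <finding> becomes a virtual-patch rule: (path, param, pattern)."""
    root = ET.fromstring(xml_text)
    return [(f.get("path"), f.get("param"), SIGNATURES[f.get("type")])
            for f in root.iter("finding") if f.get("type") in SIGNATURES]

def blocked_by(rules, url):
    """Return the ids of the rules that would block this request (empty = allowed)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    return [f"{path}:{param}" for path, param, pattern in rules
            if parts.path == path
            and any(pattern.search(v) for v in query.get(param, []))]

def false_positive_rate(rules, labelled_requests):
    """labelled_requests: (url, is_legitimate). Rate = blocked legitimate / legitimate."""
    legit = [url for url, ok in labelled_requests if ok]
    blocked = sum(1 for url in legit if blocked_by(rules, url))
    return blocked / len(legit) if legit else 0.0

# Constructed traffic sample labelled by the site operator: True = legitimate user.
TRAFFIC = [
    ("https://agency.example.nz/records?id=42", True),
    ("https://agency.example.nz/search?q=onboarding = done", True),  # tripped by on\w+=
    ("https://agency.example.nz/search?q=rates", True),
    ("https://agency.example.nz/records?id=1' OR 1=1", False),
]

if __name__ == "__main__":
    rules = rules_from_report(SCAN_REPORT)
    for url, _ in TRAFFIC:
        print(url, "->", blocked_by(rules, url) or "allowed")
    print("false-positive rate:", false_positive_rate(rules, TRAFFIC))
```

The second legitimate request is blocked by the over-broad XSS pattern, which is exactly the kind of event the site operator would log and hold the vendor to.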
Until that competition steps in, it’s boom times for that small New Zealand firm. The business dynamics of application security activity such as compliance initiatives (PCI-DSS), budget pressure, legacy systems, and scarce security resources are likely playing out in similar small markets around the globe.
David Holmes is the technical marketing manager at F5 Networks (Seattle, WA). www.f5.com