There are two fronts in the war on application security -- the software development life cycle (SDLC) and the production environment. Two industry giants -- IBM and HP -- recently made the first moves.
With the announcements of IBM's intention to acquire Web application testing player Watchfire Corp. and HP's intention to buy SPI Dynamics, it appears consolidation of the market may be under way. Diana Kelley, vice president and service director at the Burton Group, based in Midvale, Utah, had expected the consolidation to have started earlier, though.
"I had expected to see more movement, then we had two acquisitions, boom, boom," she said. "I think we may see security folks moving on it, such as Symantec, McAfee, CA. Certainly one of those vendors could say application security is a critical component, or buy or develop one or more [products], but it's more likely they'd buy than develop."
Although Web application security has received a lot of attention over the past few years, the purchase of these standalone testing tools is "a huge data point," Kelley said. Compliance with the Payment Card Industry (PCI) Data Security Standard is also helping to drive the market, she said.
Penetration testing tools such as those offered by Watchfire and SPI are but one leg of what Kelley in a recent blog entry dubbed the application security "trifecta," which also includes static source code analysis tools and Web application firewalls. Although it is likely the market will consolidate there as well, Kelley said vendors "focusing very tightly on risk may continue down that path until 2008."
For Santa Clara, Calif.-based Cenzic, an application security assessment and risk-management solution provider and competitor to Watchfire and SPI Dynamics, the acquisitions are a huge validation for the application security market. "We believe this is a good thing for us," said Mandeep Khera, vice president of marketing at Cenzic.
There are two theories about the application security market, Khera continued. "Should it fit in the SDLC? That's what HP and IBM are going to do. We believe testing early in the life cycle is good, and we've integrated with HP and Borland."
At the same time, he said, statistics have shown that a vast majority of deployed applications have security vulnerabilities. "Our solutions are geared toward both [the SDLC and security sides]," Khera said.
Like Kelley, Khera also expects the security players to get involved. "Think about the [potential] suitors," he said. "On the SDLC side you have Microsoft and Compuware; on the security side you have Symantec/VeriSign/McAfee -- at some point some will probably start approaching [vendors]."
Khera said products like Cenzic's "belong more on the security side. The problem is huge on the production side. It does need to be addressed on both sides, but I think the security guys can make a much bigger market out of this."
Asked if Cenzic will be the next to be acquired, Khera said the company has not said it is for sale. However, "at some point it might make sense; at any point if it has a huge value for shareholders we will have to say yes."
Increasing awareness for static analysis tools
For Fortify Software Inc., best known for its static source code analysis tool, the impending IBM/HP acquisitions could bring more awareness of the need for products like Fortify's, said Roger Thornton, founder and chief technology officer of the Palo Alto, Calif.-based company.
"Inside a lot of companies you have a hacking team; that group of people is who utilizes SPI, Watchfire, Cenzic, WhiteHat Security," Thornton said. "That part of the market is important; if they weren't proving there was a problem, nothing would be going on in the software world. Fortify is behind those companies as they equip the user base; we have solutions to bring in the development team to fix the problem."
Still, Thornton said, only a small percentage of companies are actively addressing application security today, but with heavyweights like IBM and HP getting involved, awareness could improve.
"Having HP and IBM in that compliance and application assurance market should really ignite [it]; they will be able to reach the next tier of companies and build this awareness that the software we're running has problems. We expect our growth to follow suit," he said.
Burton's Kelley said IBM and HP could buy static code analysis tools as well. But Thornton said these products are typically used by different groups currently.
"Do pen testing and code-oriented products work together? They do, but they're used by different constituents in a company," he said. "Some of the security team uses our code review product during pen testing, but the majority of sales are to development organizations whose code will later be pen tested, and the use of pen testing products by coders and QA people is very limited."
Yet Thornton acknowledges that his segment of the market may eventually be a target for acquisition. "Mercury/Rational, would they want to consume our product line? My guess is at some point they probably will; we're partners with all of them," he said. However, Thornton raised the point that the platform players may not offer the broad support that a best-of-breed tool can provide.
"Security is a very horizontal problem," he said. "Say Microsoft did a good job solving security for its developers. That's great if you're 100% Microsoft, but most organizations have Java, .NET, Eclipse, etc. Having one vendor that takes care of the security problem and supports all platforms gives a big advantage. So we talk with those other companies every day, and there's no intent on our part to sell the company, yet everyone's got a price."