HP-SPI deal underscores apps security integration

As attacks on applications-level vulnerabilities increase, more enterprises are integrating security testing apps into their software development -- often via acquisition

One of the most significant benefits of adding SPI in particular is that it has both Web applications inspection and source code scanning tools in-house in the form of its WebInspect and DevInspect product lines respectively, along with its own QAInspect quality assurance tools, said the analyst.

SPI's combination of code and applications analysis software may give HP an advantage over its rivals, including IBM, Wang said, as she cited Watchfire's forte as based in pure Web applications assessment -- work typically done by quality and assurance testers -- not in technologies built specifically for use by applications developers.

"HP has a commitment to pushing this type of security technology deeper into the development lifecycle, integrating with Mercury now makes a lot of sense to their long-term vision," said Wang -- who has worked previously for the HP Labs research group as an independent consultant. "Having SPI's development-phase tools may give HP a leg-up over IBM-Watchfire; HP wants to be selling these types of tools directly to developers, not QA testers."

According to a report issued earlier this month by the National Institute of Standards and Technology, a federal agency that develops technology standards, some 92 percent of all IT security vulnerabilities exist in software applications, which Wang cited as an "astounding" figure.

With customers clamoring for a way to reduce their risk to such issues, HP and IBM have seen the business opportunity and moved to address it, she said.

Other industry watchers noted that it will become increasingly difficult for standalone applications security providers to compete with the tools being integrated by companies with powerful development arms like HP and IBM.

SPI Chief Executive Brian Cohen said he believes it will be hard for such companies to compete in light of the demand for integration with development platforms.

To highlight the point, the CEO alluded to the fact that it may have been tough for SPI to maintain its partnership with IBM -- with whom its products have also been packaged for sale and consumption -- in light of the Watchfire deal.

"Our belief was that the ultimate success of SPI would be to see our technology integrated into a broadly distributed platform sold to software developers, and it is clear that organizations such as HP feel the same way," Cohen said. "I don't see a standalone business long-term without integration for these types of technologies."

However, officials with SPI rivals like Cenzic said that while security testing is being built into the software development process, there are still millions of applications already in production that will need vulnerability assessment tools that aren't tied to one development platform or another.

"There are 50 to 100 million Web applications out there, and less than one percent is being tested for security vulnerabilities, so the scope of the opportunity is still huge outside of development," said Mandeep Khera, vice president of marketing for Cenzic. "Everyone in this industry has been hoping to have developers and quality assurance groups buying our products, but that's not really happening yet; there has been a big movement with more people budgeting for these tools over the last nine months, but there's still a long way to go."

Cenzic has existing relationships with both HP and IBM, and Khera said that he believes the firm will be able to continue to market itself to those companies' customers, in particular those firms who use both development platforms or want to keep applications security testing as a separate process.

HP officials said that the SPI buyout will not preclude it from continuing to work with its other existing vulnerability assessment partners.

While Khera said that there may come a time when Cenzic considers a sale to a larger software development or security player if the timing is right, the executive maintains that his company has no immediate plans to begin marketing itself for acquisition.

However, some industry watchers see the HP-SPI and IBM-Watchfire deals as a sure sign that additional consolidation is on tap across the applications security and software quality assurance segments.

"The game isn't over; there will probably be a few more acquisitions as the securing of applications is becoming a function of applications development, so it's likely that development platforms and tool suites become the home for more of these products and companies," said Jon Oltsik, analyst with Enterprise Strategy Group.

"It's hard to sell security testing tools after-the-fact. Customers and vendors really do want to introduce this into initial sale of development tools, it broadens your portfolio if you're HP or IBM, and you can push security up as a priority to developers," he said. "These companies had a tough time selling their tools as standalone products, and as a result, I'd expect to see more of these deals."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
CSO WANTED
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about BillionCenzicForrester ResearchGartnerHewlett PackardHewlett-Packard AustraliaHPIBM AustraliaLeaderLeaderMercury GroupWangWatchfire

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Brand Page

Stories by Matt Hines

Latest Videos

More videos

Blog Posts