HP-SPI deal underscores apps security integration

As attacks on applications-level vulnerabilities increase, more enterprises are integrating security testing apps into their software development -- often via acquisition

Hewlett Packard's acquisition of Web applications security specialist SPI Dynamics on June 19 illustrates a growing demand among enterprise customers to have vulnerability-scanning tools integrated into their software development platforms.

Following closely behind IBM's June 6 acquisition of Watchfire, one of Atlanta-based SPI's closest rivals in the Web applications and software code-scanning space, the HP buyout highlights the rapidly emerging trend toward integration of security testing tools into the software development process.

HP, which acquired software development giant Mercury Interactive for $4.5 billion in cash in July 2006 in a move that greatly expanded its interests in the area, said that it plans to blend SPI's business and its 140-person staff into the software unit at its Technology Solutions Group, the division responsible for its server and storage products, as well as its IT consulting services.

In response to the growing threat of attacks on applications-level vulnerabilities, the company said, more customers than ever before are building security testing requirements into their development projects.

By folding applications security testing into its existing portfolio of tools, HP officials said, the company has added an increasingly strategic piece of the overall software development puzzle.

"This adds a new chapter to the applications side of the house; we think of applications and [IT] operations working together, and this adds the piece of security assessment from early on in the [software development] lifecycle all the way through to production," said Jonathan Rende, vice president of products for the Quality Management Software group at HP.

"This is a new dimension of that, that is so complementary because there is a whole set of users who are getting involved in security assessment in the lifecycle," Rende said on a conference call with media and analysts. "There are security experts who determine policies and prepare applications before they go live, but then there are also the developers and quality assurance professionals who need to ensure security before the applications go live."

In a research report published by market analysis firm Gartner in May 2007, industry experts said that by 2009, some 80 percent of major software development lifecycle vendors would offer source code security scanning tools as part of their platforms.

Gartner further said that 60 percent of IT organizations will have made vulnerability detection an integral part of their development process by 2010.

HP's move to buy SPI and IBM's acquisition of Watchfire provide tacit evidence that those predictions are already coming to pass, said Joseph Feiman, the Gartner analyst who authored the report.

"In a span of two weeks, two of the largest applications security companies have been acquired by development platform providers, which proves that users of those platforms understand that having applications security as a discipline is as important to them as network or operational security," said Feiman. "This is the part of security that is being built into applications by customers, and it should be an integral part of these [software development] platforms to allow them to do that work."

In addition to appeasing customers who are already calling for integrated applications security testing tools, the HP-SPI and IBM-Watchfire deals should increase the trend toward software developers making security auditing part of their everyday work, the analyst said.

SPI has been a longtime partner of HP, which has offered SPI's tools as a package with its Mercury and OpenView software development products -- just as Watchfire had been selling its applications security products packaged with IBM's Rational code-authoring tools before being snapped up by that firm.

Both platform providers' moves to bring security testing capabilities under their own control should benefit their individual marketing efforts and customers' development lifecycle plans, other analysts said.

"SPI had integration with Mercury from a partner standpoint, but that type of a relationship is never as tight as it is within a product suite produced by the same company, and SPI will now be able to take better advantage of HP's installed base of customers," said Dr. Chenxi Wang, analyst with Forrester Research.

"Mercury is the leader of the quality testing market, and customers are increasingly making vulnerability testing a part of that type of work, as opposed to an afterthought, so it makes a lot of sense for HP to make this type of deal," Wang said.


One of the most significant benefits of adding SPI in particular is that it has both Web applications inspection and source code scanning tools in-house in the form of its WebInspect and DevInspect product lines respectively, along with its own QAInspect quality assurance tools, said the analyst.

SPI's combination of code and applications analysis software may give HP an advantage over its rivals, including IBM, Wang said. She characterized Watchfire's forte as pure Web applications assessment -- work typically done by quality assurance testers -- rather than technologies built specifically for use by applications developers.

"HP has a commitment to pushing this type of security technology deeper into the development lifecycle; integrating with Mercury now makes a lot of sense to their long-term vision," said Wang -- who has worked previously for the HP Labs research group as an independent consultant. "Having SPI's development-phase tools may give HP a leg up over IBM-Watchfire; HP wants to be selling these types of tools directly to developers, not QA testers."

According to a report issued earlier this month by the National Institute of Standards and Technology, a federal agency that develops technology standards, some 92 percent of all IT security vulnerabilities exist in software applications, which Wang cited as an "astounding" figure.

With customers clamoring for a way to reduce their risk to such issues, HP and IBM have seen the business opportunity and moved to address it, she said.

Other industry watchers noted that it will become increasingly difficult for standalone applications security providers to compete with the tools being integrated by companies with powerful development arms like HP and IBM.

SPI Chief Executive Brian Cohen said he believes it will be hard for such companies to compete in light of the demand for integration with development platforms.

To highlight the point, the CEO alluded to the fact that it may have been tough for SPI to maintain its partnership with IBM -- with which its products have also been packaged for sale -- in light of the Watchfire deal.

"Our belief was that the ultimate success of SPI would be to see our technology integrated into a broadly distributed platform sold to software developers, and it is clear that organizations such as HP feel the same way," Cohen said. "I don't see a standalone business long-term without integration for these types of technologies."

However, officials with SPI rivals like Cenzic said that while security testing is being built into the software development process, there are still millions of applications already in production that will need vulnerability assessment tools that aren't tied to one development platform or another.

"There are 50 to 100 million Web applications out there, and less than one percent is being tested for security vulnerabilities, so the scope of the opportunity is still huge outside of development," said Mandeep Khera, vice president of marketing for Cenzic. "Everyone in this industry has been hoping to have developers and quality assurance groups buying our products, but that's not really happening yet; there has been a big movement with more people budgeting for these tools over the last nine months, but there's still a long way to go."

Cenzic has existing relationships with both HP and IBM, and Khera said that he believes the firm will be able to continue to market itself to those companies' customers, in particular those that use both development platforms or want to keep applications security testing as a separate process.

HP officials said that the SPI buyout will not preclude it from continuing to work with its other existing vulnerability assessment partners.

While Khera said that there may come a time when Cenzic considers a sale to a larger software development or security player if the timing is right, the executive maintains that his company has no immediate plans to begin marketing itself for acquisition.

However, some industry watchers see the HP-SPI and IBM-Watchfire deals as a sure sign that additional consolidation is on tap across the applications security and software quality assurance segments.

"The game isn't over; there will probably be a few more acquisitions as the securing of applications is becoming a function of applications development, so it's likely that development platforms and tool suites become the home for more of these products and companies," said Jon Oltsik, analyst with Enterprise Strategy Group.

"It's hard to sell security testing tools after-the-fact. Customers and vendors really do want to introduce this into initial sale of development tools, it broadens your portfolio if you're HP or IBM, and you can push security up as a priority to developers," he said. "These companies had a tough time selling their tools as standalone products, and as a result, I'd expect to see more of these deals."