Providers of applications security testing tools say business is taking off, as more customers are building such capabilities into their development lifecycles and large platform providers have picked off some of their closest rivals.
When IBM and HP purchased two of the leading applications security specialists in the space of several months in mid-2007 - acquiring Watchfire and SPI Dynamics, respectively - other vendors in the space predicted they would also benefit from the exposure and shift in the competitive landscape.
Less than one year after the acquisitions, some customers and industry analysts agree that independent security testing providers are making hay as high-profile data leaks, compliance measures, and ceaseless malware attacks at the applications level push businesses to place greater emphasis on security testing tools.
While IBM and HP work to integrate the acquired technologies into their broader software development platforms - and try to affect a significant change in the way developers secure their code - IT security teams and software quality assurance (QA) specialists are still investing in the offerings of standalone providers such as Cenzic, Fortify, Ounce Labs, and WhiteHat.
"Right now most of the buying in this space is still being done by information security teams. Some companies are testing during QA, but developers are still too busy to do testing," said Mandeep Khera, vice president of marketing at Cenzic. "The idea that we remain focused on product innovation appears to be resonating with customers. They know that we're totally committed to this market, whereas for these other guys it's just a drop in the bucket as they move to integrate [these capabilities] into their development platforms."
Cenzic and WhiteHat's web applications testing tools are used to search for vulnerabilities in applications that have already gone live. But companies like Fortify and Ounce, which provide technology used primarily to scour code before it goes into production, say that they are experiencing similar growth.
"Companies are looking at integrated testing, which will be a smart way to approach things when the products are ready. IBM and HP will be tough competitors, but we're still seeing that customers want these technologies from providers that are purely focused on testing," said Roger Thornton, chief technology officer at Fortify.
"Companies know they need to apply many different types of code analysis and testing tools to approach the entire applications security process from a risk management perspective. While that concept is still relatively new, we're seeing growth in demand for our products," Thornton said.
At least one of Fortify's customers indicated that even once IBM and HP have finished integrating security testing into their development platforms, many companies will still look to independent providers to handle a good deal of the work. "I really think there will be a place for these companies. I'm concerned with seeing large vendors buy some of these tools and just let them evaporate. These other players are focused purely on security," said Grant Bourzikas, director of information security at online trading firm Scottrade.
"For these [independent providers], this is their number one bread-and-butter product, and I see better products coming out of them in the future," Bourzikas said. "That's not to say that IBM and HP don't have great products, but I don't think the same emphasis is being placed on the technology today as when these were standalones; for this type of work, I want a company focused on security, versus someone more concerned with selling me storage or services."
HP executives conceded that large, diversified IT vendors haven't always kept their promises to stay committed to the products they acquire. They said their long-term goal is to make SPI's web applications tools an integral piece of the company's Mercury development platform.
But in the meantime, HP is seeing continued growth in demand for SPI's existing technologies, and executives said the company will continue to market the tools in a standalone fashion.
"It's true that acquisitions sometimes don't work out as promised, but we are totally committed to furthering SPI while we integrate the technology into the development process," said Chris Whitener, chief strategist of the Secure Advantage business at HP. "Clearly our vision is that security testing will become a requirement of software developers, but there's a market for these products as they exist today, and we're still seeing strong demand."
Industry analysts said the process of driving security testing deeper into the development lifecycle remains nascent, while predicting that it may very well become the norm in the future.
However, there should be opportunities for both the independent providers and for their larger rivals as applications security continues to prove itself as a growth market, said Paul Roberts, an analyst with the 451 Group.
"Whenever big acquisitions happen, you always hear the business model validation argument from those left standing. I don't disagree that it's taking a long time for HP to fully digest SPI, and it's the same with IBM and Watchfire," Roberts said. "And even when they do, there's likely still a role for stand-alone tools at later points in the development cycle."
The analyst pointed out that the move to push security responsibilities onto developers may not be welcomed by some of those highly sought-after professionals.
"The larger question is, will there always be a role for smaller venture-funded companies to provide [applications security testing], or will it also get rolled up into larger diversified companies selling the development platforms," said Roberts.
"Both arguments are right, and it's not a zero-sum game; clearly HP and IBM bought those companies because they see a need for testing to move down the chain. But people who say that most code-writing shops aren't there yet are right, and there's also a dearth of development talent out there," he said.