Hewlett Packard's acquisition of Web applications security specialist SPI Dynamics on June 19 illustrates a growing demand among enterprise customers to have vulnerability-scanning tools integrated into their software development platforms.
Following closely behind IBM's June 6 acquisition of Watchfire, one of Atlanta-based SPI's closest rivals in the Web applications and software code-scanning space, the HP buyout highlights the rapidly emerging trend toward integration of security testing tools into the software development process.
HP, which acquired software development giant Mercury Interactive for $4.5 billion in cash in July 2006 in a move that greatly expanded its interests in the area, said that it plans to blend SPI's business and its 140-person staff into the software unit at its Technology Solutions Group, the division responsible for its server and storage products, as well as its IT consulting services.
In response to the growing threat of attacks on applications-level vulnerabilities, the company said, more customers than ever before are building security testing requirements into their development projects.
By folding applications security testing into its existing portfolio of tools, HP officials said, the company has added an increasingly strategic piece of the overall software development puzzle.
"This adds a new chapter to the applications side of the house; we think of applications and [IT] operations working together, and this adds the piece of security assessment from early on in the [software development] lifecycle all the way through to production," said Jonathan Rende, vice president of products for the Quality Management Software group at HP.
"This is a new dimension of that, that is so complementary because there is a whole set of users who are getting involved in security assessment in the lifecycle," Rende said on a conference call with media and analysts. "There are security experts who determine policies and prepare applications before they go live, but then there are also the developers and quality assurance professionals who need to ensure security before the applications go live."
In a research report published by market analysis firm Gartner in May 2007, industry experts said that by 2009, some 80 percent of major software development lifecycle vendors would offer source code security scanning tools as part of their platforms.
The research firm further said that 60 percent of IT organizations will have made vulnerability detection an integral part of their development process by 2010.
HP's move to buy SPI and IBM's acquisition of Watchfire provide tacit evidence that those predictions are already coming to pass, said Joseph Feiman, the Gartner analyst who authored the report.
"In a span of two weeks, two of the largest applications security companies have been acquired by development platform providers, which proves that users of those platforms understand that having applications security as a discipline is as important to them as network or operational security," said Feiman. "This is the part of security that is being built into applications by customers, and it should be an integral part of these [software development] platforms to allow them to do that work."
In addition to appeasing customers who are already calling for integrated applications security testing tools, the HP-SPI and IBM-Watchfire deals should increase the trend toward software developers making security auditing part of their everyday work, the analyst said.
SPI has been a longtime partner of HP, which has offered its tools as a package with its Mercury and OpenView software development products -- just as Watchfire had been selling its applications security products packaged with IBM's Rational code-authoring tools before getting snapped up by the firm.
Both platform providers' moves to bring security testing capabilities under their own control should benefit their individual marketing efforts and customers' development lifecycle plans, other analysts said.
"SPI had integration with Mercury from a partner standpoint, but that type of a relationship is never as tight as it is within a product suite produced by the same company, and SPI will now be able to take better advantage of HP's installed base of customers," said Dr. Chenxi Wang, analyst with Forrester Research.
"Mercury is the leader of the quality testing market, and customers are increasingly making vulnerability testing a part of that type of work, as opposed to an afterthought, so it makes a lot of sense for HP to make this type of deal," Wang said.