Providers of applications security testing tools say business is taking off, as more customers are building such capabilities into their development lifecycles and large platform providers have picked off some of their closest rivals.
When IBM and Hewlett-Packard purchased two of the leading applications security specialists in the space of several months in mid-2007 -- acquiring Watchfire and SPI Dynamics, respectively -- other vendors in the space predicted they would also benefit from the exposure and shift in the competitive landscape.
Less than one year after the acquisitions, some customers and industry analysts agree that independent security testing providers are making hay as high-profile data leaks, compliance measures, and ceaseless malware attacks at the applications level push businesses to place greater emphasis on security testing tools.
While IBM and HP work to integrate the acquired technologies into their broader software development platforms -- and try to affect a significant change in the way developers secure their code -- IT security teams and software quality assurance (QA) specialists are still investing in the offerings of stand-alone providers such as Cenzic, Fortify, Ounce Labs, and WhiteHat, industry players maintain.
"Right now most of the buying in this space is still being done by information security teams. Some companies are testing during QA, but developers are still too busy to do testing," said Mandeep Khera, vice president of marketing at Cenzic. "The idea that we remain focused on product innovation appears to be resonating with customers. They know that we're totally committed to this market, whereas for these other guys it's just a drop in the bucket as they move to integrate [these capabilities] into their development platforms."
Cenzic and WhiteHat's Web applications testing tools are used to search for vulnerabilities in applications that have already gone live. But companies like Fortify and Ounce, which provide technology used primarily to scour code before it goes into production, say that they are experiencing similar growth.
"Companies are looking at integrated testing, which will be a smart way to approach things when the products are ready. IBM and HP will be tough competitors, but we're still seeing that customers want these technologies from providers that are purely focused on testing," said Roger Thornton, chief technology officer at Fortify.
"Companies know they need to apply many different types of code analysis and testing tools to approach the entire applications security process from a risk management perspective. While that concept is still relatively new, we're seeing growth in demand for our products," Thornton said.
At least one of Fortify's customers indicated that even once IBM and HP have finished integrating security testing into their development platforms, many companies will still look to independent providers to handle a good deal of the work.
"I really think there will be a place for these companies. I'm concerned with seeing large vendors buy some of these tools and just let them evaporate. These other players are focused purely on security," said Grant Bourzikas, director of information security at online trading firm Scottrade.
"For these [independent providers], this is their number one bread-and-butter product, and I see better products coming out of them in the future," Bourzikas said. "That's not to say that IBM and HP don't have great products, but I don't think the same emphasis is being placed on the technology today as when these were standalones; for this type of work, I want a company focused on security, versus someone more concerned with selling me storage or services."