Looking to expand its software security offerings, Fortify
Software announced on 17 January plans to acquire Secure Software.
With this acquisition, Fortify gains the rights to
Secure Software's CLASP (Comprehensive, Lightweight Application
Security Process) and expands its reach into the requirements and
design phases of the software development life cycle, said Fortify
CEO John M. Jack.
"Software security is not just about products. It's about
products and the process changes and methodologies it takes to
change the culture in a company from building products to building
secure products," Jack said. "Fortify's success has been to deliver
products but also to help our customers change their culture. The
combination of the two companies will help deliver that."
Jack added that an area where Secure Software brings expertise
is in source code analysis -- an area Fortify is well known for.
"When you combine the two [companies], you'll have the most
powerful offering in the source code analysis marketplace," he
said.
Palo Alto, Calif.-based Fortify will also gain Secure Software's
own software and a greater integration with IBM's Rational Unified
Process (RUP) through the CLASP plug-in.
"This merger allows us to deliver to Fortify and Secure Software
customers a roadmap for rolling out software in their development
organizations and in their security organizations," Jack said.
"Secure Software was already doing that, and we were doing that,
but by combining we can bring software security to large
enterprises."
In addition, the acquisition of McLean, Va.-based Secure
Software enables Fortify to expand its customer base and better
serve the federal market, Jack said. "We have many federal
customers, and we have a federal team. The fact that Secure
Software is in McLean will help us expand that," he said.
From a technology perspective, Diana Kelley, service director of
Security and Risk Management Strategies at the Burton Group, said
this is a good move for Fortify, whose products include
Tracer, a testing product, and Defender, a monitoring tool.
"It will benefit both the Fortify and Secure Software
customers," she said. "The trick will be to integrate the offerings
smoothly and to ensure that existing Secure Software customers have
a seamless transition to support."
The effect on the application security market
In terms of the market, there were three main competitors in the
security-focused static source code analysis field -- Fortify,
Ounce Labs and Secure Software -- and now there are just two.
SPI Dynamics Inc., though not a direct competitor of Fortify,
does compete in the application security space. However, Michael
Sutton, SPI Dynamics' security evangelist, says the move doesn't
threaten SPI Dynamics much.
SPI Dynamics is focusing on providing hybrid products that do
both black box testing and source code analysis, such as its
DevInspect 3.0, while Fortify's acquisition of Secure Software
will be a combination of the companies' two products, Sutton
said.
"Both Fortify and Secure Software are competitors of ours, so
[the merger] creates a larger entity," Sutton said. "But again
Secure Software was a small player, and we see the future as being
with hybrid and that's where we're going."