Two weeks ago Web application security was a thriving
part of the industry, with a couple of big players and a few
smaller hopefuls. Now, for all intents and purposes, the market is
gone.
The two leaders, Watchfire and SPI Dynamics, have both been
acquired, leaving the handful of other companies with offerings in
this sector scrambling to find dance partners. The events of recent
weeks have customers wondering what to expect from their new
suppliers, and analysts and industry observers are equally curious
to see how the purchases affect the rest of the market.
IBM started this ball rolling two weeks ago when it announced
its acquisition of Watchfire. The fact that Watchfire was being
acquired was hardly surprising. The company's AppScan offering is
among the more mature products on the market and has been in wide
use for more than five years. Watchfire acquired the technology
through its purchase of Sanctum back in 2004. Nor was it much of a
shock that IBM was the company that ponied up the proverbial
undisclosed sum to buy Watchfire. Big Blue has a long history in
security, dating back to its mainframe days, and also made a big
splash last year with its purchase of ISS.
IBM has done well in keeping much of ISS' senior management, as
well as a lot of its well-regarded X-Force research team. That may
all change once employment agreements begin to expire in the next
few months, but by then IBM's management will have a good handle on
how to run the business. In order for the Watchfire acquisition to
succeed, IBM will need to pull off the same trick. Watchfire has
its own internal research group, headed by Danny Allan, and it's
that team's knowledge that gives AppScan its intelligence. The
transition from a small, second-stage company such as Watchfire to
the rigid, hierarchical culture of IBM can be a difficult one and
it would not be surprising to see some defections. But IBM has done
dozens of acquisitions and knows how to get them done with minimal
interruptions to the target's business.
"It's a little daunting initially going from a company of 200
people to one of more than 350,000, but IBM is very good at these
and they have good processes and people in place," said Mike
Weider, chief technology officer and founder of Watchfire. "IBM
wants to make application security and compliance a complete part
of the application development lifecycle. It's going to be
integrated into design, development and QA."
Hewlett-Packard's purchase of SPI Dynamics, on the other hand,
seems to make much less sense. At first blush it looks like a
knee-jerk reaction to IBM's move, a way to keep pace with its old
rival as HP continues to try to recover from a series of internal
problems and scandals. Its product lineup has always been heavy on
the hardware side, and its acquisition record is less than stellar,
with the merger with Compaq being the most obvious example.
How HP will integrate SPI's application security offerings into
its quality management software portfolio remains to be seen.
Leaving the company largely intact and giving it access to HP's
huge customer list may be the right answer in the short term. But
that's unlikely to be the case in the long run. WebInspect and
SPI's other software likely will be integrated into some larger HP
solution down the road. But that picture is still developing.
What is clear is that having Web application security
capabilities built into development environments and other larger
offerings is a good thing for developers and customers. These
acquisitions by IBM and HP also have the potential to be big wins
for customers, but only time will tell.