Analysts say Hewlett-Packard Co. (HP) can greatly improve its
product security through the acquisition of SPI Dynamics Inc. But
some users say they've watched other vendors buy up good security
technology only to let it languish and hope HP won't make the same
mistake.
HP Tuesday announced a definitive agreement to acquire SPI
Dynamics and integrate its software as a unit in HP's
Technology Solutions Group. HP said the acquisition will help
bolster security in its business systems, such as e-commerce Web
sites or financial and supply chain applications. Atlanta-based SPI
Dynamics has 140 employees and serves more than 1,000 customers in
the federal government, financial services and healthcare
industries.
The news reflects the larger trend of consolidation in the IT
security market, as standalone security vendors struggle to survive
and big IT infrastructure providers use acquisitions to integrate
more security into their product development lifecycles. Monday
PatchLink Corp. said it would acquire endpoint security vendor
SecureWave, and IBM announced two weeks ago that it would acquire
risk management software vendor Watchfire Corp.
Analysts believe HP's acquisition of SPI Dynamics makes sense,
since customers are demanding that sharper security teeth be built
into the larger IT infrastructure. Joseph Feiman, a research vice
president with Stamford, Conn.-based Gartner Inc., said HP is
reacting to the same pressure IBM reacted to when it decided to buy
Watchfire. He said the acquisitions reflect Gartner's forecast that
large IT vendors will push to acquire application testing
capabilities.
"With things like firewalls and traffic encryption, you're not
dealing with application security, and so you need to embed
security into the application lifecycle," he said. "That's what IBM
did with Watchfire and that's what HP is doing with SPI
Dynamics."
As the trend continues, Feiman believes there's real potential
for the standalone application security market to disappear in
several years as the technology becomes a natural part of the
software development lifecycle for companies like HP, IBM,
Microsoft and Cisco.
Chenxi Wang, an analyst with Cambridge, Mass.-based Forrester
Research Inc., agrees the HP-SPI Dynamics deal reflects how
important application security has become.
Mergers and acquisitions at a glance: There have been many
acquisitions and mergers between IT security vendors and other
companies in the last two and a half years. Here is a look at some
of them:
- JULY 2006: Secure Computing Corp. announces its acquisition of
messaging security firm CipherTrust Inc. for $273.6 million.
"The National Institute of Standards and Technology reports that
92% of all vulnerabilities found today are due to application flaws
rather than network or system flaws," Wang said in an email
exchange. "Many organizations now have Web-facing applications, the
security of which worries many. SPI's products are used to test the
security of Web applications and is a leader in the market."
The acquisition also makes sense given that SPI Dynamics
recently integrated its technology with HP's Quality Center
platform, which it acquired from Mercury Interactive in 2006. Wang
believes this latest acquisition is simply HP continuing what it
started with the Mercury acquisition.
"The integration between SPI and Mercury is a very compelling
one, even more compelling than IBM Rational and Watchfire," Wang
said. "This highlights HP's commitment to deliver quality software,
and its vision to extend quality control over all phases of the
software lifecycle."
She said the move also makes sense from SPI Dynamics' standpoint
because it can tap into HP's large install base.
Despite all this potential for good, some IT professionals see
cause for concern.
Robert Shullich, senior security technology advisor in the
corporate information security office at New York-based Bowne &
Co. Inc., said he worries about what he calls the Computer
Associates (CA) effect across the IT security market. "CA just
gobbled up companies and drained them, fed the good ones and
starved the bad ones," he said in an email. "IBM is a big and good
company, but you worry whether service will get better or worse.
Will the products and services at least continue to be developed
and supported at the same levels or higher that were in effect
before the acquisition?"
Keith Gosselin, an IT officer for Biddeford Savings Bank in
Biddeford, Maine, uses HP ProLiant file servers and all the
company's desktops come from the vendor. He said HP has been less
than stellar in the past about informing customers of product
updates and he hopes the company's increased focus on security will
change that. But he too worries about SPI Dynamics technology
getting butchered.
"Symantec bought good technology from BindView and others and
just killed the technology," he said. "I'd like to see companies
follow IBM's lead, because IBM did a nice job when it acquired
Internet Security Systems
(ISS)," Gosselin said. "They absorbed ISS into their corporate
infrastructure while giving ISS independence to continue as is.
That's how I hope HP goes about it with SPI Dynamics."
During a press conference Tuesday morning, executives from HP
and SPI Dynamics promised that this integration will be what users
are hoping for. For starters, they said, users can expect HP to
retain the talented staff of SPI Dynamics.
"You don't have intellectual property if you don't have the
people," said Jonathan Rende, HP's VP of products and software
quality management. "We have no intention of doing anything but
fuel the fire."
SPI Dynamics CEO Brian Cohen said HP is particularly eager to
tap into his company's research base.
"SPI has a far larger research commitment than anyone else," he
said. "We virtually owned the security application track at Black
Hat last year and I believe we will this year. Early on in our
talks with HP they saw our lab as critical in this deal. I have no
reason to believe it won't continue and indeed grow."