The security industry for years has faced a serious
overpopulation problem. There are hundreds of vendors vying for
attention, each with a product it claims is best-of-breed and an
analyst report in hand testifying to that fact. But, as in real
life, the evolutionary process eventually takes over and weeds out
the weak, the slow and the short-of-cash.
That process has been accelerating of late as the years-old
consolidation trend in the security market gains momentum again
with
IBM's purchase of Watchfire and
HP's acquisition of SPI Dynamics. There are surely more
dominoes set to fall in the next few months, and trying to predict
which companies are next in line for acquisition is the favorite
parlor game of security industry veterans. But, given the
unpredictability of these deals and the myriad ways they can
unravel at the last minute (Check Point-Sourcefire), instead of
guessing which companies will be cashing out next, I've come up
with a list of security mergers I'd like to see happen, either for
sheer entertainment value or actual value to the customers.
Oracle acquires NGS Software
Odds: 500:1
New product: None. It's none of your business what Oracle
does with its acquisitions. Got it?
This one would likely have to happen while Mary Ann Davidson is
on sabbatical. NGSS founders David and Mark Litchfield have spent
the last few years hammering Oracle's products, finding dozens of
vulnerabilities and making quite a name for themselves in the
process. The brothers' work has drawn the ire of Davidson, Oracle's
CSO, who does not like to see vulnerabilities discussed in public
and has been sharply critical of the Litchfields in the past.
Despite all that, the deal could actually make some sense. David
Litchfield is among the top database security experts in the world,
and having that kind of expertise in-house would be a boon to
Oracle's efforts to build more secure products. It's always better
to find those vulnerabilities before the product ships. Plus, the
weekly meetings between Davidson and the Litchfields would make for
a great reality show.
Microsoft acquires Symantec
Odds: 750:1
Combined company name: OzzieManDias
Microsoft has been elbowing its way into the security market for
several years now, and Symantec CEO John Thompson has made no
secret of his dislike for the company's tactics. He's been
dismissive of Microsoft's security technology as well. It's hard to
tell whether anyone in Redmond has even noticed, but what they
surely have noticed is the tens of millions of PCs running Norton
AntiVirus. Those are machines that Microsoft wants to be protected
by its own security software, which has gotten mixed reviews so
far. An easy way to accomplish that goal is to buy Symantec, which
would have the effect of giving Microsoft a death grip on the
antivirus market overnight. The Department of Justice might have
something to say about this one, though.
Matasano, Immunity and Veracode merge
Odds: 100:1
New service: L0phtCamp. Lamers and script kiddies pay $5,000
to live in a South Boston warehouse for a week, dodging rats and
angry Mark Wahlberg lookalikes while they try to bring down a Star
Trek-fan BBS using Windows 95 boxes on a dial-up connection.
This mash-up would create the Frankenstein's monster of security
boutiques. It would be a one-stop shop for all of your security
testing needs. You'd have Immunity's CANVAS tool to test the
security of your network, Veracode's SecurityReview service to test
your binaries for vulnerabilities, and Matasano's DeploySafe
service to check the seaworthiness of the products you're deploying
in your environment. What else do you need? Okay, so it doesn't
make a lot of business sense. But at the very least it would
reunite many of the key players from @stake: Chris Wysopal,
Christien Rioux and Chris Eng from Veracode; Matasano's Dave
Goldsmith (and former Matasano employees Dino Dai Zovi and Window
Snyder); and Dave Aitel from Immunity. How's that for some brain
power under one roof?
Apple acquires Errata Security
Odds: No line
New product: iRobot. Originally designed to stand in for
Steve Jobs at MacWorld speeches, this lifelike bot is redeployed to
deliver anonymous talks on new zero-days at security conferences,
thereby shielding researchers from angry vendors and conference
organizers.
Apple announces the acquisition, but gives only a few details,
frustrating shareholders and federal regulators. Shareholders then
demand that Apple sue itself after Errata's Dave Maynor gets tired
of waiting for Apple executives to disclose the deal and posts the
details on his blog.
You're more likely to see Steve Jobs listening to a Zune while
wearing a suit and tie than you are to see this deal go down. But
with Apple set to make a little more headway in the enterprise with
the iPhone and the release of Safari for Windows, they could always
use some more security help. Why not bring in a guy who's just as
irreverent as Jobs himself?