The security industry for years has faced a serious overpopulation problem. There are hundreds of vendors vying for attention, each with a product it claims is best-of-breed and an analyst report in hand testifying to that fact. But, as in real life, the evolutionary process eventually takes over and weeds out the weak, the slow and the short-of-cash.
That process has been accelerating of late as the years-old consolidation trend in the security market gains momentum again with IBM's purchase of Watchfire and HP's acquisition of SPI Dynamics. There are surely more dominoes set to fall in the next few months, and trying to predict which companies are next in line for acquisition is the favorite parlor game of security industry veterans. But, given the unpredictability of these deals and the myriad ways they can unravel at the last minute (Check Point-Sourcefire), instead of guessing which companies will be cashing out next, I've come up with a list of security mergers I'd like to see happen, either for sheer entertainment value or actual value to the customers.
Oracle acquires NGS Software
New product: None. It's none of your business what Oracle does with its acquisitions. Got it?
This one would likely have to happen while Mary Ann Davidson is on sabbatical. NGSS founders David and Mark Litchfield have spent the last few years hammering Oracle's products, finding dozens of vulnerabilities and making quite a name for themselves in the process. The brothers' work has drawn the ire of Davidson, Oracle's CSO, who does not like to see vulnerabilities discussed in public and has been sharply critical of the Litchfields in the past. Despite all that, the deal could actually make some sense. David Litchfield is among the top database security experts in the world, and having that kind of expertise in-house would be a boon to Oracle's efforts to build more secure products. It's always better to find those vulnerabilities before the product ships. Plus, the weekly meetings between Davidson and the Litchfields would make for a great reality show.
Microsoft acquires Symantec
Combined company name: OzzieManDias
Microsoft has been elbowing its way into the security market for several years now, and Symantec CEO John Thompson has made no secret of his dislike for the company's tactics. He's been dismissive of Microsoft's security technology as well. It's hard to tell whether anyone in Redmond has even noticed, but what they surely have noticed is the tens of millions of PCs running Norton AntiVirus. Those are machines that Microsoft wants to be protected by its own security software, which has gotten mixed reviews so far. An easy way to accomplish that goal is to buy Symantec, which would have the effect of giving Microsoft a death grip on the antivirus market overnight. The Department of Justice might have something to say about this one, though.
Matasano, Immunity and Veracode merge
New service: L0phtCamp. Lamers and script kiddies pay $5,000 to live in a South Boston warehouse for a week, dodging rats and angry Mark Wahlberg lookalikes while they try to bring down a Star Trek-fan BBS using Windows 95 boxes on a dial-up connection.
This mash-up would create the Frankenstein's monster of security boutiques. It would be a one-stop shop for all of your security testing needs. You'd have Immunity's CANVAS tool to test the security of your network, Veracode's SecurityReview service to test your binaries for vulnerabilities, and Matasano's DeploySafe service to check the seaworthiness of the products you're deploying in your environment. What else do you need? Okay, so it doesn't make a lot of business sense. But at the very least it would reunite many of the key players from @stake: Chris Wysopal, Christien Rioux and Chris Eng from Veracode; Matasano's Dave Goldsmith (and former Matasano employees Dino Dai Zovi and Window Snyder); and Dave Aitel from Immunity. How's that for some brain power under one roof?
Apple acquires Errata Security
Odds: No line
New product: iRobot. Originally designed to stand in for Steve Jobs at MacWorld speeches, this lifelike bot is redeployed to deliver anonymous talks on new zero-days at security conferences, thereby shielding researchers from angry vendors and conference organizers.
Apple announces the acquisition, but gives only a few details, frustrating shareholders and federal regulators. Shareholders then demand that Apple sue itself after Errata's Dave Maynor gets tired of waiting for Apple executives to disclose the deal and posts the details on his blog. You're more likely to see Steve Jobs listening to a Zune while wearing a suit and tie than you are to see this deal go down. But with Apple set to make a little more headway in the enterprise with the iPhone and the release of Safari for Windows, they could always use some more security help. Why not bring in a guy who's just as irreverent as Jobs himself?
This was first published in June 2007