Two weeks ago Web application security was a thriving part of the industry, with a couple of big players and a few smaller hopefuls. Now, for all intents and purposes, the market is gone.
The two leaders, Watchfire and SPI Dynamics, have both been acquired, leaving the handful of other companies with offerings in this sector scrambling to find dance partners. The events of recent weeks have customers wondering what to expect from their new suppliers, and analysts and industry observers are equally curious to see how the purchases affect the rest of the market.
IBM started this ball rolling two weeks ago when it announced its acquisition of Watchfire. The fact that Watchfire was being acquired was hardly surprising. The company's AppScan offering is among the more mature products on the market and has been in wide use for more than five years. Watchfire acquired the technology through its purchase of Sanctum back in 2004. Nor was it much of a shock that IBM was the company that ponied up the proverbial undisclosed sum to buy Watchfire. Big Blue has a long history in security, dating back to its mainframe days, and also made a big splash last year with its purchase of ISS.
IBM has done well in keeping much of ISS' senior management, as well as a lot of its well-regarded X-Force research team. That may all change once employment agreements begin to expire in the next few months, but by then IBM's management will have a good handle on how to run the business. In order for the Watchfire acquisition to succeed, IBM will need to pull off the same trick. Watchfire has its own internal research group, headed by Danny Allan, and it's that team's knowledge that gives AppScan its intelligence. The transition from a small, second-stage company such as Watchfire to the rigid, hierarchical culture of IBM can be a difficult one and it would not be surprising to see some defections. But IBM has done dozens of acquisitions and knows how to get them done with minimal interruptions to the target's business.
"It's a little daunting initially going from a company of 200 people to one of more than 350,000, but IBM is very good at these and they have good processes and people in place," said Mike Weider, chief technology officer and founder of Watchfire. "IBM wants to make application security and compliance a complete part of the application development lifecycle. It's going to be integrated into design, development and QA."
Hewlett-Packard's purchase of SPI Dynamics, on the other, hand seems to make much less sense. At first blush it looks like a knee-jerk reaction to IBM's move. A way to keep pace with its old rival as HP continues to try to recover from a series of internal problems and scandals. Its product lineup has always been heavy on the hardware side, and its acquisition record is less than stellar, with the merger with Compaq being the most obvious example.
How HP will integrate SPI's application security offerings into its quality management software portfolio remains to be seen. Leaving the company largely intact and giving it access to HP's huge customer list may be the right answer in the short term. But that's unlikely to be the case in the long run. WebInspect and SPI's other software likely will be integrated into some larger HP solution down the road. But that picture is still developing.
What is clear is that having Web application security capabilities built into development environments and other larger offerings is a good thing for developers and customers. These acquisitions by IBM and HP also have the potential to be big wins for customers, but only time will tell.