Fortify expands its application security offerings with Secure Software acquisition

Fortify Software's acquisition of Secure Software increases its source code analysis offerings and expands its presence into the requirements and design phases of the SDLC.

Looking to expand its software security offerings, Fortify Software announced on 17 January plans to acquire Secure Software.

With this acquisition, Fortify gains the rights to Secure Software's CLASP (Comprehensive, Lightweight Application Security Process) and expands its reach into the requirements and design phases of the software development life cycle, said Fortify CEO John M. Jack.

"Software security is not just about products. It's about products and the process changes and methodologies it takes to change the culture in a company from building products to building secure products," Jack said. "Fortify's success has been to deliver products but also to help our customers change their culture. The combination of the two companies will help deliver that."

Jack added that Secure Software also brings expertise in source code analysis -- an area Fortify is well known for. "When you combine the two [companies], you'll have the most powerful offering in the source code analysis marketplace," he said.

Palo Alto, Calif.-based Fortify will also gain Secure Software's own software and a greater integration with IBM's Rational Unified Process (RUP) through the CLASP plug-in.

"This merger allows us to deliver to Fortify and Secure Software customers a roadmap for rolling out software in their development organizations and in their security organizations," Jack said. "Secure Software was already doing that, and we were doing that, but by combining we can bring software security to large enterprises."

In addition, the acquisition of McLean, Va.-based Secure Software enables Fortify to expand its customer base and better serve the federal market, Jack said. "We have many federal customers, and we have a federal team. The fact that Secure Software is in McLean will help us expand that," he said.

From a technology perspective, Diana Kelley, service director of Security and Risk Management Strategies at the Burton Group, said this is a good move for Fortify, whose products include Tracer, a testing product, and Defender, a monitoring tool.

"It will benefit both the Fortify and Secure Software customers," she said. "The trick will be to integrate the offerings smoothly and to ensure that existing Secure Software customers have a seamless transition to support."

The effect on the application security market

In terms of the market, there were three main competitors in the security-focused static source code analysis field -- Fortify, Ounce Labs and Secure Software -- and now there are just two.

SPI Dynamics Inc., though not a direct competitor of Fortify, does compete in the application security space. However, Michael Sutton, SPI Dynamics' security evangelist, says the move doesn't threaten SPI Dynamics much.

SPI Dynamics is focusing on providing hybrid products that do both black box testing and source code analysis, such as its DevInspect 3.0, while Fortify's acquisition of Secure Software will be a combination of the two companies' products, Sutton said.

"Both Fortify and Secure Software are competitors of ours, so [the merger] creates a larger entity," Sutton said. "But again Secure Software was a small player, and we see the future as being with hybrid and that's where we're going."
