Watchfire will help IBM build application security

Analysts have been pushing the Security 3.0 concept this week at Gartner's IT Security Summit, and one analyst says IBM's acquisition of Watchfire illustrates the trend.

WASHINGTON -- Analysts at the Gartner IT Security Summit have been pushing their Security 3.0 concept this week, saying security must be embedded into the larger IT infrastructure produced by the likes of Microsoft, Cisco and IBM. These vendors have been acquiring security firms to make it happen, and Gartner conference attendees have speculated on who's next.

The question was answered Wednesday when IBM announced its acquisition of Watchfire Corp., a risk management software vendor, for an undisclosed sum.

Of interest to analysts here is that IBM's Rational software division is taking on the acquisition rather than its security division. The Rational development platform provides tools for developers to model, design and build Web-based architectures for SOA, systems and applications. Gartner research vice president Joseph Feiman said IBM has had absolutely no application security capability, and so the Watchfire acquisition makes perfect sense.

Waltham, Mass.-based Watchfire develops AppScan, Web application vulnerability assessment software, and WebXM for Web site risk assessments.

"I expect IBM will probably integrate Watchfire's technology into its workflow and quality testing tools," Feiman said. "To make application developers adopt security, actions like this are necessary."

Related coverage on Watchfire:
- Application Security: Watchfire's AppScan 7.0
- Web services represent security's next battlefront: The evolution and mainstream use of Web services has placed the nascent technology in the crosshairs of attackers, and one firm in particular says it can mitigate the threats.
- Watchfire buys Sanctum: Watchfire expanded its portfolio with its Sanctum purchase in 2004.

IBM would seem to agree, saying the Watchfire technology will extend its governance and risk management strategy. "Watchfire with IBM Rational software will help customers integrate Web application security and compliance early on and throughout the software development process," IBM said in a statement. "As a result, customers will now be able to define, test and track the compliance of their applications with security, legal and corporate requirements."

IBM said it also expects Watchfire technology to complement its existing Tivoli identity, access and compliance management software and its Internet Security Systems (ISS) offerings by extending security and compliance testing as an integrated element of the application development lifecycle. IBM acquired ISS for $1.3 billion last year.

For Gartner, the acquisition is an example of how IBM is following the Security 3.0 concept that is the theme of this year's conference. Monday, Gartner analyst John Pescatore said that in the old days, IT could restrict the user. Then came the age of Security 2.0, where IT struggled to keep up with a deluge of new point technologies. New technology came into widespread use far faster than the ability of IT to secure it all. At the same time, the bad guys picked up on flaws in all the emerging technology and began to exploit it. He said another huge change is underway in how companies are using technology to do business.

"With the consumerization of IT, through the use of blogs, wikis, etc., things are changing again in a fundamental way," he said in his keynote address to conference attendees. "The bad guys are finding a rich target environment and are using attacks that run quiet and deep."

He noted how attackers are using malware hidden within things like screen savers and Web sites to go after specific parts of a company's infrastructure, with the goal of stealing critical data. As a result, he said, we've seen the steady stream of data breaches in the past two years.

Pescatore said Security 3.0 is about staying ahead of evolving threats by integrating security into the larger IT infrastructure. "It's about moving from whack-a-mole to a chess game where we can deploy security in one place so the attacker has to move in another direction," he said. "The idea isn't necessarily to win, but to always be a couple steps ahead of the bad guys and force them into a stalemate."

Wednesday, Feiman put the theme in context with IBM's Watchfire acquisition. "[Gartner has] projected that by next year, 80% of the big vendors will make security an integral part of their development process," he said. The Watchfire acquisition, therefore, is part of IBM's effort to bolster its own security development lifecycle, he said.