Will HP do the right thing with SPI Dynamics?

Analysts say HP can dramatically boost its security with the purchase of SPI Dynamics, but some users worry about SPI's technology wilting under the new ownership.

Analysts say Hewlett-Packard Co. (HP) can greatly improve its product security through the acquisition of SPI Dynamics Inc. But some users say they've watched other vendors buy up good security technology only to let it languish, and they hope HP won't make the same mistake.

HP Tuesday announced a definitive agreement to acquire SPI Dynamics and integrate its software as a unit in HP's Technology Solutions Group. HP said the acquisition will help bolster security in its business systems, such as e-commerce Web sites or financial and supply chain applications. Atlanta-based SPI Dynamics has 140 employees and serves more than 1,000 customers in the federal government, financial services and healthcare industries.

The news reflects the larger trend of consolidation in the IT security market, as standalone security vendors struggle to survive and big IT infrastructure providers use acquisitions to integrate more security into their product development lifecycles. On Monday, PatchLink Corp. said it would acquire endpoint security vendor SecureWave, and IBM announced two weeks ago that it would acquire risk management software vendor Watchfire Corp.

Recent security acquisitions:
  • IBM, HP reshape Web app security market: As Executive Editor Dennis Fisher explains, developers and customers could stand to benefit with Web security tools built into larger development suites.
  • Watchfire will help IBM build application security: IBM agreed to acquire Waltham, Mass.-based Watchfire Corp. to add Web application and compliance testing tools into Big Blue's Rational development platform.
  • Endpoint fears drive PatchLink-SecureWave merger: Experts say the PatchLink-SecureWave merger makes sense since IT pros want a better way to protect their endpoint devices. But PatchLink's market supremacy is far from assured.

Analysts believe HP's acquisition of SPI Dynamics makes sense, since customers are demanding that sharper security teeth be built into the larger IT infrastructure. Joseph Feiman, a research vice president with Stamford, Conn.-based Gartner Inc., said HP is reacting to the same pressure IBM reacted to when it decided to buy Watchfire. He said the acquisitions reflect Gartner's forecast that large IT vendors will push to acquire application testing capabilities.

"With things like firewalls and traffic encryption, you're not dealing with application security, and so you need to embed security into the application lifecycle," he said. "That's what IBM did with Watchfire and that's what HP is doing with SPI Dynamics."

As the trend continues, Feiman believes there's real potential for the standalone application security market to disappear in several years as the technology becomes a natural part of the software development lifecycle for companies like HP, IBM, Microsoft and Cisco.

Chenxi Wang, an analyst with Cambridge, Mass.-based Forrester Research Inc., agrees the HP-SPI Dynamics deal reflects how important application security has become.

Mergers and acquisitions at a glance:
There have been many acquisitions and mergers between IT security vendors and other companies in the last two and a half years. Here is a look at some of them:

  • FEBRUARY 2007: EMC Corp. announces a definitive agreement to acquire data security firm Valyd Software.

  • JANUARY 2007: Symantec Corp. signs a definitive agreement to acquire IT management software vendor Altiris Inc. for approximately $830 million.
  • JANUARY 2007: Cisco Systems Inc. announces plans to buy Internet security gateway appliance vendor IronPort Systems for $830 million.
  • JANUARY 2007: Fortify Software Inc. announces its acquisition of Secure Software Inc.
  • DECEMBER 2006: IBM announces plans to acquire Consul Risk Management Inc., whose software tracks employee behavior and unauthorized records access.
  • SEPTEMBER 2006: EMC Corp. announces its $175 million acquisition of security event management vendor Network Intelligence Corp.
  • AUGUST 2006: IBM announces the $1.3 billion acquisition of Internet Security Systems Inc. (ISS) to bolster its position in the managed security services market.
  • JULY 2006: Secure Computing Corp. announces its acquisition of messaging security firm CipherTrust Inc. for $273.6 million.
  • JUNE 2006: EMC Corp. announces plans to acquire RSA Security Inc. for just under $2.1 billion.
  • DECEMBER 2004: Symantec acquires Veritas Software, maker of data backup and storage programs, for more than $13 billion.

"The National Institute of Standards and Technology reports that 92% of all vulnerabilities found today are due to application flaws rather than network or system flaws," Wang said in an email exchange. "Many organizations now have Web-facing applications, the security of which worries many. SPI's products are used to test the security of Web applications and is a leader in the market."

The acquisition also makes sense given that SPI Dynamics recently integrated its technology with HP's Quality Center platform, which it acquired from Mercury Interactive in 2006. Wang believes this latest acquisition is simply HP continuing what it started with the Mercury acquisition.

"The integration between SPI and Mercury is a very compelling one, even more compelling than IBM Rational and Watchfire," Wang said. "This highlights HP's commitment to deliver quality software, and its vision to extend quality control over all phases of the software lifecycle."

She said the move also makes sense from SPI Dynamics' standpoint because it can tap into HP's large install base.

Despite all this potential for good, some IT professionals see cause for concern.

Robert Shullich, senior security technology advisor in the corporate information security office at New York-based Bowne & Co. Inc., said he worries about what he calls the Computer Associates (CA) effect across the IT security market. "CA just gobbled up companies and drained them, fed the good ones and starved the bad ones," he said in an email. "IBM is a big and good company, but you worry whether service will get better or worse. Will the products and services at least continue to be developed and supported at the same levels or higher that were in effect before the acquisition?"

Keith Gosselin, an IT officer for Biddeford Savings Bank in Biddeford, Maine, uses HP ProLiant file servers and all the company's desktops come from the vendor. He said HP has been less than stellar in the past about informing customers of product updates and he hopes the company's increased focus on security will change that. But he too worries about SPI Dynamics technology getting butchered.

"Symantec bought good technology from BindView and others and just killed the technology," he said. "I'd like to see companies follow IBM's lead, because IBM did a nice job when it acquired Internet Security Systems (ISS)," Gosselin said. "They absorbed ISS into their corporate infrastructure while giving ISS independence to continue as is. That's how I hope HP goes about it with SPI Dynamics."

During a press conference Tuesday morning, executives from HP and SPI Dynamics promised that this integration will be what users are hoping for. For starters, they said, users can expect HP to retain the talented staff of SPI Dynamics.

"You don't have intellectual property if you don't have the people," said Jonathan Rende, HP's VP of products and software quality management. "We have no intention of doing anything but fuel the fire."

SPI Dynamics CEO Brian Cohen said HP is particularly eager to tap into his company's research base.

"SPI has a far larger research commitment than anyone else," he said. "We virtually owned the security application track at Black Hat last year and I believe we will this year. Early on in our talks with HP they saw our lab as critical in this deal. I have no reason to believe it won't continue and indeed grow."
