June 06, 2007
Is Watchfire deal bad for SPI?
When I met with SPI Dynamics CEO Brian Cohen last week, we talked a great deal about the ongoing shift among internal development teams, which are now finally adopting his company's Web application vulnerability scanning tools.
This shift -- detailed in my analysis of the trend posted earlier today -- is a sharp transition from the past several years, when developers primarily reached SPI's Assessment Management Platform (AMP), used to track and measure Web application security risks, through its integration with major software development platforms.
Prior to seeing the emergence of a direct market through which it is now reaching developers over the last 6-9 months, SPI was largely dependent on its integration via partnerships with Microsoft, Mercury Interactive (owned by HP) and, you guessed it, IBM, to get its tools into software coders' hands, Cohen said.
"The message just didn't resonate with end users unless it was something built directly into one of the popular development platforms," Cohen said. "Now we're finally seeing more development groups ask for this technology for themselves; at a high level, organizations would prefer just to block vulnerabilities after the fact, but they've finally learned that they can't afford to maintain that type of approach."
As part of our conversation, which had been spurred by a discussion on the same topic with Mike Weider, founder and chief technology officer of rival Watchfire, Cohen stated his belief that Watchfire's move to add developer-specific tools to its own AppScan 7.5 product line was inspired by SPI's move to do so several years ago.
(Although some might argue that Watchfire's acquisition of apps security pioneer Sanctum in mid-2004 gave it a pretty early stake in the business.)
With today's news that IBM is buying Watchfire, one has to wonder how the deal affects SPI and other providers.
IBM is known for maintaining long rosters of partners, even when it owns technologies that compete with some of those companies' products. But will the company integrate Watchfire into its development platforms, potentially displacing SPI for those deals, or continue to market it as a standalone product, or both?
If developers really are beginning to buy application vulnerability scanning tools direct, it would seem that SPI shouldn't have much to worry about. But if the market tilts back toward integration, SPI might be losing one of its largest OEM partnerships, or at least losing some of its standing inside Big Blue.
For his part, Weider -- who kept the IBM deal under wraps so tightly that his PR agency claims it had no idea the deal was being drawn up -- said that he expects development teams to increasingly "weave security testing in as a critical requirement along with quality assurance, functionality and performance."
Could this be a not-so-subtle pitch for integration with other development tools?
"These have been key requirements for application developers for years, and security is finally making it in; companies are seeing it as a fundamental element of their software development lifecycle," Weider said. "The quality assurance engineer needs to do application testing to play their role in ensuring security."
According to a May 2007 report from Gartner:
- By 2008, leading source code security vulnerability scanning vendors will combine features of source code vulnerability detection with Web application vulnerability detection into a single tool.
- By 2010, 40% of organizations will use a single vendor that provides both source code security scanning and Web application security scanning features along the software development lifecycle (SDLC).
- By 2009, 80% of the major SDLC vendors will offer source code security scanning tools as part of their platforms.
- By 2010, 60% of IT organizations will make security vulnerability detection an integral part of their SDLC processes.
Gartner said that the market for source code security vulnerability testing (SCSVT) tools will experience "significant changes" in the coming years, with the commoditization of some capabilities, features and products, and the delivery of scanning as a service on tap.
The research company also predicted that emerging integration of SCSVT "at little or no cost" into development platforms should drive a tightening of the sector.
"Vendor selection should be tactical and contract terms shortened to reflect this turmoil," said the report. "The SCSVT market risks disappearing as a stand-alone market during the next five to seven years as the major platform providers supply their own technologies or acquire existing products."
It should be noted that Web application scanning tools -- SPI's forte -- are not the same thing as pure SCSVT tools: the former test a running application from the outside (black-box testing), while the latter analyze the source code itself.
However, if SPI is losing one of its biggest OEMs, and the market doesn't embrace the non-integrated model as expected, you have to wonder how this deal will affect SPI and other standalone application testing technologies.
Stay tuned.
Posted by Matt Hines on June 6, 2007 09:41 AM
COMMENTS
I think IBM's acquisition of Watchfire is a clear signal that Web Application Security is gaining in importance and is here to stay. Web Application Scanners such as SPIdynamics or Acunetix should be available independently of the application platform, for the same reason that companies use network security scanners. Improving security at the application development platform level is good, but independent black box testing afterwards will always be required.
Posted by: William Henderson at June 6, 2007 11:46 PM