HP will acquire SPI Dynamics, a vendor of dynamic Web application security testing technologies, indicating growing industry understanding that application security should be an integral part of software life cycle platforms.
On 19 June 2007, HP announced a definitive agreement to acquire SPI Dynamics, a vendor of Web application security testing software and services, for an undisclosed sum. The deal should close in 3Q07.
HP’s acquisition of SPI Dynamics is the right step. With it, HP demonstrates that security is an important foundational element of software quality and makes security a peer offering in HP's triad of quality, performance and now security testing.
HP's announcement comes only two weeks after IBM announced it would buy application security testing vendor Watchfire (see "Watchfire Will Strengthen IBM Development Platform Security"). Market demand for application security testing has grown rapidly during the past three years, and is expected to reach nearly $200 million by YE07. HP and IBM rightfully rushed to capitalize on this trend (see "MarketScope for Web Application Security Vulnerability Scanners, 2006").
In G00144800 "Key Technology Trends in Application Security Testing Markets," we explained the need for vendors of software life cycle (SLC) tools — such as IBM, Microsoft, HP (Mercury Interactive) and others — to incorporate security testing tools natively into their platforms. We predicted that 80% of major SLC vendors would offer dynamic application security testing (DAST) or static application security testing (SAST) tools as part of their SLC platforms by 2008. The nearly simultaneous acquisition of two application security testing vendors by two of the largest SLC vendors confirms this trend. Look for Microsoft, Borland, Oracle and SAP to equip their SLC platforms with similar technologies within the next 18 months.
Application security should be:
A separate security discipline as important as network and operating system security disciplines.
An integral part of SLC processes and platforms.
HP’s acquisition of SPI Dynamics fills its primary need for DAST capabilities with the WebInspect tool, which is a good fit within quality assurance.
On the positive side, WebInspect and DevInspect can provide a hybrid testing approach that correlates the results of static and dynamic testing, potentially increasing the overall accuracy of testing. Both tools were designed for native integration into HP's (Mercury's) QualityCenter.
For clients lacking expertise in application security, HP's services division should develop security scanning as a service, using WebInspect to scan clients’ applications remotely.
HP should also evolve WebInspect into a full-fledged SAST tool or acquire robust SAST technology, including binary security testing.
Developers using HP application testing technologies should consider WebInspect and DevInspect as strong candidates for dynamic and static security testing of Web-facing applications.
Developers currently using SPI Dynamics tools within the IBM SLC platform should re-evaluate their commitment and consider IBM/Watchfire's AppScan as an alternative for dynamic testing — unless HP commits to supporting WebInspect's integration with IBM's Rational Application Developer and Eclipse.
HP QualityCenter customers should pressure HP to demonstrate leadership and vision by lowering the cost to build secure applications. Security should be "baked into" development tools at little or no extra cost in enterprise versions of its tools.
Enterprises searching for a full-fledged SAST tool should evaluate tools other than DevInspect, which is aimed at basic static security testing of Web-facing applications only.
Enterprises evaluating development environments should make it a priority that they include integrated SAST and DAST capabilities, ideally both using hybrid analysis techniques.
"Market Definition and Vendor Selection Criteria for Source Code Security Testing Tools" — Source code security testing enables security vulnerability detection early in the application life cycle, making remediation inexpensive compared to detection and remediation later in the life cycle. By Neil MacDonald and Joseph Feiman
"Application Security Testing: Strengths, Weaknesses, Opportunities and Threats" — Enterprises should start looking for technologies capable of detecting security vulnerabilities earlier in the life cycle so security controls can be built into applications. By Joseph Feiman