HP's SPI Dynamics Buy Sets Trend in Application Security Testing

G00149777


Summary

HP will acquire SPI Dynamics, a vendor of dynamic Web application security testing technologies, indicating growing industry understanding that application security should be an integral part of software life cycle platforms.

News Analysis

Event

On 19 June 2007, HP announced a definitive agreement to acquire SPI Dynamics, a vendor of Web application security testing software and services, for an undisclosed sum. The deal should close in 3Q07.

Analysis

HP’s acquisition of SPI Dynamics is the right step. With it, HP demonstrates that security is an important foundational element of software quality and makes security a peer offering in HP's triad of quality, performance and now security testing.

HP's announcement comes only two weeks after IBM announced it would buy application security testing vendor Watchfire (see "Watchfire Will Strengthen IBM Development Platform Security" ). Market demand for application security testing has grown rapidly during the past three years, and is expected to reach nearly $200 million by YE07. HP and IBM rightfully rushed to capitalize on this trend (see “MarketScope for Web Application Security Vulnerability Scanners, 2006" ).

In G00144800 "Key Technology Trends in Application Security Testing Markets," we explained the need for vendors of software life cycle (SLC) tools — such as IBM, Microsoft, HP (Mercury Interactive) and others — to incorporate security testing tools natively into their platforms. We predicted that 80% of major SLC vendors would offer dynamic application security testing (DAST) or static application security testing (SAST) tools as part of their SLC platforms by 2008. The nearly simultaneous acquisition of two application security testing vendors by two of the largest SLC vendors confirms this trend. Look for Microsoft, Borland, Oracle and SAP to equip their SLC platforms with similar technologies within the next 18 months.

Application security should be:

  • A separate security discipline as important as network and operating system security disciplines.

  • An integral part of SLC processes and platforms.

HP’s acquisition of SPI Dynamics fills its primary need for DAST capabilities with the WebInspect tool, which is a good fit within quality assurance.

The acquisition also provides some basic SAST capabilities with the DevInspect tool. DevInspect is a static security analyzer that scans C#, VB.NET and JavaScript code, but only in the context of Web-facing applications; its static findings are then checked against the results of dynamic testing (hybrid analysis). HP is not a development tool vendor. As such, DevInspect is not a full-fledged SAST tool and is somewhat of a misfit in the HP offering unless it is integrated into other vendors' development environments.

On the positive side, WebInspect and DevInspect can provide a hybrid testing approach that correlates the results of static and dynamic testing: a static finding that the dynamic scanner can reproduce is far less likely to be a false positive, and a dynamic finding can be traced back to a source location. This can increase the overall accuracy of testing. Both tools were designed for native integration into HP's (Mercury's) Quality Center.
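To make the hybrid-correlation idea concrete, the following is an added illustration written for this page; it is not SPI Dynamics, HP or Watchfire code, and nothing about how WebInspect and DevInspect actually exchange data is known from this note. It assumes a hypothetical finding schema in which a static finding carries the vulnerability class, the HTTP entry point and request parameter that reach the tainted sink, and the source location, while a dynamic finding carries the class, URL, parameter and the payload that triggered it. Findings are joined on a normalized (class, route, parameter) key; a match raises the finding to "confirmed", a static-only hit stays unverified, and a dynamic-only hit is flagged as lacking a source location. The sample findings are constructed for the example.

```python
"""Toy hybrid-analysis correlator (added example; schema and sample data are hypothetical)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticFinding:
    vuln_class: str   # e.g. "sqli", "xss"
    route: str        # HTTP entry point from which the tainted sink is reachable
    parameter: str    # request parameter that feeds the sink
    file: str
    line: int


@dataclass(frozen=True)
class DynamicFinding:
    vuln_class: str
    route: str        # URL the scanner attacked, possibly with a query string
    parameter: str
    payload: str      # what the scanner sent when it observed the issue


_NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")


def normalize_route(route):
    """Canonical form of an entry point so both scanners key on the same value:
    drop the query string, collapse numeric path segments to {id}, strip a
    trailing slash and lower-case the result."""
    path = route.split("?", 1)[0]
    path = _NUMERIC_SEGMENT.sub("/{id}", path)
    path = path.rstrip("/") or "/"
    return path.lower()


def finding_key(finding):
    return (finding.vuln_class.lower(), normalize_route(finding.route), finding.parameter.lower())


def correlate(static, dynamic):
    """Join static and dynamic findings on their normalized key.

    Returns one record per key with status "confirmed" (both scanners agree),
    "static_only" (sink found in code but never reproduced at run time) or
    "dynamic_only" (observed at run time but no source location known)."""
    static_by_key, dynamic_by_key = {}, {}
    for s in static:
        static_by_key.setdefault(finding_key(s), []).append(s)
    for d in dynamic:
        dynamic_by_key.setdefault(finding_key(d), []).append(d)

    results = []
    for key in set(static_by_key) | set(dynamic_by_key):
        vuln_class, route, parameter = key
        s_hits = static_by_key.get(key, [])
        d_hits = dynamic_by_key.get(key, [])
        if s_hits and d_hits:
            status = "confirmed"
        elif s_hits:
            status = "static_only"
        else:
            status = "dynamic_only"
        results.append({
            "status": status,
            "vuln_class": vuln_class,
            "route": route,
            "parameter": parameter,
            "locations": [f"{s.file}:{s.line}" for s in s_hits],
            "payloads": [d.payload for d in d_hits],
        })
    # Confirmed findings first: they are the ones worth a developer's time.
    rank = {"confirmed": 0, "static_only": 1, "dynamic_only": 2}
    results.sort(key=lambda r: (rank[r["status"]], r["vuln_class"], r["route"], r["parameter"]))
    return results


# Constructed sample findings (hypothetical application, not real scan output).
SAMPLE_STATIC = [
    StaticFinding("sqli", "/login", "username", "auth/login.py", 42),
    StaticFinding("xss", "/search", "q", "views/search.py", 18),
    StaticFinding("sqli", "/admin/report", "id", "admin/report.py", 77),
]
SAMPLE_DYNAMIC = [
    DynamicFinding("SQLi", "/login?next=/home", "Username", "' OR '1'='1"),
    DynamicFinding("xss", "/search", "q", "<script>alert(1)</script>"),
    DynamicFinding("xss", "/profile/123", "bio", "<img src=x onerror=alert(1)>"),
]


def triage(static=SAMPLE_STATIC, dynamic=SAMPLE_DYNAMIC):
    return correlate(static, dynamic)


if __name__ == "__main__":
    for r in triage():
        print(f"{r['status']:12} {r['vuln_class']:5} {r['route']:16} {r['parameter']:10} "
              f"src={r['locations']} payloads={r['payloads']}")
```

Note that the join only works because both sides agree on how an entry point is named; in practice the normalization step (query strings, path parameters, case) is where most hybrid correlation effort goes, and a dynamic-only result is a signal that the static side missed a route rather than a reason to discard the finding.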

Recommendations

  • For clients lacking expertise in application security, HP's services division should develop security scanning as a service, using WebInspect to scan clients’ applications remotely.

  • HP should also evolve DevInspect into a full-fledged SAST tool or acquire robust SAST technology, including binary security testing.

  • Developers using HP application testing technologies should consider WebInspect and DevInspect as strong candidates for dynamic and static security testing of Web-facing applications.

  • Developers currently using SPI Dynamics tools within the IBM SLC platform should re-evaluate their commitment and consider IBM/Watchfire's AppScan as an alternative for dynamic testing, unless HP commits to supporting WebInspect's integration with IBM's Rational Application Developer and Eclipse.

  • HP QualityCenter customers should pressure HP to demonstrate leadership and vision by lowering the cost to build secure applications. Security should be "baked into" development tools at little or no extra cost in enterprise versions of its tools.

  • Enterprises searching for a full-fledged SAST tool should evaluate tools other than DevInspect, which is aimed at basic static security testing of Web-facing applications only.

  • Enterprises evaluating development environments should make it a priority that they must include integrated SAST and DAST capabilities, ideally both using hybrid analysis techniques.


© 2007 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
