IBM has become the first major player to buy into the web application security testing space with its offer to buy Watchfire.
The deal, which is expected to close later this quarter, would bring in tooling that performs ethical hacking of web apps based on a database of known vulnerability signatures.
We will move security detection and remediation closer to the developer cycle, said Danny Sabbah, head of IBM’s Rational Software business unit. A theme in Rational is our integration with Tivoli where we bridge development and operational deployment organizations. Watchfire is a great fit in that they play on both sides of that divide.
Watchfire has two product lines: AppScan, which subjects web apps to a gauntlet of hack attacks, and WebXM, which tests new and existing web apps for specific compliance violations against HIPPA, Gramm-Leach-Bliley and other regulations.
It has a fairly impressive, 800-strong customer base, which is concentrated in financial services, healthcare, and government. Nine of the top 10 global banks are Watchfire customers.
Under the proposed deal, IBM would absorb the 190-person company, into Rational. As one of the proposed benefits of the deal, IBM would expand the 10-year old company’s market, outside its 88% North American revenue base.
Over the past year, Watchfire has extended its coverage to tracking security holes in Ajax by simulating end user rich browser interactions; employee privilege spoofing, where workers sign on with their supervisor’s credentials to gain unauthorized access to data; and to introspect WSDL web service descriptions.
More importantly, it inked a deal with Fortify which performs so-called white box testing that complements Watchfire’s black box approach. That is, Watchfire has signatures of web security vulnerabilities that don’t drill down to code level, and is typically used just before a web app is placed into production.
By contrast, Fortify comes in earlier in the process to exercise the source code. Under the alliance, signed last August, both can feed results into each other’s consoles. At the time, both promised to work on back end links, but nothing has happened there yet.
But according to Fortify CEO John Jack, about half of his company’s 200-odd customer base is Watchfire users.
What’s interesting is that Fortify has also been an IBM Ready for Rational partner since 2005, with its ties into the Rational Application Developer IDE. Fortify’s Jack estimates that roughly a quarter of his company’s customer base uses Rational tools.
IBM and Fortify each stated that they expect to continue the Rational relationship, and although IBM could not comment on what it would do with Watchfire, it’s likely that the Watchfire-Fortify alliance would also continue after closing. (Fortify could present yet another IBM acquisition candidate.)
In IBM’s picture of the software delivery lifecycle, it views the AppScan offering fitting into the assessment stage, where you check the health of existing code, and in the implement and manage phases, where it would interact with Rational Quality and Security Control Center, and with Tivoli Security Operations Manager.
For now, that leaves static analysis of code (a task that Fortify addresses) as an area not yet addressed. For now, Rational Application Developer has some static code analysis capabilities, although they don’t directly cover security.
According to Sabbah, IBM would leverage these and other capabilities, and work with partners to address static security analysis of code. As to binaries, to which an organization could be exposed if it consumes web services, Sabbah said he wasn’t ready to address how IBM will deal with those security vulnerabilities yet.
The acquisition makes lots of sense for IBM, as it tackles a piece of software development that has traditionally fallen through the cracks. That’s because security has long been considered a special skill that’s resided in operations, rather than development. However, with the growing interconnectedness that is promoted by web, and especially SOA, organizations can less afford to address security after the app gets deployed.
And yes, this is the first household name in software development and IT management to invest into the space. So maybe it’s not surprising a rival spin this, no only as validation for what had been a niche market, but also for the likelihood that other acquisitions will follow.
This will trigger a wave of consolidation, predicted Mandeep Khera, vice president of marketing for Watchfire rival Cenzic.
So let’s follow that train of logic for a moment. Application life cycle providers like Compuware have ventured into application performance as well, so adding a gauntlet for security testing into its QA Center would fill a logical gap in the development life cycle.
But for Cenzic itself, the links to HP/Mercury itself look more interesting. Roughly half of Cenzic’s base uses Mercury testing tools, which probably isn’t surprising given Mercury’s dominance of the segment. Cenzic’s tools are certified for integration with Mercury Quality Center.
Furthermore, when you also consider that testing security holes makes sense, not just during development but also once apps are placed into service, such a linkup looks almost inevitable. After swallowing Mercury, HP has presence at software development and inside the data center (thanks to what used to be called OpenView). So it makes sense that HP/Mercury should make a play for Cenzic or its rival SpiDynamics.
Maybe it’s poker face or maybe HP has other meat on its plate, but Cenzic’s Khera maintained that both companies have not had any marketing-related discussions since HP completed the Mercury acquisition.