Hewlett-Packard's move this week to buy Fortify software focuses attention on the increasingly important, but still mostly underutilized category of application security products, security experts say.
Privately-held Fortify will provide HP with a set of technologies for on-premise testing of applications through all stages of the development process through deployment.
The planned acquisition complements HP's 2007 purchase SPI Dynamics, a vendor of Web application security products. Fortify will also give HP the means to match IBM's range of static and dynamic analysis tools that help companies test applications during the coding and testing stages, as well as the deployment phase.
The Fortify acquisition is the latest move in efforts by IBM and HP to build competitive application security portfolios mostly via acquisition. HP's purchase of SPI Dynamics for instance, followed IBM's acquisition Web application security vendor Waterfire. And HP's purchase of Fortify follows last year's IBM acquisition of Fortify competor Ounce Labs.
The acquisitions by the two technology giants are lending credibility to an important market segment, said Joshua Corman an analyst with The 451 Group and co-founder of RuggedSoftware.org, a group trying to raise awareness about secure coding practices.
Despite increased hacker attacks at the application level, companies continue to pour most of their security dollars into projects to secure network defenses, Corman said. Of the estimated $50 billion that companies spent on security products and services last year, barely $500 million was spent to shore up application security, he noted.
Corman theorized that IT executives comtinue to lack awareness of a growing need to better secure applications. "Software has become infrastructure, just like cement and steel. But unlike concrete and steel, it's not nearly as reliable," Corman said. "We have just never had a culture that software needs to be not just fast, but also secure."
Another reason for the slow adoption of application security products has been confusion about how best to use them. Some vendors maintain that the tools should be used to scan every line of code to identify vulnerabilities throughout application development projects. Others argue that the tools are best used to identify and fix problems on executable code.
Corman said that having tools available from both HP and IBM should lead to more enterprise investments in such technologies. "Very few companies will adopt technologies from small vendors in a nascent market," he said.
"What (IBM and HP) are saying is, there is a time and place for every technique," said Pete Lindstrom, an analyst with Spire Security. The moves show that "there is good value in both interactive and static tools for various reasons," he added.
The investments by HP and IBM in application security products and highlight the importance that these vendors are attaching to this space, said Dave Peterson, chief marketing officer at Coverity, a maker of security tools. "We look at it as a validation that software integrity has a home in the software development lifecycle," he said.