Applications security: Cenzic stands alone

With a new product fresh out the door and its two largest rivals recently acquired by massive IT bellwethers, applications security testing specialist Cenzic contends that it's ready to reap the rewards of remaining independent.

Ever since IBM announced that it was buying rival applications vulnerability scanning provider Watchfire in June, and HP followed suit by picking off competitor SPI Dynamics later the same month, Cenzic has been playing up its status as the largest independent player left in this red-hot segment.

Researchers at Stamford, Conn.-based Gartner are predicting the applications security testing market will grow to over $200 million in revenue in 2007, compared to $125 million in 2006 and just $70 million in 2005.

Cenzic has been promoting its place as the only major stand-alone provider left in the space as a major advantage: The company launched an official swap-out program aimed at convincing Watchfire customers to move to its products, and also introduced a new set of tools this week that promises to integrate testing data taken from both Watchfire's and SPI's vulnerability scanning systems.

Company leaders maintain that Cenzic can grow rapidly at the expense of its newly acquired rivals by virtue of its not being tied to a specific software development framework -- both IBM and HP are working to meld their acquisitions into their respective Rational and Mercury platforms -- and turning its products into a virtual console that can pool scanning results with those of other vendors' tools.

While Watchfire and SPI may become de facto testing systems for new applications being produced using HP and IBM's development platforms, many more customers are still in need of scanning programs that can scrutinize programs that are already live, said John Weinschenk, chief executive of Santa Clara, Calif.-based Cenzic.

In larger enterprises that use multiple development frameworks there will also be a need for tools that cross-reference and compile applications' vulnerability data from all the available platforms, the CEO said.

That confluence of factors, along with superior testing capabilities in Cenzic's testing products and services, Weinschenk predicted, will lead to unparalleled growth of the firm.

"These acquisitions may help a lot of people involved in testing during pre-production, but there's still a much larger market for testing applications that are already out there," Weinschenk said. "People want to compare results across these systems and that's still painful to do using multiple products; our ability to port-in data via XML from both Watchfire and SPI gives us an advantage with those types of customers."

On a more fundamental level, IBM and HP are betting that customers want to begin transferring vulnerability testing responsibilities from security teams over to software developers -- a dramatic shift that will need time to take root, Weinschenk said.

As the two massive companies work to fold the acquisitions into their frameworks for use by quality assurance teams and developers, Cenzic will continue to market itself to the security professionals that are buying such tools today -- and already have the budget to do so, he said.