HP-SPI deal underscores apps security integration
As attacks on applications-level vulnerabilities increase, more enterprises are integrating security testing apps into their software development -- often via acquisition
Hewlett Packard's acquisition of Web applications security specialist SPI Dynamics on June 19 illustrates a growing demand among enterprise customers to have vulnerability-scanning tools integrated into their software development platforms.
Following closely behind IBM's June 6 acquisition of Watchfire, one of Atlanta-based SPI's closest rivals in the Web applications and software code-scanning space, the HP buyout highlights the rapidly emerging trend toward integration of security testing tools into the software development process.
HP, which acquired software development giant Mercury Interactive for $4.5 billion in cash in July 2006 in a move that greatly expanded its interests in the area, said that it plans to blend SPI's business and its 140-person staff into the software unit at its Technology Solutions Group, the division responsible for its server and storage products, as well as its IT consulting services.
In response to the growing threat of attacks on applications-level vulnerabilities, the company said, more customers than ever before are building security testing requirements into their development projects.
By folding applications security testing into its existing portfolio of tools, HP officials said, the company has added an increasingly strategic piece of the overall software development puzzle.
"This adds a new chapter to the applications side of the house; we think of applications and [IT] operations working together, and this adds the piece of security assessment from early on in the [software development] lifecycle all the way through to production," said Jonathan Rende, vice president of products for the Quality Management Software group at HP.
"This is a new dimension of that, that is so complementary because there is a whole set of users who are getting involved in security assessment in the lifecycle," Rende said on a conference call with media and analysts. "There are security experts who determine policies and prepare applications before they go live, but then there are also the developers and quality assurance professionals who need to ensure security before the applications go live."
In a research report published by market analysis firm Gartner in May 2007, industry experts said that by 2009, some 80 percent of major software development lifecycle vendors would offer source code security scanning tools as part of their platforms.
The firm said further that 60 percent of IT organizations will have made vulnerability detection an integral part of their development process by 2010.
HP's move to buy SPI and IBM's acquisition of Watchfire provide tacit evidence that those predictions are already coming to pass, said Joseph Feiman, the Gartner analyst who authored the report.









