"In a span of two weeks, two of the largest applications security companies have been acquired by development platform providers, which proves that users of those platforms understand that having applications security as a discipline is as important to them as network or operational security," said Feiman. "This is the part of security that is being built into applications by customers, and it should be an integral part of these [software development] platforms to allow them to do that work."
In addition to appeasing customers who are already calling for integrated applications security testing tools, the HP-SPI and IBM-Watchfire deals should increase the trend toward software developers making security auditing part of their everyday work, the analyst said.
SPI has been a longtime partner of HP, which has offered its tools as a package with its Mercury and OpenView software development products -- just as Watchfire had been selling its applications security products packaged with IBM's Rational code-authoring tools before getting snapped up by the firm.
Both platform providers' moves to bring security testing capabilities under their own control should benefit their individual marketing efforts and customers' development lifecycle plans, other analysts said.
"SPI had integration with Mercury from a partner standpoint, but that type of a relationship is never as tight as it is within a product suite produced by the same company, and SPI will now be able to take better advantage of HP's installed base of customers," said Dr. Chenxi Wang, analyst with Forrester Research.
"Mercury is the leader of the quality testing market, and customers are increasingly making vulnerability testing a part of that type of work, as opposed to an afterthought, so it makes a lot of sense for HP to make this type of deal," Wang said.
One of the most significant benefits of adding SPI in particular is that it has both Web applications inspection and source code scanning tools in-house in the form of its WebInspect and DevInspect product lines respectively, along with its own QAInspect quality assurance tools, said the analyst.
SPI's combination of code and applications analysis software may give HP an advantage over its rivals, including IBM, Wang said, as she cited Watchfire's forte as based in pure Web applications assessment -- work typically done by quality and assurance testers -- not in technologies built specifically for use by applications developers.
"HP has a commitment to pushing this type of security technology deeper into the development lifecycle; integrating with Mercury now makes a lot of sense to their long-term vision," said Wang -- who has worked previously for the HP Labs research group as an independent consultant. "Having SPI's development-phase tools may give HP a leg up over IBM-Watchfire; HP wants to be selling these types of tools directly to developers, not QA testers."
According to a report issued earlier this month by the National Institute of Standards and Technology, a federal agency that develops technology standards, some 92 percent of all IT security vulnerabilities exist in software applications, which Wang cited as an "astounding" figure.
With customers clamoring for a way to reduce their risk to such issues, HP and IBM have seen the business opportunity and moved to address it, she said.