Thursday, June 21, 2007

The web application security market is hot, hot, hot.

Since the acquisitions of SPI Dynamics and Watchfire, several people have asked me the same two questions: When is WhiteHat going to get acquired and what does this mean for the web application security market?

1) Obviously the acquisition question isn’t something I’d be able to comment freely about even if I wanted to. I’ll politely hide behind no comment.

I did want to congratulate both companies, especially the SPI Dynamics founders (and long time employees) whom I’ve known a long time. Caleb, Brian, Brian, and Erik put a lot in - dedicating many years of their lives to building a great company. By all accounts the acquisition will be successful for them, which I believe is also a first for the web application security market. Well-done guys! Don’t spend it all in Vegas during Black Hat :)

2) IBM and HP purchased Watchfire and SPI technology respectively to extend their enterprise software development offerings. The deals are not really seen as leading to a “security play” by either acquirer; Mike Rothman says IBM and HP don’t have security strategies anyway. As company/product integration takes place, the scanning technology will probably become a built-in feature of larger enterprise software development packages, with standalone vulnerability scanner innovation taking a backseat (or disappearing) in favor of the pure SDLC aspects that’ll be in the hands of developers and QA types.

Solutions for detecting vulnerabilities in web applications are separated into two distinct and complementary markets: vulnerability assessment (VA) and developer/QA tools for security within the SDLC. VA is served by WhiteHat (SaaS), a myriad of small to large consulting shops, and to some extent Qualys and ScanAlert (SaaS), who’ve recently started their webappsec initiatives. The VA focus will be website security oversight, concentrating on scale, ease of deployment, and lowering TCO. The tools, as always, will assist in the production of quality code.

What's clear though is web application security is finally considered a "real" market segment.