With malware code writers creating an increasing number of attacks aimed at exploiting vulnerabilities in software applications, in addition to their threats that target operating system flaws, longtime partners Symantec and Microsoft are both attempting to stake major claims in the application security market.
While Symantec's play is more straightforward, having targeted the sector with a range of products and services since 2005, Microsoft is believed to be readying a slew of offerings it will market to third-party software developers to help those firms drum potential vulnerabilities out of their products.
Microsoft's failure to identify weak points in its own software, specifically its Windows OS, has been a highly publicized issue for many years, but the company claims to have turned over a new leaf. In the process of building its newly launched Windows Vista OS, the Redmond, Wash.-based software maker employed a new vulnerability detection process labeled SDL (Security Development Lifecycle), which it claims has greatly reduced the number of holes in its products, and which will also serve as a foundation for the firm's nascent applications security business.
Thus far, the full extent of Microsoft's plans in the segment remains unclear, but it is already providing information about SDL to other developers through one-on-one consulting sessions, along with publishing details of its work online and in a book.
Company officials offer few details of the software maker's long-term strategy in applications security, but Microsoft has made it abundantly clear over the past year that it is set on growing its presence in the larger security software arena.
"Microsoft realizes that security researchers and malicious attackers will not confine themselves to Microsoft products," company representatives said in a statement. "Our efforts are resulting in significant improvements in the security of our software, and we have every confidence that, together with our industry partners, we'll continue to meet the constantly evolving challenge to help our customers and the industry to become more secure."
However, some experts contend that Microsoft is also developing products that will compete directly with those made by companies such as Symantec, based in Cupertino, Calif., including SDL-based software tools used to scan third-party applications for security flaws.
"Microsoft is moving into applications security in a big way, with source code scanning tools in the works," said Ed Adams, chief executive of Security Innovations, an applications risk management consulting firm based in Wilmington, Mass. "They want to take SDL and roll out services and solutions around it to market to other software developers, and that could become a pretty big business."
Microsoft's August 2006 leap into Symantec's home turf in the consumer anti-virus market, with the launch of its OneCare product line, is presently one of the biggest stories in the security market, with the increased competition pushing longtime market leader Symantec to explore new market opportunities as one of its leading sources of revenue comes under pressure.
Adding another wrinkle to the potential rivalry developing between the two firms in the applications security market are the companies' respective relationships with consultant Accenture.
Symantec announced a joint initiative with the Hamilton, Bermuda-based company in October 2006, dubbed Accenture and Symantec Security Transformation Services. Microsoft has long maintained close bonds with Accenture, with the partners having operated their Avanade joint venture together since 2000.
One of the three areas the Symantec-Accenture tie-up is focusing on is applications security, along with regulatory compliance and security monitoring.
"Symantec's partnership with Accenture could be an interesting point of strain for Microsoft," Adams said. "Anything Microsoft creates in terms of security applications services will likely go through partners like Accenture; Microsoft could end up being troubled by the work with Symantec if they're counting on Accenture to roll out those types of services."
Officials from Accenture working on the Security Transformation Services project downplayed any competitive issues arising from the company's various partnerships, but recognized the advantage that the group feels it will have over anything launched by Microsoft in the applications security market: the ability to work with the many developers building products not designed to run on Microsoft systems.
"Few organizations have a monoculture around development platforms, and we're most often in the position of supporting Microsoft-based components along with everything else that you find out there," said Jesse Bowen, managing director of the Accenture-Symantec initiative.
"We work with Microsoft a lot, and will continue to do so, and there may be cases where customers of [the Symantec venture] are Microsoft focused that we will look to them for support," Bowen said. "But security is not our primary focus with Microsoft, as opposed to Symantec, who brings market-leading capabilities to our joint initiative."
Industry analysts said Accenture will likely drive a lot of business from both vendors, with the only real area of competition between Microsoft and Symantec arising in the market for applications security tools designed to be used with Windows applications and other Microsoft-oriented programs.
However, Symantec's core business has long been built around providing products that secure Microsoft technologies, said John Oltsik, an analyst with Enterprise Strategy Group, Milford, Mass. Despite that, the analyst said there should be room for both Microsoft and Symantec to expand their presence in the applications security market.
"Microsoft will focus on Windows, and Symantec will focus on heterogeneous environments, and Accenture will play both cards, so even though there may be some competition, everyone will look to find a niche and exploit it," Oltsik said.
"Accenture wins, but Microsoft will make sure to align with someone else like EDS or BearingPoint; Symantec needs to build a business and hope Accenture will play, [Symantec] will have to drive things if that effort is going to grow."
Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraine's eWEEK Security Watch blog.