If application security has to be baked into the development process, source code analysis tools are the technological equivalent of oven mitts—making their providers natural targets for acquisition, some analysts predicted.
"Theres a lot of interest in this space because of [the Payment Card Industry Data Security Standard]," said Nick Selby, an analyst with The 451 Group. "Were seeing an exponential increase in the number of software-as-a-service providers who are doing vulnerability assessments either for Web applications or for traditional network applications or network vulnerability assessment.
"Those companies are branching into application vulnerability assessment and were seeing a move at a high level to push code analysis and security assessment into the development stage of coding as opposed to where it is now, which is in the quality assurance and in production," Selby said.
Click here to read about a Web application testing tool from Core Security Technologies.
The past year saw two major acquisitions related to application security testing: Hewlett-Packards purchase of SPI Dynamics and IBMs acquisition of Watchfire. The acquisitions, coupled with an increase in the number of providers offering vulnerability assessments, are indicators of a growing emphasis on increasing security in the development process.
One driver behind any acquisitions in the space may simply be competition. Ironically, though, the number of acquisitions that have already taken place may mean there are fewer on the table for 2008, Gartner analyst John Pescatore said. Still, some of the larger vendors, like Fortify Software, are likely to be targets of companies that compete with IBM and HP in the software development space, he said.
"Microsoft already has its own technology, as do Compuware and Parasoft—CA, Borland," he said. "Serena Software would be the largest [of the] application development vendors who might acquire a software vulnerability testing firm. Fortify is doing a lot of work with Oracle, so that might be a potential acquirer for them."
Forrester Researchs Chenxi Wang noted that IBMs Rational portfolio spans more phases in the development life cycle than the technology HP acquired when it purchased Mercury Interactive. As a result, many expect IBM to become a more comprehensive application security vendor than HP, Wang said. She added she would not be surprised if HP made a bid for a development-phase product to solidify its position in the application security market.
"I think more acquisitions are definitely in the cards for 2008," Wang said. "Security testing, as a functionality, is gradually being considered more as part of the app development life cycle rather than an independent component. How quickly the acquisitions will happen will depend on the market acceptance of development-phase—as opposed to testing-phase—security products. So far, the market acceptance has been somewhat slow."
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.