With malware code writers creating a growing number of attacks aimed at exploiting vulnerabilities in software applications—in addition to threats that target operating system flaws—longtime partners Symantec and Microsoft are both trying to stake claims in the applications security space.
While Symantec's play is more straightforward, having seeded the sector with a range of products and services since 2005, Microsoft is thought to be readying a slew of offerings it will market to third-party software developers to help them drum potential vulnerabilities out of their products.
In the process of building its newly launched Windows Vista operating system, Microsoft, of Redmond, Wash., employed a new vulnerability detection process labeled Security Development Lifecycle that it claims has greatly reduced the number of holes in its products, and which will serve as a foundation for the company's nascent applications security business.
The full extent of Microsoft's plans remains unclear, but it is already providing information about SDL to other developers through one-on-one consulting sessions and is publishing details of its work online and in a book.
“Microsoft realizes that security researchers and malicious attackers will not confine themselves to Microsoft products,” company representatives said in a statement. “Our efforts are resulting in significant improvements in the security of our software, and we have every confidence that, together with our industry partners, we'll continue to meet the constantly evolving challenge to help our customers and the industry to become more secure.”
However, some experts say Microsoft is also developing products that will compete directly with those made by companies such as Symantec. “Microsoft is moving into applications security in a big way, with source-code scanning tools in the works,” said Ed Adams, CEO of Security Innovations, an applications risk management consultancy in Wilmington, Mass. “They want to take SDL and roll out services and solutions around it to market to other software developers, and that could become a pretty big business.”
Adding another wrinkle is the companies' respective relationships with Accenture, of Hamilton, Bermuda. Symantec announced a joint initiative with Accenture in October, dubbed Accenture and Symantec Security Transformation Services. Microsoft has long had close ties with Accenture, jointly operating their Avanade venture since 2000.
“Symantec's partnership with Accenture could be an interesting point of strain for Microsoft,” Adams said. “Anything Microsoft creates in terms of security applications services will likely go through partners like Accenture; Microsoft could end up being troubled by the work with Symantec if they're counting on Accenture to roll out those types of services.”
Officials from Accenture downplayed any competitive issues arising from the company's partnerships, and indicated a need for a multivendor approach to security. “Few organizations have a monoculture around development platforms, and we're most often in the position of supporting Microsoft-based components along with everything else that you find out there,” said Jesse Bowen, managing director of the Accenture-Symantec initiative.
Analysts said Accenture will likely derive a lot of business from both vendors, with the only real area of competition between Microsoft and Symantec arising in the market for applications security tools for use with Windows applications and other Microsoft-oriented programs.
However, Symantec's core business has long been built around providing products that secure Microsoft technologies, said Jon Oltsik, an analyst with Enterprise Strategy Group. Despite that, Oltsik said there should be room for both Microsoft and Symantec in applications security.