Watchfire Buys Web App Security Pioneer

The company's acquisition of Sanctum may serve as a milestone in the Web application security market.

Sanctum Inc., one of the pioneers of the Web application security market, was acquired Monday by enterprise software provider Watchfire Inc. The companies are not detailing the financial terms of the transaction.

Sanctum had been the subject of acquisition rumors for more than a year, with many industry observers suggesting that Microsoft Corp. or any of a number of security companies would be a good fit.

The acquisition may serve as a milestone marking the end of the beginning for Web application security. Sanctum helped define both the term and the sector in 1999 when it introduced its AppShield application firewall, which was the first product of its kind. It took some time for enterprises to warm up to the idea of buying a separate firewall to protect their Web applications, but the emergence of sophisticated attacks targeting those applications helped the product gain a foothold.

The next year, Sanctum introduced its AppScan solution, which helped companies find flaws in their applications by scanning the code for security vulnerabilities. Since then, Sanctum has devoted much of its resources to AppScan, developing separate editions of the product for developers and quality assurance engineers.

Watchfire officials said they plan to integrate AppScan's functionality into WebXM, Watchfire's flagship solution for scanning Web sites for privacy, compliance and quality problems. Customers had been asking the company to include some security capabilities in the platform for some time, and Watchfire executives decided there was no need to build that functionality when Sanctum had already done the work.

The two companies share a common investor in Goldman Sachs and began having conversations late last year, but it wasn't until this spring that the acquisition talks heated up.

"We'd had a couple of conversations last year, but we were both busy with other things. But we gradually got to talking in April and it just began to make all kinds of sense," said Peggy Weigle, CEO of Sanctum, based in Santa Clara, Calif. "They were getting inquiries about security and we were going to build a central console, which they already had."

The two companies' research and development organizations have been working together for several weeks in anticipation of the merger, and Weigle and Mike Weider, founder and chief technology officer of Watchfire, said the work has gone well enough that Watchfire plans to release a version of WebXM with the AppScan functionality in the fall. The company plans to continue developing all of Sanctum's other products as separate offerings for the foreseeable future.

Weigle said she will stay on during the transition period, but plans to leave after the merger is complete. Weider estimated that about 60 of Sanctum's 90 employees have agreed to join Watchfire, which is based in Waltham, Mass.

"Our respective competitors will be very concerned about this. And if they're not, then they should be," Weigle said.
