Analysts say Hewlett-Packard Co. (HP) can greatly improve its product security through the acquisition of SPI Dynamics Inc. But some users say they've watched other vendors buy up good security technology only to let it languish, and they hope HP won't make the same mistake.
The news reflects the larger trend of consolidation in the IT security market, as standalone security vendors struggle to survive and big IT infrastructure providers use acquisitions to integrate more security into their product development lifecycles. On Monday, PatchLink Corp. said it would acquire endpoint security vendor SecureWave, and IBM announced two weeks ago that it would acquire risk management software vendor Watchfire Corp.
Analysts believe HP's acquisition of SPI Dynamics makes sense, since customers are demanding that sharper security teeth be built into the larger IT infrastructure. Joseph Feiman, a research vice president with Stamford, Conn.-based Gartner Inc., said HP is reacting to the same pressure IBM reacted to when it decided to buy Watchfire. He said the acquisitions reflect Gartner's forecast that large IT vendors will push to acquire application testing capabilities.
"With things like firewalls and traffic encryption, you're not dealing with application security, and so you need to embed security into the application lifecycle," he said. "That's what IBM did with Watchfire and that's what HP is doing with SPI Dynamics."
As the trend continues, Feiman believes there's real potential for the standalone application security market to disappear in several years as the technology becomes a natural part of the software development lifecycle for companies like HP, IBM, Microsoft and Cisco.
Chenxi Wang, an analyst with Cambridge, Mass.-based Forrester Research Inc., agrees the HP-SPI Dynamics deal reflects how important application security has become.
"The National Institute of Standards and Technology reports that 92% of all vulnerabilities found today are due to application flaws rather than network or system flaws," Wang said in an email exchange. "Many organizations now have Web-facing applications, the security of which worries many. SPI's products are used to test the security of Web applications, and SPI is a leader in the market."
The acquisition also makes sense given that SPI Dynamics recently integrated its technology with HP's Quality Center platform, which HP acquired from Mercury Interactive in 2006. Wang believes this latest acquisition is simply HP continuing what it started with the Mercury acquisition.
"The integration between SPI and Mercury is a very compelling one, even more compelling than IBM Rational and Watchfire," Wang said. "This highlights HP's commitment to deliver quality software, and its vision to extend quality control over all phases of the software lifecycle."
She said the move also makes sense from SPI Dynamics' standpoint because it can tap into HP's large install base.
Despite all this potential for good, some IT professionals see cause for concern.
Robert Shullich, senior security technology advisor in the corporate information security office at New York-based Bowne & Co. Inc., said he worries about what he calls the Computer Associates (CA) effect across the IT security market. "CA just gobbled up companies and drained them, fed the good ones and starved the bad ones," he said in an email. "IBM is a big and good company, but you worry whether service will get better or worse. Will the products and services at least continue to be developed and supported at the same levels or higher that were in effect before the acquisition?"
Keith Gosselin, an IT officer for Biddeford Savings Bank in Biddeford, Maine, uses HP ProLiant file servers, and all of the company's desktops come from the vendor. He said HP has been less than stellar in the past about informing customers of product updates, and he hopes the company's increased focus on security will change that. But he too worries about SPI Dynamics technology getting butchered.
"Symantec bought good technology from BindView and others and just killed the technology," he said. "I'd like to see companies follow IBM's lead, because IBM did a nice job when it acquired Internet Security Systems (ISS). They absorbed ISS into their corporate infrastructure while giving ISS independence to continue as is. That's how I hope HP goes about it with SPI Dynamics."
During a press conference Tuesday morning, executives from HP and SPI Dynamics promised that this integration will be what users are hoping for. For starters, they said, users can expect HP to retain the talented staff of SPI Dynamics.
"You don't have intellectual property if you don't have the people," said Jonathan Rende, HP's VP of products and software quality management. "We have no intention of doing anything but fuel the fire."
SPI Dynamics CEO Brian Cohen said HP is particularly eager to tap into his company's research base.
"SPI has a far larger research commitment than anyone else," he said. "We virtually owned the security application track at Black Hat last year and I believe we will this year. Early on in our talks with HP they saw our lab as critical in this deal. I have no reason to believe it won't continue and indeed grow."