The application vulnerability assessment market was just starting to hit its stride when HP and IBM shook things up last summer, acquiring leading vendors SPI Dynamics and Watchfire in rapid succession and leaving Cenzic as the largest remaining independent player.
Developments in these technologies are attracting intensified interest, given the proliferation of Web applications, growing concern over automated attacks, and strong compliance pressure, largely from PCI-DSS.
So, it's no surprise that HP announced its first major upgrade to the former SPI product line and included a software-as-a-service (SaaS) component of its HP Assessment Management Platform. IBM/Watchfire already offers its flagship product as a service, AppScan Enterprise Edition OnDemand.
The other significant application scanning SaaS player, WhiteHat Security, offers a very different model. HP's and IBM's offerings are designed primarily to leave application security in the customer's hands, complementing the customer's internal software development lifecycle processes with the vendors' consulting and professional services expertise to help customers deploy and get the most out of their investment. WhiteHat is a pure-play scanning service, conducting daily automated scans supported by human review.
"HP and IBM will be working with companies that already have solid internal expertise on solving application security issues and outsource some scanning tasks," said Chenxi Wang, principal analyst at Cambridge, Mass.-based Forrester Research Inc. "Internally, they are holding on to some of the resolution part. HP and IBM come in and do professional services to help solve problems."
Wang said the HP and IBM models could scale better than WhiteHat's, whose human review element improves accuracy and reduces false positives but, she said, is not as well suited to dealing with thousands of applications daily. IBM and, to a lesser extent, HP have the huge consulting resources to meet that kind of demand.
In addition to the service, which will be available in August, HP announced enhancements to its three major product components: WebInspect, its core application security scanning tool, and DevInspect and QAInspect, which uncover security flaws within the developer and quality assurance environments respectively.
DevInspect 5.0 features "hybrid analysis." That is, it takes the results of static scans and feeds them into successive dynamic scanning, which helps pinpoint major flaws more accurately and improves the tool's efficiency. QAInspect 5.0 integrates with HP Quality Center software, a platform that helps prioritize and manage remediation through the software development lifecycle.
HP said one of its strengths is presenting security defects in a way developers and QA personnel can grasp intuitively.
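To make the "hybrid analysis" idea concrete, the following is an added example (not HP's code or DevInspect's algorithm) of the static-feeds-dynamic loop in miniature: a static pass over a handler's source finds request parameters that flow into a SQL sink through string formatting, and the dynamic pass then sends SQL injection probes only to those parameters instead of to every input. The handler source, the in-memory SQLite stand-in for the running application (`run_target`), and the function names are all constructed for the example.

```python
import ast
import sqlite3

# Constructed sample of the "application under test": a request handler that
# reads two query parameters and uses one of them unsafely in a SQL string.
# This source is an assumption written for the example; it is only parsed.
TARGET_SOURCE = '''
def handler(request):
    user_id = request.args.get("id")
    style = request.args.get("theme")
    cursor.execute(f"SELECT name FROM users WHERE id = {user_id}")
    cursor.execute("SELECT value FROM prefs WHERE key = ?", ("theme",))
    return render(style)
'''


def static_taint_scan(source):
    """Static phase: return the names of request parameters that reach an
    execute() sink through string formatting (f-string or + / % BinOp)."""
    tree = ast.parse(source)
    param_of_var = {}
    # 1. Record variables assigned from request.args.get("<param>").
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Call):
            call = node.value
            if (isinstance(call.func, ast.Attribute) and call.func.attr == "get"
                    and isinstance(call.func.value, ast.Attribute)
                    and call.func.value.attr == "args"
                    and call.args and isinstance(call.args[0], ast.Constant)):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        param_of_var[target.id] = call.args[0].value
    # 2. Flag execute() calls whose query is built by formatting and
    #    mentions a tainted variable; parameterised queries are skipped.
    tainted = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            query = node.args[0]
            if isinstance(query, (ast.JoinedStr, ast.BinOp)):
                for sub in ast.walk(query):
                    if isinstance(sub, ast.Name) and sub.id in param_of_var:
                        tainted.add(param_of_var[sub.id])
    return sorted(tainted)


def run_target(params):
    """Constructed stand-in for the running application: executes the same
    vulnerable query against an in-memory SQLite database and returns
    (status, body), leaking the database error the way a debug page would."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    user_id = params.get("id", "1")
    try:
        rows = conn.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchall()
    except sqlite3.Error as exc:
        return 500, f"Database error: {exc}"
    # "theme" is merely reflected into the page, never used in SQL.
    return 200, f"{rows} theme={params.get('theme', 'default')}"


ERROR_SIGNATURES = ("syntax error", "unrecognized token", "Database error")


def dynamic_probe(param_names, target):
    """Dynamic phase: probe only the parameters the static phase flagged and
    report those whose responses show a SQL error or a boolean-conditional
    difference. Returns {param: [evidence, ...]}."""
    findings = {}
    for name in param_names:
        evidence = []
        _, body = target({name: "1'"})
        if any(sig in body for sig in ERROR_SIGNATURES):
            evidence.append("error-based")
        # Boolean differential: strip the reflected probe text first so an
        # input that is merely echoed back does not look like a difference.
        true_probe, false_probe = "1 AND 1=1", "1 AND 1=0"
        _, true_body = target({name: true_probe})
        _, false_body = target({name: false_probe})
        if true_body.replace(true_probe, "") != false_body.replace(false_probe, ""):
            evidence.append("boolean-based")
        if evidence:
            findings[name] = evidence
    return findings


def hybrid_scan(source, target):
    """Static results drive the dynamic scan: returns (flagged params, findings)."""
    flagged = static_taint_scan(source)
    return flagged, dynamic_probe(flagged, target)


if __name__ == "__main__":
    print(hybrid_scan(TARGET_SOURCE, run_target))
```

Run against the constructed handler, the static pass flags only `id` (the `theme` parameter and the parameterised `prefs` query are never probed), and the dynamic pass confirms `id` with both error-based and boolean-based evidence. The payoff the paragraph describes is visible in the numbers: every probe is spent on a parameter that static analysis already showed reaches a sink, and a dynamic hit on a statically flagged sink is far less likely to be a false positive than either signal alone.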
"When we said these are just software defects, that we're essentially building tools to help you automatically find security software defects, we really got a lot of buy-in," said Mark Sarbiewski, HP senior director of product marketing. "It's tailored to make it very comfortable for developers and QA professionals to handle security defects."
WebInspect 7.7 features faster runtime and improved accuracy for detecting major flaws, especially cross-site scripting and SQL injection vulnerabilities, HP said.
One question to watch: with two industry giants in this market, will customers be drawn to the company they already favor, or judge product capabilities on their own merits? Forrester's Wang thinks it depends on the customer.
"If they are existing customers for their software lifecycle products such as Mercury or Rational, it probably makes sense to look at their security products," she said. "But, independent evaluators of products tend to be a little less concerned about buying into the HP product portfolio or IBM product portfolio, partially because these are market-leading products, and customers are looking for best of breed technologies."