
Watchfire will help IBM build application security

By Bill Brenner, Senior News Writer
06 Jun 2007 | SearchSecurity.com

Security Wire Daily News

WASHINGTON -- Analysts at the Gartner IT Security Summit have been pushing their Security 3.0 concept this week, saying security must be embedded into the larger IT infrastructure produced by the likes of Microsoft, Cisco and IBM. These vendors have been acquiring security firms to make it happen, and Gartner conference attendees have speculated on who's next.


The question was answered Wednesday when IBM announced its acquisition of Watchfire Corp., a risk management software vendor, for an undisclosed sum.

Of interest to analysts here is that IBM's Rational software division is taking on the acquisition rather than its security division. The Rational development platform provides tools for developers to model, design and build Web-based architectures for SOA, systems and applications. Gartner research vice president Joseph Feiman said IBM has had absolutely no application security capability, and so the Watchfire acquisition makes perfect sense.

Waltham, Mass.-based Watchfire develops AppScan, Web application vulnerability assessment software, and WebXM for Web site risk assessments.

"I expect IBM will probably integrate Watchfire's technology into its workflow and quality testing tools," Feiman said. "To make application developers adopt security, actions like this are necessary."


IBM would seem to agree, saying the Watchfire technology will extend its governance and risk management strategy. "Watchfire with IBM Rational software will help customers integrate Web application security and compliance early on and throughout the software development process," IBM said in a statement. "As a result, customers will now be able to define, test and track the compliance of their applications with security, legal and corporate requirements."

IBM said it also expects Watchfire technology to complement existing IBM Tivoli identity, access and compliance management software offerings and ISS by extending security and compliance testing as an integrated element of the application development lifecycle. IBM acquired ISS for $1.3 billion last year.

For Gartner, the acquisition is an example of how IBM is following the Security 3.0 concept that is the theme of this year's conference. Monday, Gartner analyst John Pescatore said that in the old days, IT could restrict the user. Then came the age of Security 2.0, where IT struggled to keep up with a deluge of new point technologies. New technology came into widespread use far faster than the ability of IT to secure it all. At the same time, the bad guys picked up on flaws in all the emerging technology and began to exploit it. He said another huge change is underway in how companies are using technology to do business.

"With the consumerization of IT, through the use of blogs, wikis, etc., things are changing again in a fundamental way," he said in his keynote address to conference attendees. "The bad guys are finding a rich target environment and are using attacks that run quiet and deep."

He noted how attackers are using malware hidden within things like screen savers and Web sites to go after specific parts of a company's infrastructure, with the goal of stealing critical data. As a result, he said, we've seen the steady stream of data breaches in the past two years.

Pescatore said Security 3.0 is about staying ahead of evolving threats by integrating security into the larger IT infrastructure. "It's about moving from whack-a-mole to a chess game where we can deploy security in one place so the attacker has to move in another direction," he said. "The idea isn't necessarily to win, but to always be a couple steps ahead of the bad guys and force them into a stalemate."

Wednesday, Feiman put the theme in context with IBM's Watchfire acquisition. "[Gartner has] projected that by next year, 80% of the big vendors will make security an integral part of its development process," he said. The Watchfire acquisition, therefore, is part of IBM's effort to bolster its own security development lifecycle, he said.


