The software security sector has become one of the more crowded and diverse markets in recent years as vendors with application scanners, static-analysis tools, pen testing teams and hordes of consultants have raced to address the need for better, more secure software. This task once was the province of the big consulting firms and the highly specialized shops like Foundstone Inc., @stake (now Symantec Corp.) and Cigital Inc. But a growing emphasis in both the private sector and the government market on producing better quality code from the start has created a major growth spurt.
How big has it gotten? Somewhere in the neighborhood of $275 million to $300 million in 2007, according to numbers gathered by Cigital CTO Gary McGraw. That number isn’t going to scare the firewall market anytime soon, but it’s nothing to sneeze at either. More than half of that revenue number came from the various software security tools vendors, including HP’s SPI Dynamics unit, IBM’s Watchfire group and smaller players like Cenzic Inc. and WhiteHat Inc. But a big chunk also came from the companies selling so-called white-box analysis tools, such as Fortify Software Inc. and Ounce Labs Inc.
As McGraw points out:
This is a telling development. The source code analysis space is now larger than the black box testing tools space, showing that enterprises are spending money wisely and looking to fix problems, not just identify them from the operations side. Step one in solving software security problems (even when we’re only talking bugs) is knowing exactly where in the code the problem exists. White box analysis is superior to black box analysis in that respect. Plus, the move to encompass source code of any sort is a very nice expansion of software security outside of the “strictly the Web” (port 80) thinking that somewhat hampered the first generation of tools.
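The point McGraw makes about white-box analysis, that it tells you exactly where in the code a problem sits rather than only that a request misbehaved, can be shown with a very small source-code checker. The following is an added example written for this page, not code from Cigital or any of the vendors named above. It walks a Python AST looking for a handful of assumed sink patterns (eval/exec, os.system, subprocess calls with shell=True, and database execute() calls whose query string is assembled at run time) and reports file, line and column for each hit. The sample program it scans is constructed for the example and contains two deliberately weak call sites and one correctly parameterised query.

```python
import ast

# Call targets treated as direct sinks. This list is an assumption for the
# example; a real tool would carry a much larger, configurable catalogue.
DIRECT_SINKS = {"eval", "exec", "os.system"}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_built_string(node):
    """True if the expression is assembled at run time: f-string, % or +
    concatenation, or str.format(). A plain string constant returns False."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def find_sinks(source, filename="<constructed>"):
    """White-box pass: parse the source and return one finding per risky call,
    each carrying the exact location the developer needs to fix it."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func) or ""
        message = None
        if name in DIRECT_SINKS:
            message = f"call to {name}()"
        elif name.startswith("subprocess.") and any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                and kw.value.value is True for kw in node.keywords):
            message = f"{name}() invoked with shell=True"
        elif name.endswith(".execute") and node.args and _is_built_string(node.args[0]):
            message = f"{name}() given a query string built at run time"
        if message:
            findings.append({"file": filename, "line": node.lineno,
                             "col": node.col_offset + 1, "message": message})
    findings.sort(key=lambda f: (f["line"], f["col"]))
    return findings


def report(findings):
    """Format findings the way a compiler reports errors: file:line:col: text."""
    return [f"{f['file']}:{f['line']}:{f['col']}: {f['message']}" for f in findings]


# Constructed sample input: two weak call sites (lines 5 and 9) and one safe,
# parameterised query (line 13) that must not be flagged.
SAMPLE = '''\
import os, subprocess, sqlite3

def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)
    return cur.fetchall()

def ping(host):
    subprocess.run("ping -c 1 " + host, shell=True)

def safe_lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
    return cur.fetchall()
'''

if __name__ == "__main__":
    for line in report(find_sinks(SAMPLE, "sample.py")):
        print(line)
```

A black-box scanner exercising the same application over HTTP could, at best, observe that some request to the lookup endpoint produced a database error; it has no way to name `sample.py:5:5` as the place to change, which is exactly the gap McGraw's comparison is about. The checker is deliberately syntactic (it does not track where `user` or `host` came from), so it will over-report in code that builds queries from trusted constants; a taint-tracking analysis is the usual next step, not a different kind of tool.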
This is all for the good. Writing good, reliable software is a notoriously difficult task that even the largest and most well-funded development organizations in the industry still struggle with. Putting more resources into security testing and analysis of code before it goes into production won’t find or fix every problem, but it should help eliminate a lot of the common security and reliability bugs that crop up.