HP buys SPI Dynamics: The trend continues

The software security tools market has been ripe for picking, for two reasons:

• We had a lot of small, privately held companies developing exciting, but in many cases, overlapping, technology, but those companies had trouble finding customers and going to market. Their exit strategy is to be gobbled up by a big fish.

• The big fish were significantly behind the times when it came to integrating security into their developer tools. Their business models favor buy-it instead of build-it for this type of technology, but they weren’t buying.

Until recently, that is. Until this month, none of the big fish, like IBM Rational, Mercury (now part of HP), Microsoft, Oracle, Sun and Borland/CodeGear, had integrated security into their IDEs, test/QA tools, or application life cycle suites. The notable exception has long been Compuware, with its DevPartner SecurityChecker. It's only been a matter of time before the fish started munching, and frankly, I expected the feeding frenzy to start quite a while ago.

The dam broke a couple of weeks ago, when IBM announced the acquisition of Watchfire. Today we have the second big move: Hewlett-Packard said it will buy SPI Dynamics.

This is only the start.

Microsoft needs to incorporate a top-quality security solution into Visual Studio Team System, encompassing not only the edition for software testers, but also the editions for architects and developers. This is a glaring weakness. While Microsoft could build the functionality itself (as it did with the other ALM tools in Team System), it would do better buying one of the existing players, and that’s what I think the company will do.

Oracle is in a similar situation: It doesn’t have software security functionality, either baked into its tools or as stand-alone offerings. It’s hard to predict what Oracle will do, whether they’ll build it, buy it or ignore it.

Borland and its CodeGear subsidiary are also behind the times. Security is a core part of the application life cycle, but there's no specific security offering in the Borland pantheon, not even in its Silk and Gauntlet tools. As with Microsoft, Borland could build or buy, but I expect them to buy. I hope whatever they do gets baked back into the CodeGear IDEs; that's where software security belongs, as tightly integrated into the developer desktop as spellcheck is integrated into a word processor.

The Eclipse and NetBeans projects need to start software security initiatives. The lack of a security project, either as a top-level element or as part of the Eclipse Test & Performance Tools Project, is a huge oversight, but given how the Eclipse Foundation works, it takes a commercial vendor to initiate a project. Now that IBM is buying Watchfire, it's less likely that Big Blue will push Eclipse in this direction. NetBeans, by contrast, is driven by one company's strategic vision. However, Sun needs to be more strategic and visionary here, and get on the ball.

Fortunately, there are more software security companies available for purchase. It won’t be long until we see the big fish gobble up Agitar, Armorize, Cigital, Fortify, Klocwork and Ounce Labs. Who do you think will go first?

Z Trek Copyright (c) Alan Zeichick