HP ‘SPIs’ Web Application Security

UPDATED: Suddenly, the market for securing Web applications is white hot.


HP bid to buy partner and applications security
assessment startup SPI Dynamics for an undisclosed sum just two weeks after IBM made a deal in the same arena.


The deal, announced at HP’s Software Universe show in Las Vegas Tuesday, is
designed to boost the system vendor’s application quality management
provisions to ensure that e-commerce Web sites and business
processes run without any performance issues.


This pledge is a key facet of HP’s multi-billion-dollar strategy for
business technology
optimization to fit IT with business processes, said Jonathan Rende, vice
president of products for HP Software, on a conference call to discuss the
deal.


Securing Web applications is a major concern now with the rise of rich
Internet applications, wikis, blogs and mash-ups in the evolving world of
Web 2.0.


“Web applications are becoming ubiquitous,” said SPI Dynamics President and
CEO Brian Cohen on the conference call. “Everyone wants to Web-enable things. As they do so, they fall into a lot of traps associated with application security. We have technology that allows them to identify the weaknesses in their applications and prescribe
corrective actions.”


SPI Dynamics makes several software products. But the one HP most covets for
helping programmers preserve application quality is WebInspect, which allows customers to scan and identify security vulnerabilities of
Web applications from development through deployment.


The idea is to detect coding errors that leave applications susceptible to
exploits, such as SQL injections. HP uses the product to conduct security
assessment and consulting engagements.


Applying security early in the development process also helps meet
compliance requirements, such as Sarbanes-Oxley, PCI and HIPAA. To that end,
SPI also makes DevInspect, which helps developers find security
vulnerabilities in source code and fix them.


HP and SPI are well acquainted with one another through another key SPI
product; SPI’s QAInspect software integrates with HP Quality Center to allow
QA testers to identify security defects early in the development lifecycle.


WebInspect, DevInspect and QAInspect are all managed by SPI’s Assessment
Management Platform (AMP), which allows customers to manage all of the SPI
products in use throughout the development lifecycle.


“Security assessments and vulnerabilities are synonymous with defects,”
Rende added. “The sooner you find these, the better. We wanted to stake a
claim in the fast-growing security space, and the best way to do that is to
acquire a leader.”


Despite this synergy, HP was noncommittal Tuesday about how many of SPI’s
140 employees it would retain, but will likely be more than happy to tack on
SPI’s 1,000-plus customers spread across several vertical markets. Also,
SPI’s
assets will be tucked into HP’s Technology Solutions Group when the deal
closes in the third calendar quarter this year.


HP is targeting SPI shortly after IBM purchased partner Watchfire, which makes AppScan,
a security vulnerability testing suite that lets users identify potential
security risks in applications.


SPI and Watchfire are two of three Web application security pure plays.
The third, Cenzic, remains independent for now.


HP also made the
bid for SPI on the same day it reconstituted its security product set under
the Secure Advantage umbrella. The idea is to give HP’s security offerings
less of a point solution and more of an integrated feel for customers.
