RealTime IT News

HP 'SPIs' Web Application Security

UPDATED: Suddenly, the market for securing Web applications is white hot.

HP bid to buy partner and application security assessment startup SPI Dynamics for an undisclosed sum just two weeks after IBM made a deal in the same arena.

The deal, announced at HP's Software Universe show in Las Vegas Tuesday, is designed to boost the system vendor's application quality management provisions to ensure that e-commerce Web sites and business processes run without any performance issues.

This pledge is a key facet of HP's multi-billion-dollar strategy for business technology optimization to fit IT with business processes, said Jonathan Rende, vice president of products for HP Software, on a conference call to discuss the deal.

Securing Web applications is a major concern now with the rise of rich Internet applications, wikis, blogs and mash-ups in the evolving world of Web 2.0.

"Web applications are becoming ubiquitous," said SPI Dynamics President and CEO Brian Cohen on the conference call. "Everyone wants to Web-enable things. As they do so, they fall into a lot of traps associated with application security. We have technology that allows them to identify the weaknesses in their applications and prescribe corrective actions."

SPI Dynamics makes several software products. But the one HP most covets for helping programmers preserve application quality is WebInspect, which allows customers to scan and identify security vulnerabilities of Web applications from development through deployment.

The idea is to detect coding errors that leave applications susceptible to exploits, such as SQL injections. HP uses the product to conduct security assessment and consulting engagements.

Applying security early in the development process also helps meet compliance requirements, such as Sarbanes-Oxley, PCI and HIPAA. To that end, SPI also makes DevInspect, which helps developers find security vulnerabilities in source code and fix them.

HP and SPI are well acquainted with one another through another key SPI product: SPI's QAInspect software integrates with HP Quality Center to allow QA testers to identify security defects early in the development lifecycle.

WebInspect, DevInspect and QAInspect are all managed by SPI's Assessment Management Platform (AMP), which allows customers to manage all of the SPI products in use throughout the development lifecycle.

"Security assessments and vulnerabilities are synonymous with defects," Rende added. "The sooner you find these, the better. We wanted to stake a claim in the fast-growing security space, and the best way to do that is to acquire a leader."

Despite this synergy, HP was noncommittal Tuesday about how many of SPI's 140 employees it would retain, but it will likely be more than happy to tack on SPI's 1,000-plus customers spread across several vertical markets. Also, SPI's assets will be tucked into HP's Technology Solutions Group when the deal closes in the third calendar quarter this year.

HP is targeting SPI shortly after IBM purchased partner Watchfire, which makes AppScan, a security vulnerability testing suite that lets users identify potential security risks in applications.

SPI and Watchfire are two of three Web application security pure plays. The third, Cenzic, remains independent for now.

HP also made the bid for SPI on the same day it reconstituted its security product set under the Secure Advantage umbrella. The idea is to give HP's security offerings less of a point-solution feel and more of an integrated one for customers.