The drumbeat for more secure application development picked up pace on Tuesday, with news that software giant HP had acquired privately funded Fortify Software, a maker of static code analysis tools, for an undisclosed amount.
The deal underscores the growing importance of application security and application testing, but not everyone is convinced that HP-Fortify will do much to stem a flood of new vulnerabilities as applications migrate to the Web and attackers focus on vulnerabilities in common applications.
Vulnerabilities in Adobe Flash Player, Apple QuickTime and other popular applications were among the leading targets of attacks in 2009, according to data from Kaspersky Lab. HP says Fortify’s technology will streamline development and application security testing for its customers.
“Software has become infrastructure, just like steel and cement,” said Joshua Corman, Research Director at The 451 Group and co-founder of RuggedSoftware.org, a non-profit group that is trying to raise awareness about the need for secure coding. “The applications we build aren’t nearly as strong as the bridges or buildings we rely on every day,” he said.
“I use the term ‘vulnerabiquity’,” he said. “There are just pervasive (software) vulnerabilities. We’ve got to do something.”
Application testing is an increasing focus of auditors, too. Regulations like the Payment Card Industry Data Security Standard (PCI DSS) call for application code audits as a necessary step to prove compliance. But Corman said that code security testing is still a specialized skill in the software field and not of interest to most developers.
Fortify, which was founded in 2003, raised $24m from investors including Kleiner Perkins Caufield & Byers as well as Sigma Partners, Interval Capital Partners and Duff Ackerman & Goodrich. It last raised money in 2007 and claimed to be cash flow positive and profitable at the time it was acquired.
The company has long partnered with HP, most recently announcing Hybrid 2.0, a product that integrated HP’s Assessment Management Platform (AMP) with Fortify’s Source Code Analysis (SCA) and Program Trace Analyzer (PTA) products to link the results of penetration tests to static and dynamic source code analysis tools. While HP acquired some static analysis capabilities with SPI Dynamics, word is that the company had de-emphasized that technology in recent years, preferring Fortify’s tools.
Fortify’s products are mostly licensed by large enterprises, with Oracle, Wells Fargo and Fidelity Investments as customers. The company has also worked with large systems integrators, like HP-owned EDS, and has partnered with third-party providers, like application testing firm WhiteHat Security, on Web application vulnerability testing.
HP’s acquisition will help make Fortify’s tools more mainstream and consumable for a broader population of companies. But analysts like Corman aren’t convinced that there will be a spike in demand for them, or an overall improvement in the software security landscape, without broader investment in software testing and changes to the way software development is taught.
HP said it will maintain Fortify as a stand-alone entity in the short term, eventually folding its products into its Business Technology Optimization application portfolio, which also contains Web application testing tools acquired with SPI Dynamics.