On the heels of IBM's acquisition of Watchfire, HP today announced it was buying SPI Dynamics, another application security bellwether, for an undisclosed amount.
The move signifies the growing convergence of the information security marketplace, especially in light of IBM’s pickup of Watchfire, which was SPI’s main competitor, analysts said today.
"We wanted to stake a claim in the fast-growing security space, and the best way to do that is to acquire a leader," Jonathan Rende, vice presidents of products at Palo Alto, Calif.-based HP, said today on a conference call.
HP executives said business application security is a serious concern across enterprises. Atlanta-based SPI’s offerings allow customers to inspect and assess security at all phases of the development lifecycle. The solutions include a real-time dashboard to centrally manage security vulnerabilities.
"We have a commitment to the enterprise software space," Rende said. "This is one of the fastest growing, most profitable parts of the business. This adds a new chapter to the application side of the house."
Last year, HP acquired Mercury Interactive, a leading automated software quality assurance company, for $4.5 billion.
Chenxi Wang, a Forrester analyst, told SCMagazine.com today that today’s acquisition not only validates the application security space — she cites a study that 92 percent of vulnerabilities are found on applications, versus networks and systems — but also acts as a strong complement to the Mercury purchase.
"The integration between SPI and Mercury is a very compelling one, even more compelling than IBM Rational and Watchfire," she said. "This move may be on the defensive side, in light of IBM’s Watchfire acquisition, but this also highlights HP’s commitment to deliver quality software, and also their vision to extend quality control over all phases of the software lifecycle."
Brian Cohen, chief executive officer of SPI, which has about 140 employees and some 1,000 customers, said on the call that the merger makes sense considering the two companies have been longtime partners and have an overlapping customer base.
"Web applications are becoming ubiquitous," he said. "As they do so, they fall into a lot of traps associated with application security. We have technology to let [businesses] identify weaknesses in their applications and prescribe prospective action."
The deal with SPI is HP’s first security-related acquisition since the world’s largest IT company acquired Trustgenix, a federated identity management provider, in 2005, executives said today. But they added, the SPI acquisition does not mean HP is interested in becoming a "prevention vendor."
SPI arguably is best known within the security industry for its research arm. For example, Billy Hoffman, lead research engineer, unveiled a proof-of-concept script-based website vulnerability scanner at a hacker conference in March.
Cohen said HP remains committed to SPI’s research and development group, and HP hopes to make SPI its "security center."
Once the deal is finalized (expected to happen in the third quarter), SPI will be integrated into the software unit within HP’s Technology Solutions Group. Executives did not mention the possibility of layoffs.
In a May 23 in-person interview with SC Magazine, Cohen implied that an acquisition was imminent, saying prospective buyers were "circling us all the time." But, he said, the goal all along was to build to an initial public offering (IPO).
Click here to email reporter Dan Kaplan.