The acquisition, whose terms were not disclosed, was made to strengthen the HP application security software portfolio.
HP now gains Fortify's static application security analysis technology, used to find vulnerabilities through the analysis of application code. Static application security analysis testing, also known as source code, binary, or byte-code analysis, can be performed before the application is operational and is considered a cost-effective method of finding and fixing bugs.
“HP does need this piece of technology,” Chenxi Wang, principal analyst at Forrester Research, told SCMagazineUS.com on Tuesday. "It is one of the holes in their portfolio."
The void was especially glaring after HP competitor IBM gained the technology with its acquisition last year of source-code security testing provider Ounce Labs, Wang said.
HP's newest buy complements its 2007 acquisition of SPI Dynamics, a maker of dynamic application security analysis technology, used to identify vulnerabilities in already-operational websites, Mark Sarbiewski, vice president of products at HP told SCMagazineUS.com on Tuesday. The combination of static and dynamic application security analysis technology now will allow HP to offer a more thorough solution to improve the security of applications and services.
The acquisition also validates that security needs be part of the application lifecycle, he added.
The deal indicates that application security is gaining maturity, Wang said. In the past, many different security vendors had stakes in the various application lifecycle phases, and now the technologies are becoming more integrated.
A tighter combination of static and dynamic analysis will provide increased efficiency and accuracy of vulnerability detection, she added.
When the deal closes, HP plans to initially run Fortify as a standalone entity to ensure continuity while targeting the security market. Over time, Fortify will be integrated into the HP Software and Solutions business. Fortify's products eventually will become part of HP's Business Technology Optimization application portfolio.
“[Fortify] has a huge amount of momentum and we want to keep the team intact for up to a year,” Sarbiewski said. “We are going to be pretty thoughtful about how we integrate and keep the teams together."
The “vast majority” of Fortify employees will be offered a position at HP, Sarbiewski said.
“[Fortify CEO John Jack] will be running this business within HP software, and we expect the key members of the team will be on board,” he added.
Barmak Meftah, chief products officer at Fortify, said the acquisition will allow Fortify to elevate and accelerate its growth in the market.
“Our main footprint is the CISO and development group,” he told SCMagazineUS.com. “HP brings a big outreach to the CSO and quality assurance audience.”
HP and Fortify have a history of collaboration, so the acquisition was not a surprise, Forrester's Wang said.
“The acquisition has been rumored for more than a year,” she said.
HP has likely been waiting to ensure it could make a strong business case for the acquisition and has been working with Fortify in the meantime to understand how its business model works, Wang said. In June 2009, Fortify's static application security analysis technology was integrated with HP's Application Security Center and Quality Center software solutions. Then in February, the companies introduced Hybrid 2.0, an integrated static and dynamic analysis security analysis technology.