SPI Dynamics, like rivals Cenzic and, eventually, IBM’s Watchfire, focuses on detecting security flaws in web applications. While Watchfire and Cenzic use differing ethical hacking approaches (Watchfire uses technology akin to virus signatures, while Cenzic monitors interactions), SPI Dynamics takes a different approach by inspecting web apps for conditions such as SQL injection (the ability to submit bogus SQL queries) and cross-site scripting (which directs the user to a rogue web page under the covers).
The Atlanta-based company has about 140 employees and 1000 customers, roughly half of whom are also HP/Mercury sites. Of course, given that HP/Mercury is by far the leader in the software testing market, the fact that Mercury is such a high proportion of SPI’s installed base is hardly unique. The same could be said for rival Cenzic.
SPI Dynamics has three product lines, extending from initial unit test to system test and scanning of web sites in production. If that sounds a lot like Mercury’s Quality Center tools, the resemblance is more than coincidental.
As such, the tools fit well with Mercury’s Quality Center tools, with SPI Dynamics already having integrations with Test Center at a number of accounts. They are also integrated into Microsoft Visual Studio, and HP says it plans to continue offering that support.
When asked whether the proposed acquisition would impact SPI’s existing relationships, HP’s Jonathan Rende, vice president of products, said that HP doesn’t have any plans to terminate relationships, although he obviously couldn’t speak for partners. Of course, given that IBM is ironically listed at the top of SPI Dynamics’ partner page on its website, it would be surprising if that survived the acquisition.
Besides obviously HP, SPI’s other technology partnerships include Microsoft, plus several web security-related remediation, information management, and discovery providers who have cooperated on development of Application Vulnerability Description Language (AVDL), an Oasis standard.
They include Citadel, which offers the Hercules automated vulnerability remediation solution; GuardedNet, which offers the euSECURE security information management platform; Teros, which conducts discovery; and F5 Networks, which provides an XML load-leveling appliance. As Rende admitted that HP had not closed the door on future related acquisitions, each of these companies could be a future target.
Beyond the obvious fit, there is the fact that, in an increasingly interconnected world, security should be part of the development life cycle.
But while the Mercury tools focus on more conventional software bugs and performance bottlenecks, SPI Dynamics looks for security holes. In itself, it opens an area that is often foreign for developers since security tends to be the domain of specialists. For instance, when developing or testing code, developers and QA specialists typically don’t think about factors like susceptibility to buffer overflows.
According to SPI vice president and cofounder Caleb Sima, most of the installed base uses the web site security scanning product, which is where the rivalry with Watchfire and Cenzic is greatest, and where the users are security professionals. By contrast, only 12% of the installed base uses SPI tools early in the life cycle, covering unit and system testing, which is where the obvious synergy with HP/Mercury and its core developer/QA constituency lies. But, Sima added, about half the installed base planned to extend security checking back into Mercury territory.
HP expects the deal to close in Q3, and plans to retain the personnel.
Our View
HP said that both sides started talking acquisition months ago and therefore claimed that this was not a reaction to IBM. But whether it is or not, HP’s and IBM’s offers are part of a broader trend to intertwine web application security more closely with the software development life cycle. That’s a concept that sounds logical on paper but is culturally more difficult to accomplish, because application developers have traditionally not thought about security, since it is not in their training, with the converse being true for security specialists.
But that’s where some other interesting synergies in this deal pop up. Because SPI also has a tool that’s meant to scan a website for security holes after it enters production, it could make a logical fit with HP’s infrastructure management tools that come from the old OpenView side.
HP also explained that it didn’t plan to become a security vendor per se, and would still partner there. This was HP’s first security-related acquisition since it brought identity management tools in house, but HP indicated it would likely get more active in the future. For starters, it stated that it viewed application security as being part of its space. As we noted above, we wouldn’t be surprised to hear HP make some follow-up deals that could cover areas where SPI has already been actively partnering.