Sometimes, partnering isn’t enough. That’s the case with HP, which is now acquiring a former partner, code analysis vendor Fortify, to better ramp up its capabilities in enterprise application security.
Fortify’s chief claim to fame has been its static analysis tools, which enable developers to scrutinize the code of their applications and hunt for errors and potential security holes. HP, meanwhile, has offered a dynamic analysis tool, geared toward examining programs for flaws while they’re running. Together, the two have been partners on the Hybrid 2.0 Web security solution that paired Fortify’s static analysis with HP dynamic analysis approach.
Now, Mark Sarbiewski, vice president of products for HP Software and Solutions, said that a much closer relationship between Fortify’s and HP’s technologies is the key to the future of enterprise application security.
“Being a partner is one thing,” Sarbiewski told InternetNews.com. “Having it all under one roof is another.”
Specifically, the acquisition means that HP, while continuing with Hybrid 2.0 — which is set for delivery by the end of the year — will also now be able to take advantage of Fortify’s tools through its professional services group.
“HP has a huge capability there with EDS, and we have many thousands of folks that do this,” Sarbiewski said. “This is a wonderful new piece of the overall puzzle in terms of the technology to go with the services.”
But IBM’s not the only one looking to marry dynamic and static code analysis and services. The Fortify acquisition follows the purchase of static analysis vendor Ounce Labs by IBM in 2009. Since then, Big Blue has integrated the solution into its broader IBM Rational portfolio for software development.
What’s next for HP’s code analysis efforts and its IBM rivalry
Tools like Ounce Labs’ and Fortify’s aim to give enterprises a look at potential security pitfalls early in the application development lifecycle, when it’s typically cheaper to fix problems than after a product, app or service is completed, deployed or shipped.
“It’s a challenge for enterprises to get the security right for their applications,” Sarbiewski said. “We believe that the only way to solve the problem is by solving it through the lifecycle.”
One way HP aims to do that is to more closely integrate and then build on the marriage of Fortify’s technology with its own.
Already, the pair’s Hybrid 2.0 project — which is currently in use by beta customers — is executing toward that goal. The offering works by leveraging Fortify’s program trace-analysis capabilities, which enable users to see what is happening inside of an application as it is being attacked by HP’s dynamic analysis tools.
“The combination tells you what vulnerabilities are real and where they are inside the application,” Sarbiewski said. “That to us is the future.”
Of course, the acquisition — and HP’s plans for Fortify’s technology — means that HP will once more find itself going head-to-head against solutions and services similar to those being pushed by its rival, IBM. Spokespeople for IBM were not available by press time.
To Sarbiewski, though, it’s no surprise that the two enterprise IT giants are thinking along the same lines.
“We’ve been on a path that led us to this acquisition,” Sarbiewski said. “IBM came in and it’s not surprising to me that you’d see the portfolios going down somewhat similar paths if we’re both seeing what really needs to be out there in the market.”
And despite the rivalry, Sarbiewski sees educating customers on the need for better tools as a bigger challenge than vendor competition. With the market is still in its early stages, he said it’s critical to help enterprises understand how they can get their developers and quality teams working together to more effectively secure applications.
“It’s a good thing when you have sizable players that are out there, that are validating the market and creating complete solutions,” Sarbiewski said. “It is a good validation that there is a real market here and there is no silver bullet for security — you have to attack the problem at the root with technology, as well as services and education.”
Financial terms of HP’s purchase of Fortify were not disclosed. Sarbiewski said that the majority of Fortify employees will get offers to join HP.
Follow eSecurityPlanet on Twitter @eSecurityP.