Cenzic and WhiteHat's web applications testing tools are used to search for vulnerabilities in applications that have already gone live. But companies like Fortify and Ounce, which provide technology used primarily to scour code before it goes into production, say that they are experiencing similar growth.
"Companies are looking at integrated testing, which will be a smart way to approach things when the products are ready. IBM and HP will be tough competitors, but we're still seeing that customers want these technologies from providers that are purely focused on testing," said Roger Thornton, chief technology officer at Fortify.
"Companies know they need to apply many different types of code analysis and testing tools to approach the entire applications security process from a risk management perspective. While that concept is still relatively new, we're seeing growth in demand for our products," Thornton said.
At least one of Fortify's customers indicated that even once IBM and HP have finished integrating security testing into their development platforms, many companies will still look to independent providers to handle a good deal of the work. "I really think there will be a place for these companies. I'm concerned with seeing large vendors buy some of these tools and just let them evaporate. These other players are focused purely on security," said Grant Bourzikas, director of information security at online trading firm Scottrade.
"For these [independent providers], this is their number one bread-and-butter product, and I see better products coming out of them in the future," Bourzikas said. "That's not to say that IBM and HP don't have great products, but I don't think the same emphasis is being placed on the technology today as when these were standalones; for this type of work, I want a company focused on security, versus someone more concerned with selling me storage or services."
HP executives conceded that large, diversified IT vendors haven't always kept their promises to stay committed to the products they acquire. They said their long-term goal is to make SPI's web applications tools an integral piece of the company's Mercury development platform.
But in the meantime, HP is seeing continued growth in demand for SPI's existing technologies, and executives said the company will continue to market the tools in a standalone fashion.
"It's true that acquisitions sometimes don't work out as promised, but we are totally committed to furthering SPI while we integrate the technology into the development process," said Chris Whitener, chief strategist of the Secure Advantage business at HP. "Clearly our vision is that security testing will become a requirement of software developers, but there's a market for these products as they exist today, and we're still seeing strong demand."
Industry analysts said the process of driving security testing deeper into the development lifecycle remains nascent, while predicting that it may very well become the norm in the future.
However, there should be opportunities for both the independent providers and for their larger rivals as applications security continues to prove itself as a growth market, said Paul Roberts, an analyst with the 451 Group.
"Whenever big acquisitions happen, you always hear the business model validation argument from those left standing. I don't disagree that it's taking a long time for HP to fully digest SPI, and it's the same with IBM and Watchfire," Roberts said. "And even when they do, there's likely still a role for stand-alone tools at later points in the development cycle."
The analyst pointed out that the move to push security responsibilities onto developers may not be welcomed by some of those highly sought-after professionals.
"The larger question is, will there always be a role for smaller venture-funded companies to provide [applications security testing], or will it also get rolled up into larger diversified companies selling the development platforms," said Roberts.
"Both arguments are right, and it's not a zero-sum game; clearly HP and IBM bought those companies because they see a need for testing to move down the chain. But people who say that most code-writing shops aren't there yet are right, and there's also a dearth of development talent out there," he said.