The Mike Rothman Security Report

Peter Schooff

Is Big the New Small in Application Security?

I've been following the security markets for close to 15 years at this point, and I continue to spot the same trends over and over again. You don't have to be too smart to figure out where things are going, based upon where they've been. At least that's the way it's worked in technology.

Application security will be no different. Although still an early market, it's following the general deployment characteristics of its siblings in the network and host security environments.

One of the "big" research ideas I put forth in 2006 was a concept called "big is the new small." This idea reflected the reality that for most organizations, the idea of doing business with a security start-up created a risk profile they weren't comfortable with anymore. Certainly not for established and mature technology categories, like network security (firewalls, IPS, VPNs).

A manifestation of this mentality is the ongoing consolidation of security functions by the "aggregators," or "Big Security" as I call them, who bring market might and distribution leverage to accelerate the adoption of emerging security categories. Folks like Symantec and McAfee, and let's not forget the powers from other technology disciplines, like Cisco, Microsoft, HP, IBM and the like.

So what? Since you probably focus on applications and application-oriented security, why do you care? Basically, you've seen this movie before and it's happening again right before your eyes. Take a case in point last year, when within the space of a couple of months the leading application security scanning companies (Watchfire and SPI Dynamics) were acquired by IBM and HP, respectively.

As comforting as it is to have deep-pocketed parents like IBM and HP behind your favorite app scanner, is this a good thing? Will it remain a good thing? Should you start looking at other alternatives? Basically, you need an idea of whether consolidation is a good thing or a bad thing for you, the customer.

Unfortunately, history tells us that most deals are a lot worse for the customers than they are for the founders of the security start-ups, who tend to walk directly from the bank to the Ferrari dealership to flex their newfound net worth. In a lot of cases, the acquired technology is buried within the larger company and innovation slows to a trickle, support drops off a cliff, and the technology dies a slow and horrible death.

On the other hand, is it any safer to go with a start-up that is still trying to figure out whether they can make payroll this quarter and if the investors are going to give them enough runway to grow their business? As you can see, there are risks on both sides. If you want a no-risk environment, go work…Ah, I'm actually not sure where you would work to eliminate risk. That's not an option anymore in any business.

Basically, you need to start thinking about #1, and that is you and the needs of your organization. That means focusing first on finding the product (or service) that most closely meets your needs, and not worrying about corporate heritage, funding, or ownership at this point. It's counter-productive. As discussed in my Buying Security Products guide, this first stage is about finding solutions that can meet your needs.

Once you have a "short list" of sufficient solutions, then you can start weighing the benefits and risks of working with a big company vs. a small company. As for application security, it is not a stand-alone business. There is a niche opportunity for maybe 1 or 2 of the firms to get to sufficient heft, but the reality is that application security tools need to be part of a bigger software development suite. So it's not a matter of if, but when, the interesting, innovative tools will be swallowed up and integrated into a bigger suite of products.

That's what was so interesting about the HP/SPI and IBM/Watchfire deals. It wasn't the companies that did the deals, but where in those monstrous organizations the technology resides. Both of the acquired companies ended up in the application dev tools business units. Candidly, that's where the technology belongs.

So what's my conclusion? Basically, it's just a matter of time before all of the major players in application security are "consolidated" and subsumed into the collective of a big application development tools shop. Deals always create risk and angst, but it's no reason to not work with a vendor.

But it's not a reason to do business, either. Focus on what problems you need to solve. Find solutions and/or services to meet those needs. Then pick a vendor that you are comfortable with, regardless of how big they are.

While you are at it, build contingency plans, just in case. Application security folks should do that without even thinking anymore. Murphy's Law is alive and well. If it can go wrong, it will. So plan for that. If the vendor gets bought, make sure you have a Plan B. If they get lost and stop innovating, let your wallet express your dissatisfaction. In the security business, deals happen. You should plan for that.

ebizQ is proud to bring you Security Incite's Mike Rothman, who podcasts and writes on application security and related topics.