August 01, 2007
Podcast with IBM Rational: Security Becomes an Important Factor in Application Lifecycle Management
Listen to or download the 11:09 min. podcast below:
What follows is a transcript of my podcast with Dave Locke, the Director of Offerings Marketing at IBM Rational, where we discuss application lifecycle management and how that relates to IBM’s recent purchase of Watchfire, how application testing works, how the Watchfire acquisition compares with HP’s purchase of SPI Dynamics, and finally, any acquisitions IBM Rational might be looking to make in the future (I know, I know, but I still had to ask).
Can you explain application lifecycle management?
In a nutshell, when you’re deciding in a business to look at aspects of your business that need automation, specifically, I’ll give an example to make it easier here, a sales order process, right. Typically, most companies today don’t go through a paper-based process; they capture their sales order, they process it on the back end, they ship it out. It’s all done via computers through applications. Easy to know, because everybody does that, right? Well, when you’re deciding on what it is you need to automate, typically businesses look at different scopes, different areas of the business, to say, “hey, you know what, I’m going to take and automate the sales order process, we’re going to get it off paper.”
First off, in an application life cycle management discipline, the first thing you want to do is consider what it is you’re trying to accomplish, what the requirements of this project are, how it fits into the overall business, what value I’m going to get by automating this process through some use of technology. As you start making those decisions, you finally come to a decision: OK, it’s going to cost “X” amount of dollars, “X” amount of time, and we’re going to reap “X” benefit from doing that. At that point in time, that application now starts moving into the architecture and design phase. So, how does it fit into the rest of the system, the overall enterprise architecture? How does it fit into the other applications it needs to communicate with? What is the architecture? Is it an SOA architecture, or am I going with a monolithic application?
Then, you start on the development phase: you do the testing, and lots of different types of testing go on, right? So there’s functional testing to make sure it actually works and the known defects are taken care of. You go into performance testing, you know, expecting 5,000 users to hit concurrently? But it’s pretty hard to get 5,000 of your friends to test concurrently, so you automate that. With our new Watchfire acquisition, it’s focused on the security of that application; we’ll talk a little more about that in a moment. Once you’ve completed this development process, you hand off to your IT operations to actually put it up live and manage it in a production environment. Well, the cycle of deciding what you’re going to build, understanding the architecture, building it, testing it, is really this application life cycle management. And, you know, it’s typically depicted in kind of a circle, because as you understand what you’re going to build, you learn more about it and you iterate deeper and deeper into the project so you can best facilitate getting that application out in a very cost-effective way. The management aspect of this, of course: you have individuals working on different pieces of the project, but you also need to connect those different individuals, right? The folks that are looking at the line-of-business reasons you’re doing a sales order system are physically in a different department and have a different way of thinking than the people actually doing the coding. We need to hand that off to the coders; well, how do you do that? How do you know if you’re doing it efficiently? Have you captured the right things? Once you’ve handed it off, how many times did you have to go back and change requirements or change architecture? All of these types of decisions typically are made by small sub-teams without the full context of the entire life cycle of the application.
So, the notion of application life cycle management is really taking and governing the business process of delivering that software from start to finish, all the steps in between, and providing all the different layers of reporting so that senior management, middle management, project management, and individual contributors can understand how they fit, the investments we’re making, and how efficiently we’re running. So, it’s really all that put together.
Tell me a little bit about the security aspect of Watchfire being included in the application lifecycle now.
So, as we see these different types of applications, many of them are now being deployed outside the firewall, or inside the firewall but with through-the-firewall access. And, not only do inside-the-firewall type applications need security, but all of these types of applications do need a way to be able to securely present, manage, and interact with the user so there is no breach in security. And, as you know, as we look at the world, all of these applications are becoming more and more widely accessed by non-employees, if you will, as well as internal employees. How do I manage that security? It’s become a more and more important topic as we see headline news week after week about this and that security breach. Well, Watchfire, the reason we chose to do this acquisition, Watchfire is actually the leader in the market for application-level testing of security. So, as you can imagine, there are many different layers of security that have to be considered, right? So at the firewall level, how strong is the firewall? Is it resisting many attacks? If there’s a breach of security, how do I know there’s been a breach and how do I do the intrusion detection, right? So, there are many different layers of security. Watchfire focuses on the application and testing the application for known hacks, security leaks, and actually, you know, automating the process of banging on that application to find those potential breach areas.
Given that most new security vulnerabilities pop up in the most unexpected places, exactly how does application security testing test for future security risk?
That’s pretty tricky. There are a couple of different aspects of this that make sense. So, on the Watchfire level, it does what is considered “black box” security testing, meaning it does not go to the depths, the internals of the code. We have some other assets that work on those kinds of tests – the “white box” tests. Watchfire focuses on this black box, and it does a couple of things. First off, we have a Watchfire team, which is now part of IBM, by the way. They were acquired as of Monday, so they are IBMers now. But there’s a team there that focuses on hacking. They’re always looking for different techniques of hacking, looking for the latest, greatest insight from different hacking websites, reverse engineering hacks that folks are doing, and so they’re always working on that forefront, the bleeding edge of how people are thinking about hacking. And so they then take that and codify it into a database of “techniques” that we then run against websites. So, it’s always kind of working on that bleeding edge and taking known approaches and kind of evolving them to be more effective over time.
Now, I understand that HP just acquired SPI Dynamics. How do you see this as competition to IBM?
The SPI Dynamics/HP deal, that was not a surprise, but interesting to see. So, Watchfire has 63% of the market share as reported by Gartner. SPI Dynamics is in the 20s, if I recall correctly. So, we went out and acquired the number one tool in this space, and what’s really nice about the acquisition is that it absolutely fits into our portfolio; it’s very, very complementary. There really isn’t any overlap, and, you know, one of the things that is unique about IBM Rational is the depth and breadth of integration we have across the whole application life cycle we were talking about a moment ago. Well, Watchfire, even though the acquisition is only a few days old, is actually already integrated with one of the key tools it needs to be integrated with, Rational ClearQuest. And so that makes it a real hand-in-glove fit. You know, as compared to SPI Dynamics, also a very good tool, they work very similarly, absolutely, right in the same space, but with not as large a market share, and, you know, HP, in terms of integrating it in with their ALM offering, they haven’t announced any integration at this point. I don’t know what their plans are internally, but we would expect to see that kind of consolidation, and it was also a hole in their portfolio as well.
So it’s clear that IBM is going for an end-to-end solution. Do you see anything else that you might need to acquire to achieve a full end-to-end solution or do you feel that IBM is already there?
There are always places you can improve, right? We could all see improvement; we’re always striving to deliver better results for our customers. You know, it’s interesting, thinking about IBM in general from the security perspective. As a company, we are very serious about security here within IBM. We’re also serious about delivering security solutions to our customers to help them. And, you know, we turn a lot of our tooling on ourselves, really the first step, because we’re so serious about this. Looking across IBM, I’m definitely not an expert on all the different offerings IBM has, but we do have offerings that work across the entire spectrum of security, all the way from the front-end intrusion detection, all the way through to ongoing monitoring of applications and things, and now with the Watchfire acquisition, focused on application-level, you know, pre-deployment testing. So, is there another announcement in the works? I’m not here to reveal that. We can always see ways to improve, for sure. I would say that IBM, with our market size and the number of employees that work here and our serious focus on testing and security, I think we’re in a pretty good position to continue our market leadership. But, again, there’s always room for improvement.
Posted by pschooff in Podcast