HP's Fortify Acquisition: More Validation of Security in the App Dev Lifecycle

No one was really surprised today when Hewlett-Packard announced that it would be acquiring application security solutions provider Fortify Software. Rumors have been bouncing around the Valley for months.

"This was a real contender for the worst kept secret in Silicon Valley throughout the summer," says Fortify's chief scientist (and co-founder) Dr. Brian Chess.

Details of the deal were not disclosed in HP's announcement, and Chess wouldn't talk about them, either. But he did have some things to say about the meaning of the acquisition.

"Since the company was founded, we've been saying that security is going to become part of building software," Chess says. "And now the big guys are saying it, too. In fact, we're coming into HP as part of the group that does application lifecycle management. With this acquisition, I really feel that we've had our vision validated."

HP is getting more than Fortify's vaunted static application security analysis technology (which analyzes application source code for security flaws). The founders and management team are sticking around, Chess says, so HP is adding considerable app security expertise with this deal. Fortify CEO John M. Jack will be running the business from its current San Mateo offices for the time being as a stand-alone entity.

"Long term, we think we're going to find that we have a lot in common with HP," Chess says. In fact, Chess himself worked at HP about a decade ago. "Of course it's a much larger company than the one I left, but I think I know these guys to a certain degree. My memory of the company is that it's made up of a bunch of straight shooters who really value technology."

Fortify was founded in 2003. Its initial funding was provided by Kleiner Perkins Caufield & Byers. Earlier this month the San Jose Mercury News published a nice story about the company's early days setting up shop in the Silicon Valley venture firm's basement.

The Fortify acquisition is seen as complementing HP's 2007 acquisition of web-app security firm SPI Dynamics. And HP isn't the only big player adding application security expertise through acquisition. Last summer, IBM acquired Ounce Labs, a Waltham, Mass.-based maker of enterprise source-code security testing software. Big Blue's acquisition of Watchfire in 2007 brought governance, risk management, security, and compliance capabilities to the software development lifecycle.

Fortify focuses on software security at the application layer, which is a longtime target of app security guru Gary McGraw. When he's not writing books such as the now nearly classic Software Security: Building Security In and Exploiting Online Games: Cheating Massively Distributed Systems (with Greg Hoglund), McGraw serves on Fortify's technical advisory board. He's also the CTO of security consulting firm Cigital, which joined with Fortify last year to create a set of best practices for developing and growing an enterprise-wide software security program, dubbed the Building Security In Maturity Model.

"We expected this, and it's nice to see it happen," says McGraw.

Cigital actually created the core technology on which Fortify's static analysis products are based, McGraw reminded me, and licensed it to Kleiner Perkins in 2003. "We developed this really early static analysis thing that was consultantware/researchware, and they turned it into a professional software product," he said.

McGraw sees the acquisition as a good thing, and echoes Chess's view of it as validating the build-security-in-the-app strategy.

"The big guys finally care about software security, and they've got the marketing muscle to cause lots of other people to care about it, too," he says. "And that's good for everybody."

McGraw offers an interesting overview of the current software security landscape in an InformIT article, "Software [In]security: Software Security Crosses the Threshold." Worth checking out.

Posted by John K. Waters on August 17, 2010