The Tech Herald

HP solidifies partnership with Fortify – purchases it outright

by Steve Ragan - Aug 18 2010, 12:00

For years, Hewlett-Packard (HP) has enjoyed a great business relationship with Fortify Software. Now, after much rumor and speculation, the two are finally to be housed under the same roof after HP announced the pending acquisition of Fortify on Tuesday.

The terms of the merger have not been released, but this is generally the norm for such deals. However, it's the news itself that’s interesting.

“The rumor mill has had this acquisition in the works for years, but the truth of the matter is it was all about timing. I've worked for a few companies in my years that have grown by acquisition - and there are right ways to do it, and wrong ways,” Rafal Los, HP’s Security Evangelist, said in an email on the merger.

[More on Los can be found here, including a few comments that foreshadowed the merger if you read between the lines.]

“You see, it's not just about buying another company. It's rather more like taking a puzzle and then bringing in an entirely new, but very needed piece, and trying to make it fit,” he added.

“You can't just force it in, otherwise the unique parts that made it special will break - but at the same time it isn't going to do much good unless it's a seamless part of the puzzle itself.”

In 2009, the two companies teamed up to develop application security systems, which turned into Hybrid 2.0 earlier this year. In a statement, HP said the merger is a continuation of shared goals that the two security products have had all along. That is, helping developers and security managers find, fix, and mitigate software vulnerabilities before they are exploited.

Going forward, the goal is to use HP’s existing software security offerings alongside the technology developed by Fortify (i.e., its Fortify 360 solution) to push security assurance into the application development lifecycle, thus merging it with HP’s Business Technology Optimization portfolio.

“There are over 400 categories of vulnerability types that we look for,” Roger Thornton, founder and CTO of Fortify, told The Tech Herald. “But when we look at the runtime data from the customers that are using our monitoring products, there is a very targeted focus on certain types of vulnerabilities.”

The focus, from what Fortify has seen, is Web framework vulnerabilities such as Cross-Site Scripting and SQL Injection, as well as variants of those attack vectors. While there is a big surface area of potential problems, attackers are very successful in exploiting just a small subset of them.

The problem today is that an overwhelming majority of companies out there are not aware of the lifecycle approach to solving these software vulnerability issues, Thornton explained.

This is what excites Fortify about the acquisition, with the deal vastly expanding its reach into market sectors it was never previously able to access. For now, Fortify will operate as a standalone entity, but will be folded into HP over time.

“We’ve been learning from acquisitions that we’ve done over the last five years now, and one of the things that we’ve learned is to be very thoughtful about how you pull it all together. Keep the momentum when you have it,” Mark Sarbiewski, HP’s vice president of product marketing, told The Tech Herald in an interview.

What this means is that Fortify will exist within HP Software, where it will be expected to maintain momentum with the strategy and the ideas that it's been working on. In addition, the vast majority of Fortify's staff will be asked to join the HP team, and the existing management will remain.

“We really see the challenge of securing applications similarly. We see it as a lifecycle problem. There’s no silver bullet, the problem comes when the application logic doesn’t do, or does things that it shouldn’t. Where do those problems come from? They’re injected early on in the [development] process,” Sarbiewski said.

“What Fortify has, that HP did not, is mindshare and reach to the CISO and the development community,” he added.

For now, both Fortify and HP’s engineering teams are working to ensure that products on both sides function seamlessly together, and the next step is to use HP’s services arm and partnerships to help push market adoption on a much wider scale.
