HP To Acquire Code Security Software Maker Fortify
Fortify's products pick out exposures that result from errors in programming.
(click image for larger view)
Computer History Museum Tour
Hewlett-Packard will acquire Fortify Software to gain possession of its ability to perform analysis on source code to detect security risks and exposures.
For example, Fortify 360 Static Application Security Testing technology can examine source code and pick out exposures that result from poor or hurried programming. If a programmer has created a form where a user is to enter a zip code, but leaves space for 32 characters to be entered instead of five, 360 SAST would detect that. If the zip code were to be loaded from the form into a database, a 32-character space would open the door to an SQL injection attack. A hacker could put an SQL statement where the zip code was supposed to go and the database would act on it, once the injection was uploaded.
HP and Fortify collaborated on Hybrid 2.0, a product to protect software both in composition and in use. In addition to analysis of software under development, software needs protection once it's running. The former is called static analysis; the latter, dynamic analysis, and Hybrid 2.0 does both.
The two companies began working together last year on the product. The second version, Hybrid 2.0, was issued Feb. 22. In addition, Fortify static analysis capabilities have been integrated into HP Application Security Center and HP Quality Center software. Upon completion of the deal, HP will initially continue Fortify as a stand-alone business unit.
"The big question is if HP will integrate this product smoothly and invest in it further, unlike what they did with WebInspect," said Mandeep Khera, chief marketing officer for Cenzic, supplier of Hailstorm, a testing system for software vulnerabilities and an HP competitor. WebInspect checks web applications and services for security exposures. HP acquired WebInspec with its acquisition of Spi Dynamics in 2007 and continues to offer the product.
Fortify products "absolutely will be continued," HP said in response to a question from InformationWeek.
After the purchase is completed, Fortify products will become part of the HP software and solutions' Business Technology Optimization Applications portfolio.
Static analysis and dynamic analysis products helps prevent security breaches in production systems. Use of the systems is one component of meeting sound operations compliance requirements.
When Fortify products are added to HP's existing capabilities, "organizations will have a best-in-class solution to improve the security of their applications and services," said Bill Veghte, executive VP, software and solutions, in the announcement of the acquisition move.
"Joining HP will allow us to further integrate our proven technology and security expertise," said John Jack, CEO of Fortify, in the announcement.
In related activity, IBM acquired Ounce Labs, maker of static security testing products for source code, in July 2009. It added the Ounce product line to its rational software division, supplier of a wide range of development and test tools.