Eric Ogren

AppScan lives on with IBM

June 08, 2007 12:54 PM EDT

It seems like just a few years ago that Sanctum's AppShield demo took the RSA Conference by storm. Their demo, showing how easily a user could modify the fields of a web form and have a poorly written application trust the tampered values, was a first, and people were racing across the Moscone Center to see what all the buzz was about. What they saw was the birth of the new Web application security segment!
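The class of bug that demo exposed, as an added illustration rather than code from the original post or from Sanctum, Watchfire or IBM: a checkout handler that trusts a price field the browser posted beside one that treats the whole request as untrusted input and looks the price up server-side. The handler names, the catalog and the request bodies are constructed for the example.

```python
"""Form-field tampering: the server trusts values the client can edit.

Added illustration, not Sanctum/Watchfire/IBM code. The handler names,
catalog and request bodies below are constructed for the example.
"""
from urllib.parse import parse_qs

# Server-side price list (constructed). A hardened handler uses only this.
CATALOG = {"sku-100": 4999}  # price in cents


def handle_checkout_vulnerable(body: str) -> dict:
    """Trusts every field the browser posted, including a 'price' field the
    page rendered as a hidden input. A user can edit it before submitting."""
    form = parse_qs(body)
    sku = form["sku"][0]
    price = int(form["price"][0])  # attacker-controlled
    qty = int(form["qty"][0])
    return {"sku": sku, "total": price * qty}


def handle_checkout_hardened(body: str) -> dict:
    """Treats the request as untrusted input: only sku and qty are read, the
    price comes from the server-side catalog, and qty is bounds-checked.
    Raises ValueError on anything malformed or out of range."""
    form = parse_qs(body)
    try:
        sku = form["sku"][0]
        qty = int(form["qty"][0])
    except (KeyError, IndexError, ValueError) as exc:
        raise ValueError("malformed checkout request") from exc
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    # Any 'price' field in the body is ignored, never merged in.
    return {"sku": sku, "total": CATALOG[sku] * qty}


def hardened_rejects(body: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        handle_checkout_hardened(body)
    except ValueError:
        return True
    return False


# Constructed request bodies: what the page's form submits, and what a user
# submits after editing the hidden price field in the browser.
HONEST_BODY = "sku=sku-100&price=4999&qty=2"
TAMPERED_BODY = "sku=sku-100&price=1&qty=2"

if __name__ == "__main__":
    print(handle_checkout_vulnerable(TAMPERED_BODY))  # total 2
    print(handle_checkout_hardened(TAMPERED_BODY))    # total 9998
```

The point is not the specific field: anything the browser sends (hidden inputs, cookies, headers, the URL) can be rewritten before it reaches the server, so the only values to act on are ones the server derives itself or validates against its own state.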


Who would have guessed that, over the years, customers would place far more value on AppScan, originally thought of as a throw-in for the web application firewall product? This is one prime example of why start-ups can be so hard: it is very difficult to know how customers will use good ideas. Watchfire saw the potential of application scanning when it purchased Sanctum in 2004.


AppScan will now ride with the IBM security team, as IBM has announced plans to acquire Watchfire. I see this as a terrific deal for both companies, and somewhat less than terrific for Watchfire's competitors:


+ IBM gets software that can drive global service revenues. With AppScan in the fold, IBM can evolve the Rational product line to cover more of the application development lifecycle. There is a lively market for tools that help developers build security into the application itself. IBM will bring AppScan into large deals, including those from ISS, that the product would never have seen as part of Watchfire.


+ Watchfire gets IBM backing to broaden the use of its technology. It would not surprise me to see Watchfire's scanning core competency serve as the basis for a full-scale assault on compliance verification for large enterprises. The fact that Watchfire has some experience with providing scanning results as a service is a definite sweetener.


- SPI Dynamics needs a hug. For that matter, so does Cenzic. Fortify has Oracle to run to, so they can carry on; Veracode has a unique and interesting business model, so they too will continue to go about their business. There have been rumors of SPI throwing themselves at the mercy of companies like HP and Microsoft. In my experience, that approach seldom turns out well.