From: Roger Knott (MKT-US)
Sent: Thursday, August 19, 2010 8:17:37 AM
Subject: Newsbank - HP buys Fortify
From the 451Group.com
HP 'Fortify-ed': IT giant picks up a leader in software security assurance
$275m (451 Group estimate)
August 17, 2010
Hewlett-Packard (NYSE: HPQ) has acquired Fortify Software, a move that deepens the two-year-old partnership between the IT giant and the application security vendor. Terms weren't released, but we understand that HP handed over about a quarter-billion dollars for Fortify. The transaction is the latest in a tit-for-tat M&A dance between IBM (NYSE: IBM) and HP (with Big Blue leading) around application security as part of their software development portfolios.
If IBM and HP basically matched each other's deal size in the first round of M&A for application security, HP has gone much bigger than Big Blue in the second round. In fact, we gather that the price tag for HP's purchase of Fortify is more than 10 times larger than the amount that IBM paid last summer for rival static code analysis vendor Ounce Labs.
[Table: Select application security acquisitions. Source: The 451 M&A KnowledgeBase; *451 Group estimate]
Terms weren't revealed on either the Fortify or Ounce Labs transactions. However, we estimate that IBM shelled out about $25m for Ounce Labs and that HP likely paid about $275m (including earnout) for Fortify. Our understanding is that Ounce Labs garnered roughly 3 times trailing sales, while Fortify went for about 4.6x trailing sales of about $60m.
Those deals, which were separated by roughly a year, came after both tech giants had made acquisitions of dynamic code analysis vendors within two weeks of one another. Back in mid-2007, IBM purchased Watchfire for an estimated $140m, roughly matching HP's $135m acquisition of SPI Dynamics. Both transactions were done at more than 5x trailing sales, according to our understanding. For those keeping track of the M&A arms race between these two tech superpowers, the collective bill for their application security deals now exceeds a half-billion dollars.
San Mateo, California-based Fortify Software offers a suite of products consisting of static and dynamic code analysis, vulnerability scanning and audit, collaboration and GRC-focused reporting and dashboards. In 2009 Fortify struck a deal with WhiteHat Security for hosted code analysis and application vulnerability assessment.
The company was founded in 2003 by CTO Roger Thornton, chief scientist Brian Chess and VP of corporate development Michael Armistead. It is interesting to note that both Chess and Armistead worked for HP earlier in their careers. CEO John Jack joined Fortify in the beginning after a stint as CEO at Covalent Technologies. Fortify has raised three rounds of venture funding totaling $24m, although it declines to break out how much was raised in each round. Investors include the company's initial backer Kleiner Perkins Caufield & Byers, as well as Sigma Partners, Interval Capital Partners and Duff Ackerman & Goodrich. The last round was closed in 2005.
Fortify was one of the early leaders in source code analysis or static analysis (when software was your own and/or source code was available). Through development into dynamic analysis, training and partnerships, Fortify further extended its value. The software and applications security market is still nascent. Although the early focus was on tools to test the security of production applications and websites, as the space has matured, a pantheon of complementary and valuable tools and services to drive more Rugged software has evolved. The market first concentrated on dynamic testing of production Web applications and compiler software. There were initial debates over dynamic testing versus static testing. At this point, many consider the technologies complementary.
Ultimately, the tools are a minor part of driving software security and Rugged digital infrastructure. Other related application security segments include training and consulting firms to help organizations design and enhance sustainable, secure development into their existing system development lifecycles. Web application firewalls and sometimes intrusion-prevention systems exist to temporarily (or even permanently) shield vulnerable software. Application vulnerability scanners can often check for specific known vulnerabilities. 'Fuzzing' technologies can also help to programmatically stress software to reveal vulnerabilities.
Founded in 1939 and headquartered in
At the close of the second quarter of 2010, HP had generated $30.8bn in revenue, a 13% increase over $27.4bn in Q2 2009. Net earnings came in at $2.2bn, or $0.91 per share, compared to $1.7bn and $0.71 per share during the same period last year. The 'corporate investment' segment, which includes the ProCurve and TippingPoint security products, generated $315m in revenue for Q2 2010, representing a 31% increase over $236m in Q2 2009.
This deal is the latest salvo as HP and IBM vie for the majority of the market for application security as part of development. In June 2007, IBM's Rational division purchased Watchfire for dynamic code analysis. HP responded in kind within two weeks, buying Atlanta-based SPI Dynamics for its dynamic code analysis. When IBM Rational extended its investment in static code analysis with the Ounce Labs acquisition, we expected HP to follow suit and purchase Fortify. But this time the expected response took a little over a year (a bit longer than two weeks). Both of these players are seeking out market leaders with strong leadership teams to tap into market demand and drive these capabilities through their application development and quality/testing portfolios.
HP plans to take care to preserve Fortify's sales momentum and is planning an integration window spanning more than a year. The company explains that this acquisition is a natural extension of the previous two-year partnership and better enables it to drive the marriage of static and dynamic code analysis. In February, the two announced their Hybrid 2.0 combination of Fortify's static analysis and HP's dynamic analysis.
As noted, the industry needs more Rugged software. Software has become modern infrastructure, though unlike steel and concrete, it is not nearly as dependable. At present, software security is a nascent market and its adoption is less than 1% in development organizations. In some ways, this deal could be a good thing, driving a more Rugged future. As tools like Watchfire and SPI Dynamics and now Ounce Labs and Fortify have been bought by large IT providers, this may make them more consumable to mainstream organizations. These transactions can serve to further legitimize the need for security to be woven into software development and quality assurance tools and processes. We believe that security needs to be baked into common infrastructure wherever and whenever possible. To this end, we're hopeful that moves like this can better 'Trojan horse' security into future digital infrastructure.
On the flip side, since security is not core to either player, there is the risk that these innovative technologies could get lost or wither on the vine. Many in the security space felt that HP did a poor job retaining SPI Dynamics' core talent and maintaining and growing its technology. Regardless, with the SPI Dynamics integration complete, the opportunity exists to leverage the lessons learned. Perhaps this latest transaction will bolster HP's existing investment.
As with many players in this emerging market, Fortify enjoyed fruitful partnerships with other application security technologies. One of the more prominent relationships was with Web application security vendor WhiteHat Security. We are eager to see the impact that the sale to HP will have on these partnerships. Though HP would not specifically call out partners, the company has been clear that it wishes to maintain sales momentum and aims to keep Fortify as a separate business unit. We expect that HP will avoid trying to make many changes to the partnership ecosystem for at least the first year.
Tools are a part of application and software security, but only a part. As the space has matured, we've spoken with many organizations that regret starting with tools as their first taste of secure development – quickly bombarding an unprepared development organization with new classes of potential bugs that may or may not need fixing. This may drive more follow-on demand for training and consulting from firms like Cigital, Security Innovation, Safelight Security Advisors and Aspect Security. Conversely, however, it may poison the well with bad first impressions on development teams that don't yet appreciate or value investments in secure software. For example, we're seeing Veracode gain more traction with its SaaS model and rapid turnaround, which is less disruptive and better aligned with agile development software organizations.
We see plenty of opportunity for this acquisition to trigger follow-on deals, and will be exploring this in coming weeks. Will IBM continue to lead with the next step in the dance? Will either player better leverage their systems integration and professional services arms to drive more adoption? Will fellow development platform players like Microsoft (Nasdaq: MSFT), Oracle (Nasdaq: ORCL) and VMware (NYSE: VMW) scoop up other stand-alone static and dynamic analysis providers to seek parity? Will the integration of Fortify into HP create room for the next class of innovative smaller players? There is also a lot of opportunity for the cloud to drive new routes to market and demand for application security.
Lastly, as we wrote in a recent report, organizations are migrating more and more applications and workloads into clouds. This is an excellent opportunity to assess application readiness and the ability to protect themselves when on-premises mitigating controls may not be available – or even possible.