Wednesday, August 18, 2010

FW: Newsbank - HP buys Fortify

From: Roger Knott (MKT-US)
Sent: Thursday, August 19, 2010 8:17:37 AM
To: Newsbank
Subject: Newsbank - HP buys Fortify
Auto forwarded by a Rule

From the 451Group.com


HP 'Fortify-ed': IT giant picks up a leader in software security assurance

Analyst: Josh Corman, Lauren Eckenroth, Brenon Daly
Date: 18 Aug 2010




Target:          Fortify Software
Sector:          Application security
Deal value:      $275m (451 Group estimate)
Date announced:  August 17, 2010
Closing date:    Not disclosed

Hewlett-Packard (NYSE: HPQ) has acquired Fortify Software, a move that deepens the two-year-old partnership between the IT giant and the application security vendor. Terms weren't released, but we understand that HP handed over about a quarter-billion dollars for Fortify. The transaction is the latest in a tit-for-tat M&A dance between IBM (NYSE: IBM) and HP (with Big Blue leading) around application security as part of their software development portfolios.

Deal details

If IBM and HP basically matched each other's deal size in the first round of M&A for application security, HP has gone much bigger than Big Blue in the second round. In fact, we gather that the price tag for HP's purchase of Fortify is more than 10 times larger than the amount that IBM paid last summer for rival static code analysis vendor Ounce Labs.

Select application security acquisitions

Date announced    Acquirer   Target             Deal value   Target trailing revenue
August 17, 2010   HP         Fortify Software   $275m*       ~$60m
July 28, 2009     IBM        Ounce Labs         $25m*        --
June 19, 2007     HP         SPI Dynamics       $135m        --
June 6, 2007      IBM        Watchfire          $140m*       --

Source: The 451 M&A KnowledgeBase *451 Group estimate

Terms weren't revealed on either the Fortify or Ounce Labs transactions. However, we estimate that IBM shelled out about $25m for Ounce Labs and that HP likely paid about $275m (including earnout) for Fortify. Our understanding is that Ounce Labs garnered roughly 3 times trailing sales, while Fortify went for about 4.6x trailing sales of about $60m.

Those deals, which were separated by roughly a year, came after both tech giants had made acquisitions of dynamic code analysis vendors within two weeks of one another. Back in mid-2007, IBM purchased Watchfire for an estimated $140m, roughly matching HP's $135m acquisition of SPI Dynamics. Both transactions were done at more than 5x trailing sales, according to our understanding. For those keeping track of the arms race M&A by these two tech superpowers, the collective bill for their application security deals now exceeds a half-billion dollars.

Target profile

San Mateo, California-based Fortify Software offers a suite of products consisting of static and dynamic code analysis, vulnerability scanning and audit, collaboration and GRC-focused reporting and dashboards. In 2009 Fortify struck a deal with WhiteHat Security for hosted code analysis and application vulnerability assessment.

The company was founded in 2003 by CTO Roger Thornton, chief scientist Brian Chess and VP of corporate development Michael Armistead. It is interesting to note that both Chess and Armistead worked for HP earlier in their careers. CEO John Jack joined Fortify in the beginning after a stint as CEO at Covalent Technologies. Fortify has raised three rounds of venture funding totaling $24m, although it declines to break out how much was raised in each round. Investors include the company's initial backer Kleiner Perkins Caufield & Byers, as well as Sigma Partners, Interval Capital Partners and Duff Ackerman & Goodrich. The last round was closed in 2005.


Fortify was one of the early leaders in source code analysis or static analysis (when software was your own and/or source code was available). Through development into dynamic analysis, training and partnerships, Fortify further extended its value. The software and applications security market is still nascent. Although the early focus was on tools to test the security of production applications and websites, as the space has matured, a pantheon of complementary and valuable tools and services to drive more Rugged software has evolved. The market first concentrated on dynamic testing of production Web applications and compiler software. There were initial debates over dynamic testing versus static testing. At this point, many consider the technologies complementary.

Ultimately, the tools are a minor part of driving software security and Rugged digital infrastructure. Other related application security segments include training and consulting firms to help organizations design and enhance sustainable, secure development into their existing system development lifecycles. Web application firewalls and sometimes intrusion-prevention systems exist to temporarily (or even permanently) shield vulnerable software. Application vulnerability scanners can often check for specific known vulnerabilities. 'Fuzzing' technologies can also help to programmatically stress software to reveal vulnerabilities.

Acquirer profile

Founded in 1939 and headquartered in Palo Alto, California, HP has grown from electronics manufacturing to a leading provider of computer hardware and software with more than 300,000 employees. HP's security portfolio consists of application security assessment (via its SPI Dynamics buy) as well as its TippingPoint assets acquired with 3Com (Nasdaq: COMS) in November 2009, HP's last security purchase before Fortify. The company combined the TippingPoint technology with its ProCurve product line for networking security.

At the close of the second quarter of 2010, HP had generated $30.8bn in revenue, a 13% increase over $27.4bn in Q2 2009. Net earnings came in at $2.2bn, or $0.91 per share, compared to $1.7bn and $0.71 per share during the same period last year. The 'corporate investment' segment, which includes the ProCurve and TippingPoint security products, generated $315m in revenue for Q2 2010, representing a 31% increase over $236m in Q2 2009.

Deal rationale

This deal is the latest salvo as HP and IBM vie for the majority of the market for application security as part of development. In June 2007, IBM's Rational division purchased Watchfire for dynamic code analysis. HP responded in kind within two weeks, buying Atlanta-based SPI Dynamics for its dynamic code analysis. When IBM Rational extended its investment in static code analysis with the Ounce Labs acquisition, we expected HP to follow suit and purchase Fortify. This time, however, the expected response took a little over a year (a bit longer than two weeks). Both players are seeking out market leaders with strong leadership teams in order to tap into market demand and drive these capabilities through their application development and quality/testing portfolios.

HP plans to take care to preserve Fortify's sales momentum and is planning an integration window spanning more than a year. The company explains that this acquisition is a natural extension of the previous two-year partnership and better enables it to drive the marriage of static and dynamic code analysis. In February, the two announced their Hybrid 2.0 combination of Fortify's static analysis and HP's dynamic analysis.

Deal impact

As noted, the industry needs more Rugged software. Software has become modern infrastructure, though unlike steel and concrete, it is not nearly as dependable. At present, software security is a nascent market and its adoption is less than 1% in development organizations. In some ways, this deal could be a good thing, driving a more Rugged future. As tools like Watchfire and SPI Dynamics and now Ounce Labs and Fortify have been bought by large IT providers, this may make them more consumable to mainstream organizations. These transactions can serve to further legitimize the need for security to be woven into software development and quality assurance tools and processes. We believe that security needs to be baked into common infrastructure wherever and whenever possible. To this end, we're hopeful that moves like this can better 'Trojan horse' security into future digital infrastructure.

On the flip side, since security is not core to either player, there is the risk that these innovative technologies could get lost or wither on the vine. Many in the security space felt that HP did a poor job retaining SPI Dynamics' core talent and maintaining and growing its technology. Regardless, with the SPI Dynamics integration complete, the opportunity exists to leverage the lessons learned. Perhaps this latest transaction will bolster HP's existing investment.

As with many players in this emerging market, Fortify enjoyed fruitful partnerships with other application security technologies. One of the more prominent relationships was with Web application security vendor WhiteHat Security. We are eager to see the impact that the sale to HP will have on these partnerships. Though HP would not specifically call out partners, the company has been clear that it wishes to maintain sales momentum and aims to keep Fortify as a separate business unit. We expect that HP will avoid trying to make many changes to the partnership ecosystem for at least the first year.

Tools are a part of application and software security, but only a part. As the space has matured, we've spoken with many organizations that regret starting with tools as their first taste of secure development – quickly bombarding an unprepared development organization with new classes of potential bugs that may or may not need fixing. This may drive more follow-on demand for training and consulting from firms like Cigital, Security Innovation, Safelight Security Advisors and Aspect Security. Conversely, however, it may poison the well with bad first impressions on development teams that don't yet appreciate or value investments in secure software. For example, we're seeing Veracode gain more traction with its SaaS model and rapid turnaround, which is less disruptive and better aligned with agile development software organizations.

We see plenty of opportunity for this acquisition to trigger follow-on deals, and will be exploring this in coming weeks. Will IBM continue to lead with the next step in the dance? Will either player better leverage their systems integration and professional services arms to drive more adoption? Will fellow development platform players like Microsoft (Nasdaq: MSFT), Oracle (Nasdaq: ORCL) and VMware (NYSE: VMW) scoop up other stand-alone static and dynamic analysis providers to seek parity? Will the integration of Fortify into HP create room for the next class of innovative smaller players? There is also a lot of opportunity for the cloud to drive new routes to market and demand for application security.

Lastly, as we wrote in a recent report, organizations are migrating more and more applications and workloads into clouds. This is an excellent opportunity to assess application readiness and the ability to protect themselves when on-premises mitigating controls may not be available – or even possible.




Roger Knott | Senior Manager, Analyst Relations

10101 N. De Anza Blvd., Cupertino, CA 95014

Office: 408.863.6339 | Mobile: 415.999.4015