Fortify, HP Tout Integrated Approach to Application Vulnerability Testing

Experts say a recent accord between Fortify and HP augurs the advent of a new approach to vulnerability detection.

Hewlett-Packard Co. (HP) recently entered into a partnership with application security testing and hardening specialist Fortify. At first glance, the HP-Fortify accord might look like any other partnership between like-minded vendors. There's more here than meets the eye, however, according to industry experts.

Fortify agreed to integrate its Fortify 360 static application security testing (SAST) software with HP's Application Security Center and Quality Center offerings. Analysts at Gartner Inc. see the Fortify-HP accord as a new (and particularly welcome) development in application security testing and hardening, inasmuch as it augurs the advent of a new approach -- i.e., integrated SAST and dynamic application security testing (DAST) -- to vulnerability detection.

"SAST and dynamic application security testing … techniques are complementary," write analysts Joseph Feiman and Neil MacDonald, in a Gartner research blast. "[V]endors have greater vision if they integrate static and dynamic testing to increase the breadth of application life cycle coverage and the accuracy of vulnerability detection, thus better serving enterprises' strategic security needs."

There is, of course, a mutual self-interest angle as well. Fortify is a leader in the SAST segment but doesn't currently offer a DAST product. HP is a leader in DAST, and despite its efforts on the SAST front (Feiman and MacDonald specifically cite HP's DevInspect SAST), doesn't yet offer a DAST product.

It's a shortcoming that HP needed to redress -- if not by partnership then by acquisition -- if it hopes to make good on its ambitions in the application security testing space, where it's currently battling IBM Corp., among others, for market bragging rights.

"[A]n alternative that resolves HP's aspirations to become a leader in SAST and in the overall application security space would … [have been to acquire] a leading SAST vendor, such as Fortify," Feiman and MacDonald write, acknowledging that its new accord with Fortify helps HP achieve much the same thing. On the other hand, they point out, a partnership doesn't give HP the exclusivity that an outright acquisition would have.

"The partnership is not exclusive, and both vendors will continue marketing their respective products independently. Their development and sales teams will start working together on the upcoming integrated offering. Until then, the vendors will not resell each other's products," they write.

Feiman and MacDonald nonetheless see the partnership as a key win for HP because it helps the computing and services giant counter Big Blue, which fields creditable DAST and SAST technologies. "The combined solution should offer strong competition to IBM, which, like HP, is leading in DAST, and has developed its own SAST capabilities for leadership in application security."

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.