Combination of run-time vulnerability scanning and detailed code analysis could help close gaps in apps

Dark Reading Staff, Dark Reading

November 9, 2007


Application security, in the forms of vulnerability scanning and secure software development, is a "must-have" for medium-sized and large enterprises. The recent $10 million U.S. Air Force deal – spearheaded by Fortify’s source code analysis product and incorporating Web application scanning from Watchfire and database scanning from Application Security Inc. – is becoming a common method of buying and implementing app security solutions.

The trend is driven by businesses' need to build stronger security into their application development practices. Blending run-time scanning for vulnerabilities with static source code analysis lets vendors (and their customers) link application vulnerability scanners with secure software development products.

What's driving this trend? First, the proliferation of applications. Major enterprises have tens of thousands of applications – and software development distributed all over the planet. The world has changed from a relatively few monolithic applications designed for centralized mainframes to a wide range of lighter-weight distributed applications.

In this new world, organizations correcting a vulnerability in the source code of one application need to be able to easily detect similar vulnerabilities across all applications, and schedule in-house and outsourced engineering appropriately.

A second driver is enterprises' awareness that new vulnerabilities are discovered every day. Every patch announcement by a major vendor sends ripples of activity throughout development organizations. This point has been brought home by the entire compliance effort, which forces enterprises to constantly measure the effectiveness of their controls, including scanning for vulnerabilities and monitoring configuration controls.

Third, software development lifecycles (SDLs) are extending to include feedback from runtime scanners. Structured SDL processes have proven to be a cost-effective means of plugging vulnerabilities, and organizations definitely prefer to fix application vulnerabilities in the source code, rather than rely on security filters in the data path.

However, the SDL should also extend to take in run-time feedback from production applications, so that vulnerabilities observed there can be mitigated at the source. Fortify has developed a Web application security capability, and IBM/Rational scooped up Watchfire to get this expertise.

A fourth driver is the trend toward consolidating application vulnerability scanning under a single vulnerability management function. Organizations presently scan for such things as Web application vulnerabilities, database vulnerabilities, network configurations, and security device configurations. Enterprises are moving to consolidate this activity within their IT organizations to achieve greater operational efficiencies.

This trend makes sense. Core Security and Qualys have already added Web application scanning to their product portfolios. Expect to see more mergers and acquisitions among vendors to help speed this consolidation.

A fifth and final driver is that service-oriented approaches are making progress in the mid-markets. Medium-sized organizations may not have investments in large engineering teams and SDL products, but they still need applications that can operate 24/7 and be resilient to security threats. Service approaches from companies such as White Hat and Veracode help make application security tools easier to use by a broader market. McAfee's acquisition of ScanAlert also promises to be exciting, bringing Web application security scanning to smaller businesses.

The integration of run-time vulnerability management with structured analysis of source code is changing the face of application security. Scanning vendors, fueled by per-scan pricing models, are finding more functional areas to scan, and are promoting linkages to SDL products.

Meanwhile, SDL vendors are branching out to get the critical run-time information that can best protect all of the organization's applications, and not just the ones that are scanned. This is a healthy consolidation that can only help mainstream security into the operational core of the business.

— Eric Ogren is the principal analyst and founder of the Ogren Group, a firm specializing in consulting services for security vendors. Ogren's background includes more than 15 years of enterprise security experience with both the Yankee Group and Enterprise Strategy Group. Ogren has also served in a variety of senior positions at vendors including Tizor, Okena, RSA Security, and Digital Equipment. Special to Dark Reading.
