Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:30 AM

Consolidate This

The M&A bug bites proactive security, but convergence will have to wait

Everyone's talking about consolidation in the security market, and with good reason – lots of M&A activity has occurred. So what’s going on behind the scenes financially, and where will this trend leave us? Will security practitioners be left holding the bag? Most importantly, what impact will consolidation have on the nascent proactive security market?

Convergence versus consolidation
Two distinct threads run through the security market: consolidation and convergence. The first involves the unremitting development of energetic, innovative startups. These little guys are often the targets of consolidation, especially in the form of rollups. One quintessential example of a security rollup is Cybertrust, which bought a number of little companies (and some medium-sized ones like TruSecure) and assembled them into something bigger than the parts alone. In the end, Cybertrust built a company with annual revenues just north of $200 million.

Another rollup-like example is EMC Corp. (NYSE: EMC), with its acquisitions in the data security market, buying up little companies like Authentica and Documentum in order to bolster its data protection capabilities. Of course, EMC has bigger fish to fry, what with its recent $2.1 billion purchase of RSA Security Inc. (Nasdaq: EMC) It seems EMC has become a convergence point.

You see, eventually companies the size of Cybertrust and RSA themselves become targets for mega-corporations. Case in point: Verizon Business ’s $400 million purchase of Cybertrust, which closes this week. (See Verizon Grabs Cybertrust.) Cybertrust was acquired with a multiple on revenue of around 2 – the kind of valuation typical for a services company, even one where the services are heavily commoditized.

The Cybertrust/Verizon deal is more of a convergence than a consolidation. Similarly, the BT Counterpane deal is what I would call a convergence deal. (See BT Buys Counterpane.)

So what exactly is converging in these situations? The convergence involves network security as a commodity service being packaged together with other network-related utilities. If you are a large company, you need certain utilities such as Internet bandwidth and telephone services – and you need security as well. Convergence with the telecom sector makes great sense in the network security market of firewalls, intrusion monitoring, and extrusion detection. Incidentally, that’s why managed security services make a great deal of sense when it comes to network operations and monitoring. These are reactive security solutions.

Probably the two top convergence plays going strong now are IBM Corp. (NYSE: IBM), which bought Internet Security Systems Inc. last August for $1.3 billion, and Symantec Corp. (Nasdaq: SYMC), which bulked up and shifted toward the enterprise with its record-breaking $13.5 billion merger with Veritas. (See IBM Up-Ends Security Services Market.) Convergence is good for the overall security market, because it helps to spread the security “meme” far and wide. If decent network security becomes as ubiquitous as the telephone, that will be a great development for reactive security.

Proactive security is different
The real problem is that the computer security disaster we have created for ourselves looms as large as ever, even as the security market grows to gargantuan proportions and security companies rake in billions of dollars. At the heart of the problem is an emerging conundrum: The kinds of services ripe for convergence are not the kinds of services that can solve the security problem. Reactive network security can only go so far. If we want to get a handle on the unmitigated growth of the computer security problem, we have to build better software.

Software security has certainly come a long way since I wrote Building Secure Software with John Viega way back in 2000. The security market is maturing, demand is very high, and people are beginning to realize how much work remains to be done. A broad realization of the importance of software security is dawning, especially in the financial services market.

The first generation of tools created for the software security market (proactive security) is the Web application security testing tools. I call these tools badness-ometers – affectionately, of course. Black-box testing tools are great because they can help the clueless or the overly optimistic to understand that there is indeed a huge software problem... with their own software! Black-box testing tools are also dangerous, however, because passing all of the tests built into one of these tools does not mean your Web app is secure.

The upshot is that as long as badness-ometers are treated as badness-ometers and not security-meters, we’re OK.

Interestingly, the top two software badness-ometer companies were recently acquired: SPI Dynamics was bought by Hewlett-Packard Co. (NYSE: HPQ) for around $100 million (a multiple on revenue of 5.5), and Watchfire Corp. was bought by IBM for around $85 million (a multiple on revenue of 2.8). (See Want Turns to Need.)

The question is just what impact the consolidation bug will have on the proactive security market. Both HP and IBM are probably counting on Web app security testing tools to be mature enough for use by QA people (that is, non-security people who focus on software testing for a living). If that were true, then every QA department out there would need a few copies. We’ve debated the question of whether these tools are ready to be wielded by QA long and hard at Cigital, and the jury is still out.

There are pros and cons. If QA people could effectively use badness-ometers, awareness of the magnitude of the software security problem would grow, which would be excellent. However, if QA people find themselves over their heads in security nonsense, not much will come of the first wave of consolidation, at least for HP and IBM. What would be really interesting is if the large security services organizations at HP and IBM started applying badness-ometers in all of their projects. Demand for solutions to solve the problems that these tools find would skyrocket.

In the end, it's nice to see software security – the proactive security market – continuing to grow. Expect more consolidation as this trend continues. Convergence will have to wait.

— Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-26
libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAND_bytes()/RAND_pseudo_bytes(). This could lead to use of a non-random/predictable session_id.
PUBLISHED: 2020-10-26
An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application usi...
PUBLISHED: 2020-10-26
Ruckus through is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.
PUBLISHED: 2020-10-26
Ruckus vRioT through has an API backdoor that is hardcoded into validate_token.py. An unauthenticated attacker can interact with the service API by using a backdoor value as the Authorization header.
PUBLISHED: 2020-10-26
In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the `tag` input] or manage to alter the value of [the `GITHUB_REF` environment variable]. The problem has been patched in version ...