
Software Security Market

Information Security budgets are pretty crufty: they are an accumulation of decisions, but the analysis that led to those decisions is rarely revisited, so it just snowballs. The typical Information Security budget is therefore a legacy artifact from the era when the network was the greatest vulnerability. Gary McGraw took a pass at reviewing the numbers (*) in software security, breaking down software security sectors such as tools and services (note to Gary - I think Aspect does more than just training!). This is great work by Gary to get these numbers and see the real changes occurring in software security. Here were his findings on software security tools:

One of the most important developments in the software security market can be seen in the tools space which, combined, almost doubled to $150-180 million. Top of list are two major acquisitions that closed in 2007: Watchfire's purchase by IBM (somewhere in the range of $120-150 million on 2006 revenue of $26 million) and SPI Dynamics's purchase by HP (for around $100 million on 2006 revenue of $21.2 million).

...

The black box space was flat in 2007, with IBM/Watchfire checking in at $24.1 million and HP/SPI Dynamics earning $22.3 million. Smaller companies in the space, including Cenzic, Codenomicon, WhiteHat and the like had combined revenues around $12.5 million (a growth of 25%, though Cenzic grew 16% and WhiteHat 52%). Most of the growth "hiccup" in the black box market can be attributed to the serious challenges posed by any acquisition. So far 2008 looks to be back on track from a growth perspective in the black box testing space. The global reach that IBM and HP offer is already making a big difference.


On a more positive note, static analysis tools for code review grew at a healthy clip in 2007 into a $91.9 million dollar market. Fortify was up 83% to $29.2 million. Klocwork grew over 60% to $26 million. Coverity grew over 50% to $27.2 million. Ounce Labs tripled their revenue to $9.5 million.



These are very nice growth numbers; what company doesn't want 83% growth? However, the total picture is not so good. Gary's estimate shows the software security tools space coming in at $150 Million total, yet a company like Checkpoint, which won the network security war in 1995, has earnings of around $900 Million! One single network security vendor is 6 times bigger than the entire software security space?!? Complete UTTER Madness!

This is the stupefying, stultifying effect of budget cruft, where the decisions made in The People's Republic of Information Security have no bearing on the reality of threats or even on a business case.

Let's look at networks. Obviously Cisco is the biggest; they earned $39.5 Billion last year. Pretty stellar. So spending $900 Million (Checkpoint) to defend $39.5 Billion seems like a pretty good deal.

Except, let's compare software security spending - last year Microsoft earned $60 Billion, SAP $16 billion, and Oracle $22 Billion. That is about $98 Billion, and you are going to "defend" it by allocating $150 Million worth of software security tools?

                                    Network          Software
Asset Value                         $39.5 billion    $98 billion
Security Investment                 $900 Million     $150 Million
Security Investment as a
  percentage of asset value         2.28%            0.15%

This table greatly disturbs me. From a prioritization standpoint, The People's Republic of Information Security is misaligned by orders of magnitude. Next time you read about a data breach, or see an auditor's report with thousands of findings, you won't have to wonder how it happened. It happened because Information Security doesn't have its eye on the ball.

Consider that software security tools could grow 50% a year for five years and still be half of where Checkpoint is today!

I see the outcomes of backward-looking, crufty decisions by Information Security every day - one or two software security sherpas heading out to work with thousands of developers, while the network security people sit around, read the newspaper, and go home every day at 5.

The optimistic way of looking at all this data is that there is major room for growth in software security. If you take Checkpoint as a target, then the software security space should evolve to around 2% of the software space, meaning it should grow into a $2 billion space, around fifteen times larger than it is today. Unprotected assets will either be protected or will cease to be assets. VCs, get your check books ready.

Update: Brian Chess says 2007 was the turning point - "the first year there was a bigger market for products that help you get code right than there was for products that help you demonstrate a problem exists."

* Gary collected the numbers himself and confirmed them with Gartner. See his article for more.

Comments

Very good post, again.

However, that 900M x 150M comparison does not seem to be "apples to apples" to me. Organizations buy security to protect the network as a system, not its components. When we're talking about software security and looking at the software numbers we are looking into tools to protect components (software pieces). The security of network and software components (like routers and Windows) is usually out of our hands, I mean, it's provided by the vendors. So, we buy security to protect the network as a single system and security to protect "tailor made" software. It's hard to know if comparing the amount spent on these two different things has any meaning at all.

Gary credits that he got those numbers from Gartner - you should credit them.

Augusto,

If I write a web application and stick it in front of SAP (which runs my entire business), then I open up port 80/443 to talk to the portal and SAP directly, what security services is the firewall offering my application?

Authentication? authorization? auditing? confidentiality? integrity? availability? Content validation?

From an app standpoint - I think none of these things.

Hi Gunnar,

I'm not sure how you came up with your total for the space, which is too low. Here's what I said in the original article:
"All told, the software security market for tools and services in 2007 was worth somewhere between $275-300 million. If you factor in application firewalls (probably accounting for $50 million), the number is even higher."

I think your ratios are still interesting, but the space is pretty much larger than your post implies. The reason this matters is that when a space approaches $500M, the analysts start covering it. We can see that now in software security. We're at an important threshold!

gem

Hi Gary

I got the number from your article on the total tools market. I did not include services because I was comparing to Cisco and Checkpoint, which have minimal services.
