The acquisitions of rivals Watchfire and SPI offer Cenzic an opportunity to increase market share

With a new product fresh out the door and its two largest rivals recently acquired by massive IT bellwethers, applications security testing specialist Cenzic contends that it’s ready to reap the rewards of remaining independent.

Ever since IBM announced that it was buying rival applications vulnerability scanning provider Watchfire in June, and HP followed suit by picking off competitor SPI Dynamics later the same month, Cenzic has been playing up its status as the largest independent player left in this red-hot segment.

Researchers at Stamford, Conn.-based Gartner are predicting the applications security testing market will grow to over $200 million in revenue in 2007, compared to $125 million in 2006 and just $70 million in 2005. Cenzic has been promoting its place as the only major stand-alone provider left in the space as a major advantage: The company launched an official swap-out program aimed at convincing Watchfire customers to move to its products, and also introduced a new set of tools this week that promises to integrate testing data taken from both Watchfire’s and SPI’s vulnerability scanning systems.

Company leaders maintain that Cenzic can grow rapidly at the expense of its newly acquired rivals by virtue of its not being tied to a specific software development framework — both IBM and HP are working to meld their acquisitions into their respective Rational and Mercury platforms — and turning its products into a virtual console that can pool scanning results with those of other vendors’ tools.

While Watchfire and SPI may become de facto testing systems for new applications being produced using HP and IBM’s development platforms, many more customers are still in need of scanning programs that can scrutinize programs that are already live, said John Weinschenk, chief executive of Santa Clara, Calif.-based Cenzic.
In larger enterprises that use multiple development frameworks there will also be a need for tools that cross-reference and compile applications’ vulnerability data from all the available platforms, the CEO said.

That confluence of factors, along with superior testing capabilities in Cenzic’s testing products and services, Weinschenk predicted, will lead to unparalleled growth of the firm.

“These acquisitions may help a lot of people involved in testing during pre-production, but there’s still a much larger market for testing applications that are already out there,” Weinschenk said. “People want to compare results across these systems and that’s still painful to do using multiple products; our ability to port-in data via XML from both Watchfire and SPI gives us an advantage with those types of customers.”

On a more fundamental level, IBM and HP are betting that customers want to begin transferring vulnerability testing responsibilities from security teams over to software developers — a dramatic shift that will need time to take root, Weinschenk said.

As the two massive companies work to fold the acquisitions into their frameworks for use by quality assurance teams and developers, Cenzic will continue to market itself to the security professionals that are buying such tools today — and already have the budget to do so, he said.

“We could have merged with a quality assurance company ourselves, but we don’t want to go that route — especially with both of these companies being acquired, which should create a lot of new demand for our services,” Weinschenk said.
“The future of security testing may sit with applications builders, but that’s not how these products are being consumed today.”

Some industry watchers believe that Cenzic will benefit from the rapid consolidation of the applications scanning space — even those who recognize that vulnerability testing will indeed someday be left primarily to developers.

In the immediate vacuum of independent providers created by the recent acquisitions, Cenzic will need to balance the short-term opportunity with its long-term vision, however, analysts said.

“The buyers of these tools are typically security teams which report to a different authority than applications testers. Because of that, there will still be a market for stand-alone security testing tools, and that market won’t go away soon,” said Dr. Chenxi Wang, analyst with Forrester Research, in Cambridge, Mass. “It will take time for the mentality and spending to shift; with Watchfire and SPI being acquired by platform providers, Cenzic is in a position to leap up and take more market share.”

With its service provider model, which allows customers to license products to test one application at a time, Wang said Cenzic should also fare well with smaller and medium-sized businesses — even though she believes that applications testing duties will pass to developers over time.

While Cenzic officials deny they are looking for a buyer in the near term, Weinschenk contends the firm could be in line to cash in at a later date. Based on a scarcity of rival testing providers, the CEO believes Cenzic could garner more than its rivals received from IBM and HP, though financial details of those deals were not released.

Software development giants such as HP and IBM may have already cast their lots, Weinschenk said, but security leaders including Symantec will someday be hot to enter the applications security space as the segment becomes more profitable.
At least one analyst agreed that such an opportunity could arise.

“Symantec appears to have serious plans around application security, and to realize that they will need more tools for scanning Web sites. Cenzic is still standing, so it’s a possibility,” said Eric Ogren, an independent security analyst based in Stow, Mass. “But Cenzic will really need to execute on its business plans and find ways to add more value to their offerings if that is ever going to happen.”

Ogren said Cenzic’s move to cast itself as an uber-console for applications testing projects won’t likely generate that level of interest, but adding some capability to help customers fix the software vulnerabilities discovered by its products just might do the trick. “If they can take scanning of sites and combine that with source code analysis, for instance, they could do well because right now nothing like that exists,” Ogren said. “A lot of people are looking to combine the development and production sides of the house, but those are two very different skills. At this point there’s nothing available that bridges them together.”

Other industry watchers said Cenzic clearly trails both SPI and Watchfire in terms of revenue, customers, and product maturity, and pointed out that both competitors will continue to seek customers outside of their parent companies’ development shops while their products are being integrated.

Joseph Feiman, analyst with Gartner, said that applications security testing will likely not exist as a stand-alone market in several years when tools have been successfully melded with development systems and programmers have been trained to use them. In the meantime, there should be room for many market participants to grow, but Cenzic should do so with a strategic eye toward its future, he said.

“I don’t see anything out there that reflects negatively on the vision of either HP or IBM.
The market is in consolidation and has entered the M&A stage, and I have doubts about standalones being able to compete at some point,” said Feiman. “Cenzic was behind its rivals in terms of execution, but the truth is that they have a strong opportunity now as a majority of enterprises are still only considering acquiring one of these technologies, so there’s plenty of room for growth.”