opinion

The SOA Marketplace

Software leaders provide their perspective on developments in the services-oriented architecture space and how it will impact the industry.

Athens and Sparta

Tony Baer

Jun. 11, 2007

We've noted in the past that, when it comes to safeguarding service levels in SOA, there's been a disconnect: the service level agreements hammered out by business process owners are typically enforced using tools targeted at software developers. There has been little connection between monitoring service level agreements with SOA tools and dealing with the realities of the data center.

All too often, the same has proven true when it comes to enforcing the security of web applications. Software developers, who are supposed to be the intellects or artists of IT, typically know little about IT security. Conversely, security staff, who act as the armed guards or soldiers of the data center in repelling intrusions and hacks, know little about software architecture.

So we were intrigued last week when IBM disclosed its intention to buy Watchfire. Until now, you typically didn't see security checks within the design and development phases of the software life cycle. But IBM's offer could take what is currently a niche tool, used by security specialists once a web app is live or just about to go live, and inject the process at several points along the software life cycle. That's because IBM is the first household name to show an interest in tooling that probes applications for security soft spots.

Watchfire is part of a small but growing group of providers who automate the ethical hacking of web applications (others include SPI Dynamics and Cenzic). In Watchfire's case, the tool stores signatures of known vulnerabilities and attacks, much as antivirus tools store not the virus itself but its signature. (Cenzic takes a different tack, recording end-to-end sessions through the browser.)
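What a signature-driven check of this kind looks like in practice, as an added example written for this column (it is not Watchfire's, Cenzic's or IBM's code): each signature pairs a probe with the response pattern that betrays a flaw, the scanner fires every probe at every input, and a match is a finding. The target is a constructed, deliberately weak WSGI app plus a hardened twin, called in-process so nothing touches the network; the routes, parameter names, probes and patterns are all assumptions made for the demo.

```python
"""Added example: a signature-driven web-app check run in-process.

Illustrative code for this column, not any vendor's product. The target app,
its routes, the probes and the signature patterns are constructed for the demo.
"""
import html
import re
from urllib.parse import parse_qs, urlencode


def vulnerable_app(environ, start_response):
    """Constructed target: reflects input unencoded and leaks DB error text."""
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    path = environ.get("PATH_INFO", "/")
    start_response("200 OK", [("Content-Type", "text/html")])
    if path == "/search":
        term = qs.get("q", [""])[0]
        return [f"<h1>Results for {term}</h1>".encode()]      # no output encoding
    if path == "/item":
        item_id = qs.get("id", ["1"])[0]
        if not item_id.isdigit():
            # mimics the verbose error a naive string-built query would leak
            return [f"Error: You have an error in your SQL syntax near '{item_id}'".encode()]
        return [f"<p>Item {item_id}</p>".encode()]
    return [b"<p>ok</p>"]


def hardened_app(environ, start_response):
    """Same routes, with output encoding and a generic error for bad ids."""
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    path = environ.get("PATH_INFO", "/")
    if path == "/search":
        term = html.escape(qs.get("q", [""])[0])
        start_response("200 OK", [("Content-Type", "text/html")])
        return [f"<h1>Results for {term}</h1>".encode()]
    if path == "/item":
        item_id = qs.get("id", ["1"])[0]
        if not item_id.isdigit():
            start_response("400 Bad Request", [("Content-Type", "text/html")])
            return [b"<p>Invalid item id</p>"]
        start_response("200 OK", [("Content-Type", "text/html")])
        return [f"<p>Item {item_id}</p>".encode()]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<p>ok</p>"]


# One signature per known weakness: the probe to send and the response
# pattern that only a flawed handler would produce.
SIGNATURES = [
    {"name": "reflected-xss",
     "probe": '"><xss-probe>',
     "pattern": re.compile(r"<xss-probe>")},               # marker echoed unencoded
    {"name": "sql-error-leak",
     "probe": "1'",
     "pattern": re.compile(r"error in your SQL syntax", re.I)},
]

# (path, parameter) pairs to probe; an assumed inventory for the demo.
TARGETS = [("/search", "q"), ("/item", "id")]


def fetch(app, path, params):
    """Invoke a WSGI app directly (no socket) and return (status, body)."""
    status = []

    def start_response(s, headers, exc_info=None):
        status.append(s)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "QUERY_STRING": urlencode(params)}
    body = b"".join(app(environ, start_response))
    return status[0], body.decode("utf-8", "replace")


def scan(app, targets=TARGETS):
    """Return (path, param, signature) for every probe whose signature matches."""
    findings = []
    for path, param in targets:
        for sig in SIGNATURES:
            _, body = fetch(app, path, {param: sig["probe"]})
            if sig["pattern"].search(body):
                findings.append((path, param, sig["name"]))
    return findings


if __name__ == "__main__":
    for finding in scan(vulnerable_app):
        print("FINDING", *finding)
    print("hardened build:", scan(hardened_app) or "clean")
```

Run as a build step against the hardened build, a non-empty result from `scan()` is what a QA-stage gate would fail on; that is the concrete form of moving this kind of check from a post-deployment specialist task into the development life cycle.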

Watchfire has a fairly impressive customer base of around 800, concentrated in financial services, healthcare, and government. Nine of the top 10 global banks are Watchfire customers. IBM is proposing to add it to the Rational brand, with targeted integrations to Tivoli.

Although Watchfire has until now been primarily a tool used by security specialists, it has a loose arrangement to exchange data with Fortify, whose tool checks for security vulnerabilities at the source code level (static analysis, as opposed to Watchfire's probing of the running application). Significantly, Fortify is also a Rational partner, and once the Watchfire deal closes, it could become another logical acquisition target for IBM, as its tools could fit even better with Rational's testing tools.

What's interesting is that rival Cenzic predicts there will be more consolidation in this space. On one side, application life cycle management vendors like Borland, Compuware, and Serena are logical suitors, since security testing belongs in the QA stage of the life cycle.

But we'd like to make a bit of a further reach: how about HP? Like IBM, it has testing, IT governance, and infrastructure management offerings. Roughly half of Cenzic's installed base uses HP/Mercury testing tools, and the company has been certified to interface with Mercury Quality Center. Of course, since Mercury dominates the test market, Cenzic's ties are hardly unique.

But that doesn't mean HP/Mercury shouldn't one-up IBM here. Maybe it's a poker face, or maybe HP has other things on its plate, but Cenzic's marketing VP Mandeep Khera maintained that the two companies have had no marketing-related discussions since HP completed the Mercury acquisition.


Tony Baer, principal of onStrategies, is a well-published IT analyst with over 15 years background studying implementation issues in enterprise systems, application development, data management, and business intelligence. Baer's commentaries and rants on the state of the IT market are available here.
