HP acquires SPI Dynamics and a bunch of old jokes

Jun 19 2007

By Jim Reavis

How do we know the toothbrush was invented in Alabama? The answers to that and other of life’s important questions are contained within.

Today’s information security headlines brought the news that HP has signed a definitive letter to acquire SPI Dynamics, a web application security company based in Atlanta. I have to admit that it wasn’t shocking news, as I have been an advisor to SPI since 2003, or about a generation ago in infosec time. The news is somewhat bittersweet: my daughter graduated from high school last week, and now SPI has graduated from the security venture community to become a part of the Fortune 500. But graduations are mostly happy times; the part of you that doesn’t want to let go of the past is outweighed by the excitement at seeing what the future will bring. The excitement I hold here is to think about how much better off we will all be surfing an Internet in which SPI has a greater influence. As successful as SPI has been as an independent company, its solutions have truthfully only been used to secure a small fraction of the web applications that are out there, and I expect that HP’s market-leading position with its Quality Center software will change that equation dramatically. But I want to reminisce just a bit; I think SPI’s story has some good lessons, whether you want to be an entrepreneur or you are a security architect developing a strategy.

Focus. When I first met with the SPI team in Atlanta in 2003, the application firewall was perceived to be a hot commodity, and there was debate as to whether SPI should follow that path and add an application firewall. The reality is that finding application vulnerabilities and providing real-time attack protection are two very different things, and CIOs wanted their key network infrastructure partners like Cisco and F5 providing this functionality without radical architectural changes. I never met a business that bought their firewalls and scanners as a set. The CIO would buy the application firewall and the CISO would buy the application scanner. Had SPI not decided to focus on the assessment business, they could easily have lost their technical edge in this space. Wherever you are within the security spectrum, you have to find your focus and take it to its logical conclusion.

Security is a part of something bigger.  As a security guy, my ego has a bit of a problem with security not being the center of the known universe.  But this is the truth that we need to reconcile ourselves with.  Every part of information technology is becoming imbued with security, and as a result security as an independent industry is disappearing.  Security is an aspect of the confidentiality, integrity and availability of the systems and data that businesses rely upon, but it isn’t everything.  SPI made a critical observation in 2004 that a huge part of the problem of web application security lay in how the developer and quality assurance communities addressed (or ignored) security, and boldly engaged those communities with no credentials or contacts whatsoever.  They succeeded.  SPI analyzed every part of the software development lifecycle, and found innovative ways to integrate application security within the tools that were already popular within that lifecycle.  SPI certainly didn’t invent the concept of security through the software development lifecycle, but I would argue that they were the first pure security company to champion the cause of developer engagement, which in hindsight has proven to be the right call.  Tellingly, HP has characterized this acquisition not as a security move, but as adding security into their application quality business, which is exactly the way it should be.

Honesty. Security people deal with difficult problems every day, and they don’t like to hear the product companies trivialize those issues. I don’t think I ever heard SPI tell its customers that it provided their total SOX compliance solution in a box. To the contrary, they told their customers that securing applications required a full-court press: we need to engage the developers, we need to be accountable to executives, we must have excellent processes, and we must educate all involved. It isn’t a simple, sexy marketing message, but it is the truth.

Executive commitment. CEO Brian Cohen and VP of Marketing Tracy Simmons have been the most customer-focused security executives I have ever worked with. They have personally shown up at more customer events in out-of-the-way places than anyone I have known. Possibly they are having problems at home or are on the run from the law. Possibly Brian wanted as many occasions as possible to tell you that the toothbrush must have been invented in Alabama, because anywhere else it would have been known as the teethbrush. More likely, I think they care about the customers and want to go to sleep at night knowing that they are solving real problems.

Fun.  Company party.  No pictures please.  Enough said.

Yes, it has been a good ride and along the way I have made some lifelong friends, but the job is not done. This space is getting more important. In case you didn’t notice, the State of Minnesota just last month gave the PCI/DSS standard developed by credit card companies including VISA (an SPI investor) full legal standing. I look forward to watching SPI founder Caleb Sima and the rest of SPI Labs use the tremendous resources at HP to take web security to the next level. I wish HP well in this new endeavor; they are now the stewards of a very important component of application security, managed by some very good people.


Posted by Jim.Reavis on Tuesday, June 19th, 2007, at 7:50 pm, and filed under Articles.