August 18, 2010
HP picks up Fortify for ~$250M

HP buys Fortify and the rumor mill says it’s for ~$250M. Fortify’s bookings in 2008 were $43M and not much more in 2009, so they got around a 5x multiple. Fortify went through five rounds of funding to raise $40M in VC money.

The main players in code analysis for security testing, and their 2009 bookings, are:

· Fortify/HP: $44M
· IBM/Ounce: $10M (est.)
· Veracode: $10M (est.)
· Checkmarx: revenues unknown
· Armorize: revenues unknown

Total market size: about $100M.

The mistake Gartner and others have made is grouping companies like Coverity and Klocwork, which account for almost $80M in revenue, into this market. These companies aren’t true security companies: their business is finding software quality issues in C/C++ code for embedded systems. Very little of their business is based on finding vulnerabilities in Java or .NET, the programming languages that comprise most of the applications that hackers attack. (Sure, they find buffer overflows, but those are far from the preponderance of security headaches these days.)

HP and Fortify have been negotiating for more than a year, starting just after Ounce Labs was bought by IBM. In the case of Ounce Labs, it was a well-known “secret” that Ounce was dying and IBM picked up the company in a fire sale. Fortify, although not profitable, had some cash on hand and wasn’t in a hurry, so the process got drawn out. But Fortify had a business model problem: to succeed, the python needed to swallow the pig. In other words, Fortify needed a large deal or two every quarter to meet financial goals, such as the (rare) $7M US Air Force deal in 2008. But finding the pig often proved as elusive as finding the truffle. This meant Fortify’s cash position could often get tenuous. It’s possible, though I don’t know, that Fortify missed a quarter or the current quarter looked bleak, accelerating the acquisition. It’s also possible they landed a big pig that suddenly made them seem more attractive.

When a big company buys a smaller one, many call it validation. This is certainly true in this case, but the challenge of making code analysis a broadly accepted technology remains. If you study code analysis for security a little more deeply, one thing becomes clear: it’s a rich man’s sport. Just look at the BSIMM project: all the companies used as prototypes are quite wealthy and can afford to deploy it across many development teams. But no small or medium business makes the list. Why? Code analysis is hard to do and hard to deploy. The challenge HP and IBM now have is to build a large market that appeals to a spectrum of companies, large and small, so that code analysis becomes embraced by the mainstream, much as network firewalls are used by everyone.
