This week HP/Mercury announced its intention to acquire web application scanning tool company, SPI Dynamics. This is on the heels of IBM/Rational announcing two weeks ago intentions to acquire web application scanning tool company Watchfire. I applaud these moves and wonder what took the ALM (Application Lifecycle Management) tools companies so long to make a move.

I have long been of the opinion that the most significant challenge in IT Security is that of application security. I’ve also believed for a long time that the problem will never get solved until it is addressed at the developer desktop (note: I am including testers and other app dev team members in that moniker). I have watched application security follow the same path as application performance and application reliability before that. It is an aspect of application quality that doesn’t get addressed until there is real pain being felt.

Like performance, companies had to be burned by application security before they took any steps to rectify the problem. And the first wave was a “pull” on education — this is still in process today. Many developers don’t know how to code for security, testers don’t know where or how to look for security vulnerabilities, and the tools that were available were inaccurate time hogs that cost a lot of money and didn’t integrate with the existing software development process and tools already being used. I’m sure this had a lot to do with the slow adoption of source code and web scanning tools. After all, they weren’t being offered by the major ALM players, who were well entrenched in most app dev teams (IBM/Rational, HP/Mercury, Compuware, and Borland).

So now that companies are getting educated on application security and the large ALM vendors (well, the largest two anyway) are acquiring security tools companies, I am more hopeful than ever that we are on our way to addressing more of the application security problem.
Of course, both IBM and HP have a history of mangling acquisitions — Godspeed, SPI and Watchfire!! You’ll need it….