Software Security $$$ Numbers
August 12, 2008
On my trip out to DC a few weeks back I stopped over to see Gary McGraw for a bit. One of the things he showed me was some numbers on security companies’ revenue and growth. I can’t say I was sworn to secrecy on this, but he did say he was going to write something about it so stay tuned. True to his word, Gary pinged me today with a link to the article – Software [In]security: Software Security Demand Rising.
There are some good summary points that I’ll make in a bit, but I was actually quite surprised at some of the numbers – there are a few companies in there that are making a lot of noise, and are very well respected, but aren’t making all that much money. I’ll leave it to you to figure out who I’m probably referring to.
Security tools are certainly growing, and the numbers that Watchfire and SPI sold for are in the ranges I’ve heard mumblings about. I’m still concerned at those valuations though, as whenever I’ve used these tools I’m always disappointed with the results – they seldom find stuff a good pen tester can find in a few hours. I guess their benefit comes through regression testing and when (if?) they are "trained" on the app. There’s a huge investment in getting these testing tools to any kind of reasonable level, although I still think they have a *long* way to go.
Good to see that Gary has included the services side of the space in here as (he notes) it’s really hard to track. I’ve heard more than one person say that the west coast is doing a lot of business in pen testing whereas the east coast is doing code reviews / threat modeling / architecture type work. I’m not sure that I see it as that cut-and-dried, but it’s an interesting observation if Gary is seeing it (and he would see it more than I would with all the connections he has). In any case, I would agree that pen testing is a good *starting* point as clients get a lot of "bang for their buck" and it’s a way of pointing out how broken things are. What is necessary then is to build backwards into why the software/system got like that in the first place. The danger however is when the pen tester doesn’t find all that much, which provides very little leverage towards taking a deeper look – clients consider systems "safe" if nothing major has been found in the 2 weeks someone might have had to have a look, whereas it’s been well documented that attackers can take a very long time to get to know a system before attacking it.
Finally, in summary, I think there’s good news in the software security space. Despite the looming recession in the USA (which, face it, if it does happen the rest of the world will inevitably feel some consequences), the space is continuing to grow nicely. The reason, I think, is just as one poster on the MFE Yahoo message board put it (I don’t know why I go there because it’s full of crap) – most companies are defensive, and just because a recession is coming you don’t lower your insurance premiums. Companies know that their weak points are more and more their software, so they are attempting to protect them. For people in the space that’s good as skills are in great demand – pretty much every security company I know is trying to hire, but having problems in finding good people.
I guess this is a "wait and see" situation, but it’s good for Gary to gather and put together these numbers outside of the hugely expensive Gartner reports. It does however look like security in general, and software security specifically, is getting the attention that it deserves.