June 19, 2007 9:08 AM PDT

What's behind the security acquisition spree?

by Jon Oltsik

It must be buying season in the security industry, because there seems to be a new acquisition announced each day. Two recent purchases grabbed my attention. Last week, IBM bought application firewall vendor Watchfire, adding the company to its Rational Software division. Not to be outdone, Hewlett-Packard on Tuesday grabbed application vulnerability tools vendor SPI Dynamics, adding value to another recent addition, Mercury. Why all the activity in the application security space?

1. Web applications are the binary equivalent of Swiss cheese. Many are written rapidly by developers who are paid to add new business logic and meet deadlines. Security testing is often eschewed.

2. Developers have limited skills. How many leading computer science programs teach secure software development? Not many. Carnegie Mellon and Berkeley have programs, but these are relatively new. If you graduated from MIT in 1999, chances are that your security coding chops aren't very good.

3. The bad guys know about the Swiss cheese and limited developer skills. Some of the holes are so big that hacking Web applications is like "shooting fish in a barrel" to the black hat community.

The logic behind these acquisitions is simple: if you can't build security in, then at least layer it on. This is blasphemy to purists, but it's better than nothing. HP and IBM recognize this and see their development tools businesses getting sucked into the security scrum anyway. Might as well have a homegrown solution of some sort.

These purchases make sense for HP and IBM, but we as an industry still must recognize and deal with the fact that we are writing poor code. Personally, I would love to see the software industry get together and be more active in raising the visibility of this issue, working with leading technical schools, and promoting secure development training. Microsoft is onboard with its SDL, and Oracle works with Fortify to add security to its code (although there are incestuous relationships between these two companies). Secure development benefits everyone, so in the words of the immortal Rodney King, "Why can't we all get along?"

Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.