Separate from an economy in recession I’m excited to be a part of market with a healthy, if not impressive, growth clip. Gary McGraw (Cigital) published his Software Security annual revenue numbers for 2008. By combining software security tools, Software-as-a-Service providers, and professional services it comes really close to a half billion dollars. This means a lot to us vendors, their investors, and would be acquires -- for average enterprise, feel free to ignore. Instead focus on the particular solutions you need rather than basing vendor selection on prevailing winds. To do otherwise is similar to buying a house locally based upon national real estate averages.
2008 showed scanning tool (black and white box) sales as continuing to climb, but the heavily fragmented pen-testing side are those who are pulling in the lions share of the cash. This is to be expected if I was right about the general market migration mirroring that of network security. Time will tell. However, there was some analysis where I had to take issue with some of Gary’s conclusions, to which I’m hopeful he’ll set me straight.
"In 2007, the white box code review companies’ combined revenue eclipsed the black box Web app testing tool vendors’ combined revenue. As Figure 2 above shows, this trend continues in 2008. I think this is a very healthy development, demonstrating that the market is becoming ever more interested in solving software security issues and not simply diagnosing them."
Not so fast! Is that really fair to assume? By the same logic could we also conclude that McDonalds offers better meat than Morton’s (a popular steakhouse) because of the volume sold. Or, is that equally unfair? Here's another bit that doesn't feel right and deserves context...
"I am aware of 35 large-scale software security initiatives currently underway."
Certainly there are more than 35 deployed Web Application Firewalls in the world (or even in the U.S), but we wouldn’t automatically conclude that organizations are happier to band-aid the software (in)-security problem than fix it at the source.
When it’s all said and done, I like numbers. Publish what we have, good or bad, analyze them and improve overtime.