1) Cenzic is recasting their Hailstorm ARC product as a central reporting dashboard for competing commercial web application vulnerability scanners (AppScan, WebInspect, Fortify, etc.). A webappsec SIM? Organizations that buy copies of multiple scanners do so because during evaluation the reports were wildly inconsistent (the PCI Council noticed this as well). So some organizations buy it all to get “more coverage”. What seems odd is that Cenzic is placing less emphasis on the value of their vulnerability identification and repositioning as a central UI, previously described by Network Computing as “An Unpretty Face”.
2) Watchfire (now IBM), bastion of scanner products, is now promoting the enterprise value of Software-as-a-Service (SaaS) for web application vulnerability assessment!!? Inconceivable! The equivalent would be if Qualys all of a sudden started offering a network scanner product and hyping the ROI of in-house scanning. I guess I should be flattered, since WhiteHat has been pioneering the model since 2003. The webappsec VA market is definitely moving towards services, and the battle is going to be won in terms of ease of deployment/use/scale.
3) Google buys everything, even security companies apparently. So why would Google build their own black box fuzzing tool (it’s called Lemon) to scan their websites for XSS and SQL Injection? I mean, it’s not like they’re short of cash or anything. Maybe they decided rolling their own would be more effective than buying a commercial product. That would be telling. Or, with the purchase of Watchfire and SPI Dynamics putting the stand-alone web application vulnerability scanner market in limbo, Google wants a piece of the action. I’m sure Chris Hoff would make me eat my words again if they did that. ;)