Tuesday, August 12, 2008

Application Security Vendors Counting their Millions

Software security sage Gary McGraw (CTO, Cigital) published his market research on what he believes are the 2007 revenue numbers for application security vendors. Speaking for myself, I can neither confirm nor deny the accuracy of this data, certainly when it comes to WhiteHat.

Fortify: $29.2 million
Coverity: $27.2 million
Klockwork: $26 million
Watchfire (IBM): $24.1 million
SPI Dynamics (HP): $22.3 million
Cenzic + Codenomicon + WhiteHat: $12.5 million
Ounce Labs: $9.5 million

$150.8 million total for the tools / SaaS market

“The source code analysis space is now larger than the black box testing tools space….”

Sort of, but more on that in a moment.

“Tools don't run themselves”

Ain’t that the truth.

“The hard-to-track software security services space checks in around $100-140 million in 2007, with growth just shy of 20% over 2006. Services can be divided into three tracks: training (around $7 million), risk assessment ($45-60 million) and penetration testing ($50-75 million).”

I’m not sure about the risk assessment number, but I’m thinking the estimates for training and penetration testing is probably orders of magnitude lower than they should be. The rates for larger players including IBM Global Services, Verizon, Symantec, Ernst & Young, PwC, and KPMG aren’t cheap. And to some extent neither are the smaller players such as Matasano, SecTheory, iSec, Leviathan, Denim Group, Foundstone, Gotham, NGSS, FishNet, Aspect, SANS, IOActive, Immunity, NTO, NGS, BlueInfy, Net-Square and dozens of other regional players. No wonder the overall market totals are tough to track, but each takes their piece of the pie.

I believe when it comes to the black-box testing of web applications, services are likely 5x larger than the tools industry – especially if you consider that few organizations these days haven’t had a professional vulnerability assessment (and its tough to capture international sales as well). The opposite is true for white-box testing where tool purchases a way more common due to the costs of a line-by-line source code review by a consultant. Then we have WAF sales driven by VA sales, which makes sense because an organization typically must identify a need before they can justify the fix. The same was true of network firewalls, patch management, and A/V markets.

All in the all trajectory for the entire web application security segment is going up, and fast. PCI-DSS 6.6 is certainly one stimulant, but so is all the web hacking going on these days. Great numbers Gary, thanks for sharing!


Anonymous said...

hi jeremiah,

You bet. The companies I included in my thinking on services were:
security innovation

I was not able to corroborate the services numbers with Gartner since they don't track services companies like they track product companies.

The analysts are starting to track things more accurately now that the space in total is getting up towards 500M. Of note, Gartner and Forrester are particularly active.

Rock on software security.


dre said...

@ gary:

There are 11 other service companies in the US/Canada and at least 4 EMEA that you really seem to have left out of your list. I think that all 11 of the US/Canada ones are obvious, so it really pains me to find them missing.

I'd be curious to see the disparity between Gartner, Forrester, and The Burton Group in their listings of softsec/appsec service providers, even if they don't track their revenue.

Morten Bonde said...

@ Andre:

What are the 4 EMEA companies you feel is missing from Jeremiah's list ???
I am currently looking for European players in this space and could definitely use any pointer you guys have :-)