Security UPDATE, Web exclusive, April 16, 2003
* SECURITY INDUSTRY TRENDS: CONSOLIDATION AND INTEGRATION
If you've watched security companies in general over the past year, a noticeable trend seems to be emerging: consolidation. What might consolidation mean for the security segment of the computer industry as a whole?
Large companies, such as Computer Associates (CA), Network Associates, Symantec, and Internet Security Systems (ISS), have over time built suites of products. Whereas in the past, a given security technology vendor might provide one or two products, larger vendors now offer several products integrated into suites and into even broader management platforms.
Although many security management platforms are available, complete cross-platform communication between different vendors' products is still uncommon. Of course, software development kits (SDKs) support some interactivity, such as virus scanners communicating with firewalls to prevent viruses from entering a network. But by and large, cross-platform communication (vendor to vendor) among security products is still a challenge.
The current situation is probably natural. After all, vendors want to protect and enlarge their market space. But is that really beneficial to computer users as a whole? How can niche security vendors continue to compete? Interoperability might offer an answer.
The Organization for the Advancement of Structured Information Standards (OASIS) [http://www.oasis-open.org/home/index.php] recently announced a new standard, the Application Vulnerability Description Language (AVDL) [http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl]. According to the description, AVDL "is a new security interoperability standard being proposed by leading application security vendors as part of the OASIS standards process. The goal of AVDL is to create a uniform way of describing application security vulnerabilities using XML."
AVDL's effect will be to let security-related applications interoperate. Initially, five companies are proposing AVDL: Citadel Security Software, GuardedNet, NetContinuum, SPI Dynamics, and Teros. The five companies offer a range of security products that detect vulnerabilities, automate vulnerability remediation, aggregate event and log information, protect Web applications, and more. With a standard such as AVDL implemented in the listed security categories as well as other product categories, users who don't buy single-vendor suites can more easily integrate information sources for reporting and action.
But which other companies [http://www.oasis-open.org/about/contributors.php] will support AVDL? Many large companies support the OASIS project, but fewer actually contribute to it. I think that the larger companies might prefer to consolidate rather than to integrate.
The security market's consolidation trend might be similar to the last decade's consolidation within the ISP market and the communications market. Smaller companies were often either forced out of the market or assimilated by larger companies. How long can niche security companies last, even if they have great products?
I think AVDL is a good way for niche vendors to team up for expanded interoperability, and it might offer a survival strategy in the consolidating market. AVDL would let users build a sort of "virtual suite" of individual products of their own choosing. At the same time, AVDL could help niche vendors avoid having industry giants squash them out of the market over time if consolidation becomes a key market factor, as we witnessed with ISPs and communications companies.