When IBM and HP made their recent purchases (Go Big-Blue!) there was a lot of uneasy stirring everywhere. Some from genuine concern, some from pure jealousy. There were of course little sneers aimed at sowing fear in the hearts of automated web scanner clients. Shaking up what looks like a pretty sturdy future. It fueled the belligerent fire that was already burning. Recent back-and-forths got to a point where even Ory, who usually stays away from this, had to comment on them in a recent blog post. It's all degrading into a weird Latin-American Telenovela. In that case, the upside of these purchases (and future ones, I'm sure) is the calming effect. People tend to feel a bit more secure in a large nest. In addition, big companies frown when employees make them look bad with inconsiderate trash-talk. It looks like that's just what is needed: a little adult supervision. Like street gangs, some are resorting to cyber-graffiti. We all want to feel rebellious and anti-establishment, but it needs to calm down before someone gets cyber-violent on somebody.
The final trash-bit that prompted Ory's comments was answered in a classy fashion. Very classy. Nicely done. Very grown up. This? Not so much. The link, sadly, is no longer there... I guess the adults were keeping an eye out after all. I'm referring to an interesting, to say the least, response to a recent court filing of Cenzic vs. SPI. There has got to be a better way of expression than schoolyard rules. The hacking world (web-application research or not, it's still hacking) is feared and misunderstood in the world, and this does not really inspire the kind of feelings that say "Hey, these guys are serious, professional, and we should all take notice". Really? A sarcastic, juvenile "Yo' Mama" was the best thing you could come up with? An adult, intelligent human being?
Save it for the basketball court. We all feel passionate about our work, but it can certainly be kept on a professional level.
Now, don't get me wrong. I'm sure that 17th- and 18th-century mathematicians trash-talked each other in the back of the chapels: "Newton stole my derivation for that..." and "I can show Euler where he can shove his graph for this...". I'm sure that if Farnsworth vs. Zworykin and Marconi vs. Baird had access to the blogosphere, they would be every bit as nasty as we can be. Albeit a little more clever, I would bet.
And they sued. Oh man, did they sue. Which brings me back to IBM.
IBM holds about 40,000 patents worldwide. It has generated and filed for tens of thousands more, I would imagine. Now, IBM isn't looking to corner any markets with these ideas. They're not going to generate the next $100BN in revenue. Microsoft crossed the 5,000 mark in 2006. Contrary to common opinion, Microsoft generates the bulk of its revenue from cornering markets, not from suing for patent rights.
So why are they doing it? Why invest millions in research and in patent applications? 40,000 patents represent hundreds of millions of dollars in filing fees alone. Well, they serve as a counterweight in cross-licensing patent agreements. Besides being bitter business enemies, IBM and Microsoft have one of the biggest cross-licensing agreements out there. "Share and share alike" may be an over-generous description, but it is certainly beneficial for everyone. Whoever does the best job wins. That's how the big boys play it. That's how the adults manage their business.
I wonder how many people have heard of Farnsworth or Zworykin. The number of people who have heard of Marconi is larger by several orders of magnitude (albeit still not enough people are aware of him). Why? Because at the end of the day he did a better job. He made a better radio and gave us a better TV. No matter who was there first and who owns this patent or that.
We've talked about the OS wars. I have no strong feelings either way. I want what's easiest for me to use. And at the end of the day, if we have more competition, we're all better off. The only reason we should want Mac and Linux to charge forward is so the world can get a better Windows! In that case, everyone wins. (I'm a Mac user, if anyone out there wonders.)
Everyone should understand, as has been remarked before, that we need to synergize (how markety of me) pen-testing, code scanning, and automated testing. But in each field, we must have fair and professional competition. Otherwise, all the world will get is a crappy Windows-esque application for our web-application security needs.
Suing for patent rights on something so vague and all-encompassing is truly the last resort of the desperate. It won't get anything done. Patent cases take years and years, and they have never saved a company from market forces. They make a lot of lawyers wealthy, but nobody ever got rich from hard work, they say (SCO vs. Linux, anyone?).
Anyway, we need to be a bit classier in our collaborations and competitions. Academic research on one hand and business competition on the other. They are not mutually exclusive.
We should give each other credit for the work, and still out-do each other in the field.
Dare I ask: Why can't we all just... get along? (You have to imagine Jack Nicholson asking this of the Martian ambassador for the right effect, although his being stabbed in the back undermines my point.)
Last note: I used Telenovela as a counter to Ory's Soap Opera because this will not go on forever, and the end is predictable.
Does this also spell the end for companies just starting out that feel that they could create a webapp security scanner (aka fault-injector) that is superior to FortifySoftware Tracer, Acunetix, SyHunt, Hailstorm, beSTORM, AppScan, WebInspect, and Veracode?
Where are these companies? Why don't they exist? What's going to happen to the web application vulnerability scanner market?
Posted by: dre | August 22, 2007 at 09:31 PM
Not necessarily.
First of all, remember that this is a young industry. I hail from the Telecom industry, where you're still an up-and-coming company if you've only been around for 10 to 15 years. Give them time. The market will grow, and we will see a fourth option in the future (to pen-testing, code scanners, app-scanners). It's the nature of things.
The "legacy" telephony platforms got blindsided by VoIP. I'm sure we'll get blindsided by something new. God knows what Silverlight and the like hold in store for us.
The industry will grow. More and more of our lives migrate to the web. There will be plenty of technologies to hack and to protect. Plenty of space to roam in. Plenty of money to be made.
Someone is always looking for the next web search-engine, the next firewall, the next application server. They will look for the next tool to make their web-application safer.
Posted by: Shahar Sperling | August 22, 2007 at 11:04 PM