DevSecOps acquisitions follow enterprise IT shift

The shift to DevSecOps has changed who buys enterprise IT security products, triggering IT vendor consolidation and new tools that target secure application development.

IT pros still debate the exact definition of DevSecOps. For some, it describes organizational changes and who takes responsibility for securing IT resources. For others, it's about which tools are used to secure applications, and in which parts of the application lifecycle. So far, the common ground among the various DevSecOps definitions is that IT organizations are thinking more collaboratively about how to build secure applications.

This shift fundamentally changes the way those organizations evaluate and buy IT vendors' products.


"Developers and security are working more closely together, and more tools are being built for developers to be able to do security checks in the course of their day-to-day jobs," said Daniel Kennedy, an analyst at 451 Research, a division of S&P Global.

The firm's research on the use of application security tools between 2015 and 2020 showed 70% security users in 2015, which shifted to a 50/50 split between security pros and developers in 2020.

M&A activity spurred by this trend has continued for the past two years, but analysts report steady acceleration. In 2019, the 451 Research M&A KnowledgeBase identified nine DevSecOps acquisitions; in 2020, that increased to 16. So far in 2021, 451 Research has tracked 21 DevSecOps transactions.


Among this year's DevSecOps mergers, there are three broad themes: the consolidation of previously specialized security tools; increased integration between security monitoring and IT performance monitoring tools as part of a concurrent shift toward application observability; and the alignment of security functions with DevOps software development and deployment processes, also known as "shifting left."

IT security specialists combine

Cloud-native security company Okta's $6.5 billion acquisition of Auth0, first announced in March and completed in May, is a good example of a vendor pushed to appeal to developers.

Okta established itself among enterprise DevOps organizations concerned with distributed IT infrastructure as they moved to cloud computing. Auth0's tools also address access to cloud resources, but focus on helping developers integrate their applications with identity management services.

Financial ratings company Moody's has used Okta's Advanced Server Access, single sign-on (SSO) and multifactor authentication products over the past few years to maintain security amid a cloud migration, a transition to containers and its own M&A activity. Most recently, the company used Okta's SSO tools to accommodate a shift to remote work during the COVID-19 pandemic.


"We have done a lot of work with different use cases and Okta," said George Kurian, senior vice president of cybersecurity services for New York-based Moody's. "Now we're working on unifying our application development, single sign-on ... and mobile experiences."

Kurian hadn't decided whether to use Auth0 as of early April, but said he was open to considering it in the future.

"Auth0 gives me a great toolkit to [plug] into my application, so my developers don't have to figure out how to do it," he said. "We don't have a lot of public-facing apps ... [but] there are some products like Moodys.com, and some of the new environmental sites that we're setting up, that it would be useful for."

Elsewhere, the increased popularity of Kubernetes for cloud-native applications brought security vendors together from adjacent areas of container-based infrastructure. Aqua Security acquired infrastructure-as-code security player Tfsec in July, while Sysdig folded in infrastructure-as-code security tools from Apolicy.

IT security and monitoring merge into observability

Sysdig, founded in 2013 as a container monitoring platform, was among the first such vendors to add security monitoring to its products, a combination that is increasingly the norm.

Sumo Logic, originally a cloud-based log monitoring vendor, has followed a similar path. It acquired security analytics company JASK last year to add to its security information and event management (SIEM) software. This year, Sumo acquired security orchestration, automation and response software vendor DFLabs. Application performance monitoring vendor Datadog also expanded its security capabilities with the acquisition of Sqreen in February.

For existing users of these monitoring products, acquisitions can be a double-edged sword, depending on how much the acquisition overlaps with tools the customer already has.

"The level of effort for us to change tools is very high," said Andy Domeier, senior director of technology operations at SPS Commerce, a Minneapolis-based communications network for supply chain and logistics companies. "The value proposition is harder to explain for an existing customer you are trying to get to switch, as opposed to a brand-new customer."

However, for Domeier, a Sumo Logic customer, JASK has been a welcome addition.

"We had been in the market specifically for that technology," he said. "In that case, we would like to use Sumo Logic. Why would I want to shovel the logs into another tool for SIEM?"

Sysdig's expansion also includes cloud security posture management (CSPM), a growing category where future consolidation is also likely.


"Some vendors are looking to get a broader view of overall enterprise risk management," said Fernando Montenegro, an analyst at 451 Research.

Security shifts left, and right

With DevSecOps, IT organizations integrate application security into the DevOps delivery process much earlier. In response, security automation software vendors snapped up security test automation vendors, as with Palo Alto Networks' acquisition of Bridgecrew, completed in March.

CI/CD vendors such as JFrog shifted left and built such tools directly into application release pipelines. More recently, these vendors have also begun to "shift right," sending production data back to developers so they can prioritize fixes. JFrog took a step into this realm with its Vdoo purchase in June.

Meanwhile, GitLab users anticipate that the company's acquisition of artificial intelligence/machine learning (AI/ML) vendor UnReview in June will eventually have DevSecOps implications. UnReview identifies suitable code reviewers during the software development process and manages code review workloads.

"Having the tool identify experts in specific coding areas will cut a lot of the delay in getting the right resource," said Doug Rickert, senior product security manager at Here Technologies, a location services and mapping company based in the Netherlands.

Finally, DevOps infrastructure platform vendors such as VMware and Red Hat are building in security automation capabilities. Red Hat was among the vendors that kicked off this year's M&A spree with its acquisition of Kubernetes security vendor StackRox in January. Red Hat parent company IBM recently acquired BoxBoat, which is working with the Department of Defense on container-based software supply chain security. In March, VMware revealed plans to add security policy capabilities acquired with Mesh7 to its Tanzu Kubernetes platform.

"When something becomes an expectation in the market, large vendors start to tuck it into their offerings," said 451's Kennedy. "DevOps has been around for a while now, and cloud-native, container-based applications, so now security capabilities are expected."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.