Arms race M&A in application security

Contact: Brenon Daly

If IBM and Hewlett-Packard basically matched each other’s deal size in the first round of M&A for application security, HP has gone much bigger than Big Blue in the second round. In fact, we gather that the price tag for HP’s recent purchase of Fortify Software is more than 10 times larger than the amount IBM paid last summer for rival static code analysis vendor Ounce Labs. (When IBM announced the deal, we speculated that HP may well work out its own tit-for-tat deal, reaching for its partner Fortify.)

Terms weren’t revealed on either the Fortify or Ounce Labs transactions. However, we gather that IBM picked up Ounce Labs for about $25m and that HP likely paid about $275m (including an earnout) for Fortify. Our understanding is that Ounce Labs garnered roughly 3 times trailing sales, while Fortify went for about 4.6x trailing sales of about $60m.

Those deals, which were separated by roughly a year, came after both tech giants had made acquisitions of dynamic code analysis vendors within two weeks of one another. Back in mid-2007, IBM purchased Watchfire for an estimated $140m, roughly matching HP’s $135m acquisition of SPI Dynamics. Both transactions were done at more than 5x trailing sales, according to our understanding. For those keeping track of the arms race M&A by these two tech superpowers, the collective bill for their application security purchases now exceeds a half-billion dollars.

Select application security acquisitions

| Date announced | Acquirer | Target | Deal value | Target trailing revenue |
|---|---|---|---|---|
| August 17, 2010 | HP | Fortify Software | $275m* | $60m* |
| July 28, 2009 | IBM | Ounce Labs | $25m* | $8m* |
| June 19, 2007 | HP | SPI Dynamics | $135m* | $20m* |
| June 6, 2007 | IBM | Watchfire | $140m* | $30m* |

Source: The 451 M&A KnowledgeBase

*451 Group estimate