SAP Ups Enterprise Security Ante With Deal To Resell HP Fortify

SAP is stepping up its push to secure Fortune 1000 enterprise applications with an announcement Wednesday that it has signed an agreement for its direct sales force to resell Hewlett -Packard's Fortify application security software.

The deal extends an SAP reseller relationship that already covers HP's LoadRunner software aimed at analyzing and preventing application performance problems.

SAP is teaming Fortify not only with LoadRunner, but also with its own SAP Code Vulnerability Analzyer. "That is a very compelling offer for customers at a key time when people are trying to figure out how they reduce these vulnerabilities so they are not the next Sony or the next Target," said Tom Roberts, SAP Global Vice President of Third Party Solutions.

[Related: HP Making Security Push Heading Into Discover Event]

The deal was driven in large part by customer demand, including a Middle East client that experienced a data breach and reached out to SAP to help secure the business, said Roberts. "That spurred some of the discussions to accelerate the relationship with HP around Fortify," he said.

SAP looked at the full spectrum of security offerings on the market and decided that HP had the best product set focused on end-to-end applications from quality testing to application security, said Roberts. SAP is offering the solution under the name SAP Fortify Software by HP.

HP, which has been somewhat of an underdog in the security market, recently was recognized as a leader in the application security testing market in the 2014 Application Security Testing market for HP Fortify.

The end-to-end approach to security that is being championed by HP is a big differentiator for SAP, which has seen Fortune 1000 demand for solutions that cover the full IT spectrum from application code testing to application security, as "opposed to just trying to plug a hole," said Roberts.

"That is very unique," Roberts said of the end-to-end SAP enterprise application security philosophy. "I would argue it is the only way to be successful at security. If you don't look at that full spectrum, from quality to security, you are going to end up with vulnerabilities. All the (security) best-of-breeds have to be coupled with something else or they will fall short. They will all do great at what their focus is, but it's like when somebody can't see the forest for the trees. It is the gaps between the trees where the vulnerabilities come from."

That end-to-end technology focus supports a National Institute For Standards and Technology report that found 92 percent of exploitable vulnerabiltiies are from application software, said Roberts. With many enterprise customers augmenting or adding to applications in a move to the cloud, the chances for application vulnerabilities go up considerably. "That is where vulnerabilities start to get introduced," he said.

Although the initial focus is on SAP's direct sales force, Roberts said the company will look closely in the future at the possibility of getting SAP solution providers to sell the Fortify security product in the midmarket.

"We are going to do that once we get established on the direct sales side," said Roberts. "Over time, we'll look at the economics and make sure it makes sense for solution providers. I think there is an opportunity there, but that is the second phase of this."

The HP third-party solutions agreement is only one of about five-to-seven that SAP inks each year and one of about 40 overall as part of a focus on extending the SAP ERP franchise with additional products, said Roberts.

"There is a deep investment to make sure of the interoperability and that all of the pieces make sense," he said. "There is a deep due diligence on these decisions. It isn't just shaking hands over dinner."