Synopsys announced its intention to acquire WhiteHat from NTT for $330 million in cash. WhiteHat was acquired by the Japanese telecommunications provider NTT back in 2019. The subsidiary was later rebranded to NTT Application Security. In the press release, Synopsys emphasized the strength of the WhiteHat brand, its dynamic application security testing (DAST) offering, and the SaaS capabilities that the acquisition brings.

Synopsys’ superpower has been acquiring great products and integrating them to create an application security portfolio while valuing the expertise they bring — previous acquisitions include Tinfoil Security (2020), Black Duck (2017), and Cigital (2015). This portfolio has largely focused on application security products on-premises, which has helped Synopsys win and retain aerospace and defense, financial services, and automotive customers who need sensitive data to stay onsite.

Synopsys Gains A More Credible SaaS Story

WhiteHat gives Synopsys an immediate boost in its SaaS offerings. Synopsys’ Polaris SaaS platform launched in 2019 for customers looking to offload operational responsibility of application security testing but who require a different sales, services, and development motion than their on-prem offering. SaaS is part of WhiteHat’s DNA. WhiteHat brings not only development and security chops but also heavy hitters from other SaaS application security vendors in its go-to-market team.

WhiteHat Finally Gets A Chance To Level Up

For the folks at WhiteHat, the acquisition is promising. No longer a tiny fish in a giant telecom pond, the WhiteHat team will be partners at the table, bringing much-welcomed DAST and SaaS expertise to a company that has experience with application security and talent retention.

This Acquisition Is Fraught With Challenges

What was left out of the press release is more interesting than what was included. Over the next several months, Synopsys will need to address the following questions:

  • What about Tinfoil? Synopsys already has a DAST offering. Synopsys acquired Tinfoil Security in January 2020 for its DAST and API testing offering. At the time of the acquisition, API testing was newer, and Synopsys seemed to have more interest in the API security portion of the product than the DAST portion. But questions still remain about whether Tinfoil’s DAST measures up and what happens to the Tinfoil brainpower when WhiteHat is brought on board.
  • How will Synopsys address the SAST and SCA overlaps? Also omitted from the press release were WhiteHat’s newly released Vantage SaaS platform powered by ShiftLeft and WhiteHat’s other product offerings: SAST, SCA, MAST, and eLearning. What does Synopsys do with the WhiteHat technology when it already has competitive products in overlapping spaces?
  • Will automation or manual intervention win out? In recent years, WhiteHat has made strides toward automation and away from its manual scan reviews performed by security professionals. These types of labor-intensive reviews seem antiquated in the face of DevSecOps or even the “secure everywhere” movement, which demands modernization, speed, and accuracy.

Time will be the final arbiter on the acquisition. If past performance is an indicator of future success, however, Synopsys just took a step into the future with new customers and a SaaS bent.

(written with Isabelle Raposo, research associate at Forrester)