Watchfire: Is Your Site Seaworthy?
By Baselinemag | Posted 2005-03-07
Watchfire helps companies identify security vulnerabilities in their Web sites.
Watchfire's mission is to make sure a Web site won't be looted by pirates, or sink because the crew failed to make it watertight, as it sails the Internet's oceans.
The company started nine years ago with a simple tool that found Web links that pointed to nonexistent pages. Now a 200-employee company, Watchfire has moved beyond fixing broken links to offer software and services that monitor a slew of potential problems with a company's sites.
Its products can discover, for example, whether a site fails to meet government privacy regulations or if it's susceptible to someone stealing customer data using a hack that exploits a vulnerability in the way certain databases deliver packets of information to Web applications. "If you have hundreds of thousands of Web pages, there's no way you can be sure they're conforming to policies or standards except by using automated tools such as those from Watchfire," says Brian Tretick, a principal with Ernst & Young who has used Watchfire products to analyze clients' security and privacy practices.
What's not so great about Watchfire? Customers say its pricing is inflexible. Analog Devices, a semiconductor maker in Norwood, Mass., pays $108,000 per year for WebXM Quality, which scans 300,000 pages and provides 36 reports on such areas as page-loading times. Janelle Oveson, Analog Devices' e-business manager, says WebXM is "a proven tool; it's reliable and it works." But she'd prefer to purchase reports à la carte, because her team doesn't use all of the product's features. "Their pricing is an all-or-nothing proposition," Oveson says.
Another caveat from customers: AppShield, the Web application firewall Watchfire obtained when it acquired Sanctum last year, is complex software, and even an experienced technician can unintentionally cripple a Web site with it. That's because it allows only predefined behavior, so any Web applications written with nonstandard code may also be blocked.
"When we deployed AppShield, we thought we'd created all the right rules," says Jason Painter, network security engineer at laser equipment maker Coherent. "Then we turned it on and got complaints from our customers that the site wasn't working."
That's why it's important that a security expert analyze the results of Watchfire's site-scanning tools in collaboration with a site's Web developers, says Paul Petersen, security manager for international law firm Baker & McKenzie: "A security person alone probably wouldn't be able to interpret the results."
Revenue: $30M to $50M annual run rate
Funding to date: $42M
Investors: Altamira, Banc of America Equity Partners, Goldman Sachs, Kodiak Venture Partners, Polaris Venture Partners, RBC Dain Rauscher, Sprout Group
Coast Software, IBM, Kavado, Keynote Systems, Mercury Interactive, Microsoft, Segue Software, Teros, Vignette
Retail: Home Depot; Sears, Roebuck & Co.
Financial: AXA Financial, Bank of America, Charles Schwab, H&R Block, Wells Fargo
Pharmaceutical: GlaxoSmithKline, Merck, Novartis, Wyeth Pharmaceuticals
Manufacturing: ChevronTexaco, John Deere, Procter & Gamble
1996 Founded as Tetranet Software in Kanata, Ontario
1999 Changes name to Watchfire
2001 Receives $25M in second-round funding
2002 Names Peter McKay president and CEO
2004 Acquires Web security software vendor Sanctum
Sources: Company reports, Baseline research