HP Security App Takes Life Cycle Approach

Seven months after ending a two-way lawsuit over patents with competitor Cenzic, Hewlett-Packard (NYSE: HPQ) has unveiled the latest release of its Application Security Center.

This new version ensures applications are tested for security throughout the development process, from requirements all the way through production, instead of testing after the application has already been created, cutting development costs and enhancing security.

HP will offer the product in Software as a Service, or SaaS, form.

“The life cycle approach seems obvious in retrospect; you can’t add security at the end,” Billy Hoffman, manager of the HP Web security research group, told InternetNews.com.

Traditionally, developers have “always viewed security vulnerabilities as something the IT staff takes care of” because, previously, security problems were at the infrastructure level, which IT maintained. Now that the infrastructure has become relatively secure, hackers are directly attacking the application, Hoffman said.

The situation has been exacerbated by the increasingly complex and rich applications offered, “with the explosion in the past year or two of AJAX applications and Rich Internet Applications (RIAs), and the trend among businesses to put more and more functionality out there for the user,” Erik Peterson, HP’s senior director of products for Application Security Center, told InternetNews.com.

Securing applications is not about user rights, access control and identity management; it's about finding unintended functionality in the applications, Peterson said.

For example, an e-commerce site looks up database tables to check a customer’s credit card number and shipping address, and its unintended functionality is that it can be tricked into reading and dumping all the information in that table into a hacker’s account.
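The lookup described above, as an added illustration that is not part of the article or of HP's products: a customer lookup built by string concatenation exposes the "unintended functionality" (one crafted input returns the whole table), while the same query written with a bound parameter does not. Table layout, sample rows and the crafted input are all constructed for this example.

```python
import sqlite3

# Constructed sample data (not from the article): the kind of table an
# e-commerce site consults when checking a customer's card and address.
SAMPLE_ROWS = [
    ("alice", "4111********1111", "1 Main St"),
    ("bob", "5500********0004", "2 Oak Ave"),
    ("carol", "3400*******0009", "3 Pine Rd"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (customer TEXT, card TEXT, address TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, customer):
    # Intended functionality: return one customer's card and address.
    # Unintended functionality: the name is pasted into the SQL text, so
    # input containing a quote rewrites the WHERE clause itself.
    sql = f"SELECT customer, card, address FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, customer):
    # Parameterised query: the driver binds the value as data, so it can
    # never become part of the SQL grammar, whatever characters it holds.
    sql = "SELECT customer, card, address FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Hypothetical input no real customer name would contain; against the
# vulnerable lookup it turns "one customer" into "every row in the table".
TABLE_DUMP_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(len(lookup_vulnerable(db, "alice")))           # 1
    print(len(lookup_vulnerable(db, TABLE_DUMP_INPUT)))  # 3, the whole table
    print(len(lookup_hardened(db, TABLE_DUMP_INPUT)))    # 0
```

A dynamic scanner of the kind the article describes finds this by sending such inputs and watching whether the response size or content changes; the fix is the bound parameter, not input filtering.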

Building security into an application from the start holds down development costs — it’s “100 times more expensive to fix a software vulnerability just before it’s going out the door or after it’s shipped than to fix it right from the start,” Hoffman said.

The foundation of HP Application Security Center is the HP Assessment Management Platform. DevInspect (for developers), QAInspect (for QA teams) and WebInspect (for operations and security experts) sit on top of the platform.

DevInspect combines static and dynamic analysis of code, and supports Microsoft Visual Studio 2008, Visual Studio 2005 and Eclipse.

QAInspect includes security-defect management capabilities that let QA teams filter, prioritize and assign defects based on the risk to the business; WebInspect has been enhanced with faster runtimes and improved scanning accuracy for the most frequently exploited vulnerabilities, including cross-site scripting and Structured Query Language (SQL) injection.

HP will offer Assessment Management Platform in SaaS mode.

The HP Web Security Research Group has added and updated checks in Application Security Center for RIAs, including critical vulnerabilities in Apache and MySpace plug-ins, and researched new security issues for Web 2.0 technologies, including AJAX, Adobe Flash and Microsoft Silverlight.

The new security checks are automatically updated for customers within 24 hours, whereas the industry standard is every quarter, according to Peterson. "A lot of our customers see updates two to three times a day," he added.


The back story

HP acquired SPI Dynamics last September, as the latter was locked in a legal battle with Cenzic.

Back in September 2006, SPI Dynamics had sued Cenzic for allegedly violating its method of locating vulnerabilities. In July 2007, Cenzic fired back with its own lawsuit, five months after getting a patent for its own vulnerability search method in February.

Last October, one month after HP bought SPI Dynamics, the lawsuits were settled, with HP and Cenzic agreeing to cross-license each other's technologies.

Developers heavily criticized Cenzic’s suit. Many of them believed Cenzic’s patent had no merit and that its countersuit was essentially a move to delay HP’s acquisition of SPI Dynamics.

Still, HP’s announcement did not impress Peter Christy, an analyst at Internet Research Group — especially the SaaS part of it.

“HP is interested in SaaS, and it’s of high strategic importance to HP Labs, and they were talking about offering printing as a service,” he told InternetNews.com.

“They have competitors — Cenzic — that already offer vulnerability testing as a service rather than as software, so in this case, it’s one specific HP business playing catch-up with the competition.”
