HP Security App Takes Life Cycle Approach

Application Security Center will tackle security from the start.

By Richard Adhikari | Posted May 28, 2008
Page 1 of 2
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

Seven months after ending a two-way lawsuit over patents with competitor Cenzic, Hewlett-Packard (NYSE: HPQ) has unveiled the latest release of its Application Security Center.

This new version ensures applications are tested for security throughout the development process, from requirements all the way through production, instead of testing after the application has already been created, cutting development costs and enhancing security.

HP will offer the product in Software as a Service, or SaaS (define), form.

"The life cycle approach seems obvious in retrospect; you can't add security at the end," Billy Hoffman, manager of the HP Web security research group, told InternetNews.com.

Traditionally, developers have "always viewed security vulnerabilities as something the IT staff takes care of" because, previously, security problems were at the infrastructure level, which IT maintained. Now that the infrastructure has become relatively secure, hackers are directly attacking the application, Hoffman said.

The situation has been exacerbated by the increasingly complex and rich applications offered, "with the explosion in the past year or two of AJAX (define) applications and Rich Internet Applications (RIAs), and the trend among businesses to put more and more functionality out there for the user," Erik Peterson, HP's senior director of products for Application Security Center, told InternetNews.com.

Securing applications is not about user rights and control and identity management; it's about finding unintended functionality in the applications, Peterson said.

For example, an e-commerce site looks up database tables to check a customer's credit card number and shipping address, and its unintended functionality is that it can be tricked into reading and dumping all the information in that table into a hacker's account.

Building security into an application from the start holds down development costs -- it's "100 times more expensive to fix a software vulnerability just before it's going out the door or after it's shipped than to fix it right from the start," Hoffman said.

The foundation of HP Application Security Center is the HP Assessment Management Platform. DevInspect (for developers), QAInspect (for QA teams) and WebInspect ( for operations and security experts) sit on top of the platform.

DevInspect combines static and dynamic analysis of code, and supports Microsoft Visual Studio 2008, Visual Studio 2005 and Eclipse.

QAInspect includes security-defect management capabilities that let QA teams filter, prioritize and assign defects based on the risk to the business; WebInspect has been enhanced with faster runtimes and improved scanning accuracy for the most frequently exploited vulnerabilities, including cross-site scripting and structured query language, or SQL (define) injections.

HP will offer Assessment Management Platform in SaaS mode.

The HP Web Security Research Group has added and updated checks in Application Security Center for RIAs, including critical vulnerabilities in Apache and MySpace plug-ins, and researched new security issues for Web 2.0 technologies, including AJAX, Adobe Flash and Microsoft Silverlight.

The new security checks are automatically updated for customers within 24 hours, whereas the industry standard is every quarter, according to Petersen. "A lot of our customers see updates two to three times a day," he added.

Next page: The back story

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter