HP preaches early security assurance with new service

Hewlett-Packard Co. is offering a new assessment service that aims to place security design at the beginning of the software development lifecycle, in light of the vulnerabilities, some yet to be catalogued, that applications could be housing.

An application can house multiple vulnerabilities, many of which have not been identified, fixed, patched and listed in the U.S. National Vulnerability Database, which contains some 40,000 known entries, said John Diamant, secure product development specialist with Palo Alto, Calif.-based HP.


“We believe the number of unique vulnerabilities is in the order of 800,000,” said Diamant.


With the new Comprehensive Applications Threat Analysis service, HP will perform an analysis of the application to be developed, its functionality, and how and where it will be deployed in order to enhance, not replace, the traditional security assurance process, said Diamant.

The problem is that development teams tend to take a reactive and costly approach to security assurance at the tail end of the development process, which often results in latent vulnerabilities remaining after development, said Diamant.

“It’s a service and an approach designed to address a severe IT-wide security assurance problem,” said Diamant. “The cost of fixing defects goes up by some degrees of orders of magnitude over time … from the beginning to the end of the lifecycle.”


The service has two components: Security Requirements Gap Analysis to ensure apps reflect security requirements, and Architectural Threat Analysis to ensure a degree of resiliency in the app design.


James Quin, lead research analyst with London, Ont.-based Info-Tech Research Group Ltd., said there is certainly value in a service offering that aims to place more priority on security assurance in the development lifecycle, but the question is whether businesses will make use of it.


“Whether it is undervalued enough to warrant the development of an entire service bureau is debatable,” said Quin.

That said, Quin thinks there is the potential for a market for HP’s new service. The challenge among development teams is one of conflicting priorities crammed into a short timeframe where security assurance often takes a back seat to core functionality, he said.


“As a result, often development teams just don’t have the expertise to appropriately engineer security into applications while under development,” said Quin.

Earlier in June, Armonk, New York-based IBM Corp. announced similar news as part of its “security by design” strategy. The company updated its AppScan product line with the newly released AppScan Source Edition, designed to address security vulnerabilities during application development.

Follow Kathleen Lau on Twitter: @KathleenLau 
