HP may not be known as a regular player in the IT security space, but the company is trying to change that by updating a pair of products it gained through an acquisition almost two years ago.
Late last week the company announced its HP Assessment Management Platform 8.0, as well as WebInspect 8.0 and a set of project services for companies using applications it would host on their behalf. The tools are designed to help organizations scan and test software programs, particularly before they go into production environments.
The products were among the assets HP gained in Sept. 2007 when it completed the acquisition of SPI Dynamics, an Atlanta-based firm, for an undisclosed amount. At the time, HP positioned the purchase as a complement to its service management offerings, given that SPI Dynamics’ tools were already integrated with its Quality Center software.
Nick Bell, senior manager of HP’s products, application security, software and solutions group, said he has seen a big shift in customer awareness around application security issues as more software is accessed through Web browsers.
“If you look at the large enterprises today, there’s a growing number of applications within their organization. It’s gone to tens of Web applications to hundreds of thousands. There are some that have up to 30,000,” he said. “They’re challenged by understanding what applications exist out there, because the business units seem to be the ones who actually own the applications. They’re throwing up these applications all the time.”
The Assessment Management Platform, which starts at US$85,000, is designed to help IT managers run multiple scanning tools, one of which is WebInspect. The products can help users determine which applications contain priority data, said Bell, and which are most vulnerable. WebInspect uses sensors to scan a user’s IP privileges, for example, or do deep auditing and offer suggestions to deal with problems in JavaScript or Flash.
While IBM bought Ottawa-based Watchfire, which provided similar products and services, there aren’t that many other prominent firms that deal with application security specifically, other than Cenzic in Santa Clara, California. James Quin, a security analyst with London, Ont.-based Info-Tech Research Group, said HP may be trying to corner a market that hasn’t grown too large yet.
“They’ve put themselves a little bit behind the eight-ball, because it’s a huge requirement for every organization out there. This could be HP’s way of finding their niche . . . the question is whether it’s too little, too late,” he said. “This is more of a prevention rather than cure type of solution.”
Bell noted that HP recently released SwiftScan, a Flash security tool, for free, in order to help promote HP’s growing presence in application security. He said the company is also trying to appeal to organizations outside the Fortune 500, through software-as-a-service versions of the Assessment Management Platform last year.
“Medium-sized business are becoming increasingly interested, because they don’t necessarily have the resources or all the infrastructure to be able to support this all the time. SaaS gets them access to those kinds of capabilities,” he said.
U.S. customers such as Sony Pictures Entertainment already use WebInspect today to help spot errors that could bring the company in violation of the Sarbanes-Oxley Act. Bell said Canadian firms might be equally interested in using its products and services to help comply with the PCI-DSS regulations.