Hewlett-Packard Co. is offering a new assessment service that aims to place security design at the beginning of the software development lifecycle, in light of the vulnerabilities, some yet to be catalogued, that applications could be housing.
An application can house multiple vulnerabilities, many of which have not been identified, fixed, patched and listed in the U.S. National Vulnerability Database, which contains some 40,000 known entities, said John Diamant, secure product development specialist with Palo Alto, Calif.-based HP.
“We believe the number of unique vulnerabilities is in the order of 800,000,” said Diamant.
With the new Comprehensive Applications Threat Analysis service, HP will perform an analysis of the application to be developed, its functionality, and how and where it will be deployed in order to enhance, not replace, the traditional security assurance process, said Diamant.
“It’s a service and an approach designed to address a severe IT-wide security assurance problem,” he said. “The cost of fixing defects goes up by some degrees of orders of magnitude over time … from the beginning to the end of the lifecycle,” said Diamant.
The service has two components: Security Requirements Gap Analysis to ensure apps reflect security requirements, and Architectural Threat Analysis to ensure a degree of resiliency in the app design.
James Quin, lead research analyst with London, Ont.-based Info-Tech Research Group Ltd., said there is certainly value in a service offering that aims to place more priority on security assurance in the development lifecycle, but the question is whether businesses will make use of it.
“Whether it is undervalued enough to warrant the development of an entire service bureau is debatable,” said Quin.
That said, Quin thinks there is potential for a market for HP’s new service. The challenge among development teams is one of conflicting priorities crammed into a short timeframe, where security assurance often takes a back seat to core functionality, he said.
Follow Kathleen Lau on Twitter: @KathleenLau