HP's App Security Center Upgraded and Delivered as a Service
- By John K. Waters
Hewlett-Packard may not be the first name that comes to mind when the conversation turns to application security, but since its acquisition of SPI Dynamics last year, HP has increased its investment in research, product enhancements, and new services in the application security area.
This week, for example, the Palo Alto, CA-based company is showing off new features in its Web application security suite, called Application Security Center, along with a new Software as a Service (SaaS) delivery model.
"When it comes to security, organizations have traditionally focused on their networks, deploying firewall technologies, or locking down their servers by deploying host or network IDS or IPS technology," said Erik Peterson, director of products for HP's Application Security Center group. "But they haven't been watching their applications, which have emerged as the soft underbelly of the Internet."
The HP app security group was born with the SPI Dynamics acquisition last September. Peterson is a former VP of the acquired company.
The Application Security Center comprises four products designed to work together to fit into different phases of the application development lifecycle, Peterson explained. "There's this classic gap between the security teams and the application teams," he said in a recent interview. "We're bridging that gap by approaching security from a lifecycle perspective. Our goal is to provide an organization with the tools they need to lock down, secure, and test their Web applications for security defects from that perspective."
Those products include the HP Assessment Management Platform, the solution's foundation; HP DevInspect, a tool for developers; HP QAInspect, which is aimed at quality assurance teams; and HP WebInspect, for the operations and security experts.
The developer component, DevInspect, is designed to integrate with Microsoft's Visual Studio 2008 and Visual Studio 2005, as well as Eclipse, and to provide security testing capabilities from within these familiar tools. DevInspect 5.0, which is part of this week's announcement, employs an improved "hybrid analysis" technology. This technology combines black box testing and dynamic analysis capabilities in a single tool.
HP also disclosed plans to offer the HP Assessment Management Platform as a service. Through Software-as-a-Service (SaaS), customers will be able to centralize all of their Web-application-security-assessment programs into a single solution maintained and managed by HP SaaS, the company said.
Security experts have been talking about the need to secure the application layer for a few years now, but businesses seem finally to be taking the idea seriously. Some scary statistics are likely fueling that interest. In its 2007 Internet security threat report, Symantec stated that 61 percent of all IT vulnerabilities discovered today can be attributed to application-level flaws. In a recent survey, analysts at Forrester Research found that 77 percent of enterprises and SMBs now consider application security to be an important IT initiative, and 35 percent have already adopted or plan to adopt app security measures this year.
"The attacks that we're seeing today on the Web have gone from kids trying to gain a little fame by defacing your Web site to professional criminals who are making real money," Peterson adds. "Because people and organizations are doing so much business on the Web, that's where the pros are directing their attention from an attacks perspective."
The enhancements to HP Application Security Center are available now. The new SaaS services are expected in August.
John K. Waters is a freelance journalist and author based in Palo Alto, CA.