HP Application Security Goes SAAS

HP has expanded its application security business with a series of upgrades.

Hewlett-Packard is taking a software-as-a-service approach to security in its latest push to help organizations secure their Web applications.

The company has plans to launch a service it calls the HP Assessment Management Platform in August to help customers centralize all of their Web application security analysis programs into a complete solution maintained and managed by HP. The announcement comes on the heels of a major upgrade of the company's Application Security Center, which includes new versions of its application assessment and quality assurance programs available today.

"This is HP's first SAAS offering for application security," said Tim Van Ash, director of global service portfolio for HP's software-as-a-service business unit. "In the past we partnered with a third party for infrastructure security assessments as part of load-testing offerings. The issue is how to enable a true enterprise approach and scale, and this can't be done by companies today with limited expertise in both the domain and products. Taking a SAAS approach allows the security team to offer these assessment services to the enterprise to the teams who really need them."

With the upgrade of HP Application Security Center comes updated releases of HP DevInspect, HPQAInspect and HPWebInspect. In HP DevInspect 5.0, the company has added the ability to automatically correlate the results between the static and dynamic testing phases and to use that correlation to help prioritize the results. Previously, the results were presented separately.

HP QAInspect 5.0 integrates security defect management with HP Quality Center software. With defect staging and consolidation capabilities, application teams can filter, prioritize and assign defects based on risk to the business in order to help detect and address problems faster, HP officials said. Version 5.0 of HP WebInspect features faster runtimes and improved scanning accuracy for common security vulnerabilities such as cross-site scripting and SQL injection.

SPI Acquisition Bridges Web Security Gap

The latest security push comes roughly a year after HP acquired SPI Dynamics to bolster its position in application quality management. SPI Dynamics specialized in securing Web applications during the development process. Among the executives who came over after the acquisition is Billy Hoffman, who now heads the Web Security Research Group at HP Labs.

To Hoffman, the latest releases help bridge what he called a Web security gap that can plague enterprises during application development by providing common ground for developers and security pros.

"Your average developer, QA guy doesn't really know all the security issues that your security team has," Hoffman said. "With the DevInspect and QAInspect products, we kind of shifted the conversation, so we're not really talking about security vulnerabilities because at their heart security vulnerabilities are really software defects."

Gartner analyst Joseph Feiman said organizations need to be vigilant throughout the entire application lifecycle - from requirements definition to development, testing and ultimately through production - in order to ensure its applications are secure.

"While customer-facing applications may be the lifeblood of a business, if they are not secured, they can provide an open door for hackers to a company's most sensitive data," Feiman said in a statement.