HP Fortify Brings Real-Time Threat Analysis to Application Development

HP announced an application security analysis tool that can discover the root cause of software vulnerabilities by observing attacks in real time.

Hewlett-Packard expanded its security solutions with a new real-time analysis tool based on the company's Fortify acquisition.

The new HP Fortify Real-Time Hybrid Analysis allows organizations to discover the root cause of software vulnerabilities by observing attacks in real time, HP said April 12. With real-time analysis, organizations can proactively reduce business risk and minimize the time spent finding the vulnerability after an attack.

Security vulnerabilities, such as SQL-injection bugs, can be included at any time during application design, development, testing and maintenance, so it is important for organizations to be able to find and detect them as quickly as possible.

"HP Fortify brings together the correlation of static and dynamic analysis," Subbu Iyer, senior director of products, application lifecycle management at HP Software, told eWEEK.

The real-time product can observe an attack while it's in progress and identify what kind of attack it is. It then examines the application source code to identify which line contains the vulnerability and flags it so that developers can fix it.

HP Fortify Real-Time Hybrid Analysis can be used with the new HP Fortify 360 v3.0 and HP Application Security Center 9.0 for broader security coverage, Iyer said.

With HP Fortify 360 Server, organizations can assess existing code for threat vulnerabilities and compliance violations before a security attack. The information collected is then flagged and prioritized, so that development teams can work with the application owners to assess the risks of fixing the issues versus delaying the repair.

HP also announced new versions of its WebInspect vulnerability analysis and HP Assessment Management Platform applications. WebInspect 9.0 includes new macro recording and session-management features.

These tools can be used to automate application testing to ensure the security holes have been closed.

It allows the organization to take "informed risks," Iyer said. When there are a limited number of developers available, it is important to be able to see a prioritized list of vulnerabilities. With the HP Fortify platform, it is possible to prioritize based on business needs or even urgency, Iyer said. The analysis tools can determine whether a bug can wait a week before fixing or if it needs to be done in days.

The real-time analysis system can also take into account the existing deployment cycle to determine whether the detected vulnerability has already been fixed in a scheduled code update, Iyer said

A recent study of more than 150 organizations conducted by Aberdeen Group found that the average total cost to remediate a single application-security incident is approximately $300,000.

The real-time analysis platform is the first real integration of HP's security efforts with the assets gained from HP's Fortify acquisition in August 2010. HP and Fortify had been collaborating on security even before the acquisition.

The new HP Fortify releases are offered through multiple delivery models, including on-premise, on-demand software as a service and as managed services.

HP is planning on expanding real-time analysis for production-monitoring systems, Iyer said. These new security products are elements of the HP Security Intelligence and Risk Management Framework.