HP Offers New Security Service For Application Development
“We take a proactive approach, building security in from the very beginning. We’re starting at the beginning of an application life cycle, rather than in the midst of it,” said John Diamant, HP’s Secure Product Development Strategist.
The HP Comprehensive Applications Threat Analysis service was made available worldwide on Thursday. HP, headquartered in Palo Alto, Calif., has been doing proactive, early life cycle security analysis for its own in-house application development cycles for several years, Diamant said, and recently decided to make the service available to organizations engaged in similar processes.
“You can’t eliminate bugs. All complex systems are going to have some defect. So our approach is to provide architectures and design that reduce the probability of a defect becoming a vulnerability,” he said.
Diamant said that tackling security issues early in the development cycle can significantly reduce costs associated with finding and fixing latent vulnerabilities either late in the development cycle, or worse, after release of an application.
“We’re able to greatly reduce the probability and severity of these vulnerabilities. People are investing lots of money today in late life-cycle assurance. We can make major inroads into that cost center,” he said.
The HP Comprehensive Applications Threat Analysis service includes two pillars. The first is Security Requirements Gap Analysis, which focuses on identifying legally mandated technical security requirements.
The second pillar of the service is Architectural Threat Analysis, which looks for changes in application architecture and seeks to cut client rework costs associated with vulnerability-finding activities like security scans and penetration tests, according to HP.
Diamant said the service wasn’t tailored for any particular vertical, but rather for a broad range of industries and organizations developing applications or systems to be reviewed for potential security risks.
“Latent vulnerabilities affect IT development across both the public and private sectors, and all the different vertical industries from health care to manufacturing,” he said.
One early Comprehensive Applications Threat Analysis customer, the E-Government division of the State of Oregon, said HP provided the service “efficiently” and delivered “reliable security advice.”
“We implemented the HP-proposed solutions and are extremely pleased with the security quality assessment as well as recommendations,” said Wallace B. Rodgers, E-Government program manager for Oregon.