HP New Service Squashes Vulnerabilities In Development

HP has introduced Comprehensive Applications Threat Analysis (CATA), a new service to help software developers address security risks as early as possible in the development process. CATA services adds HP security experts to development teams in order to identify potential security vulnerabilities when the software is being designed, when the code is written and when the is application tested.

According the the U.S. National Vulnerability Database, about 40,000 software vulnerabilities have been identified, says John Diamant, Secure Product development strategist and Comprehensive Applications Threat Analysis service lead, but HP estimates that there are 20 times as many vulnerabilities built into software that haven't yet been identified, let alone having them fixed. Also, even when a patch is identified and a patch created, there's gap between when the patch is released and IT managers apply it to their software.

"We're about designing and building in security very early on in application development so that there are fewer vulnerabilities that are released with an application and, therefore, that window doesn't exist for any vulnerability that we're able to avoid during development," said Diamant. HP's threat analysis starts early on when a development team is determining the system requirements -- that is, what they want the software to do -- and the architectural design of the application, he adds. The Applications Threat Analysis service was recently used by the state of Oregon. "During the security assessment, the HP team identified risks and proposed solutions to mitigate current and future vulnerabilities," said Wallace Rodgers, program manager of the state's e-government service.

The HP service mirrors the efforts of Microsoft's Security Development Lifecycle (SDL) initiative to also have security experts working alongside developers who are designing the applications features and functionality. However, Diamant argues HP's involvement comes earlier in the development life cycle than does Microsoft's. HP touts the credentials of its security consultants as very knowledgeable about identifying vulnerabilities in software.

Some developers may develop a false sense of security if they identify a few vulnerabilities during the development process,, because there are likely many more that they missed, Diamant said, adding that HP can demonstrate a return-on-investment from the service by showing how vulnerabilities have been weeded out before the software is released. "We reduce the cost by minimizing reworking, by catching and avoiding the vulnerabilities that would end up showing up later in the life cycle."