HP aims at IBM with application vulnerability scanning as service

By Neil Roiter, Senior Technology Editor, Information Security magazine
29 May 2008 | SearchSecurity.com


The application vulnerability assessment market was just starting to hit its stride when HP and IBM shook things up last summer, acquiring leading vendors SPI Dynamics and Watchfire in rapid succession and leaving Cenzic as the largest remaining independent player.


Developments in these technologies attract intensified interest, given the proliferation of Web applications and growing concern over automated attacks, coupled with strong compliance pressure, largely from PCI DSS.

So it's no surprise that HP has announced its first major upgrade to the former SPI product line, including a software-as-a-service (SaaS) component of its HP Assessment Management Platform. IBM/Watchfire already offers its flagship product as a service, AppScan Enterprise Edition OnDemand.

The other significant application scanning SaaS player, WhiteHat Security, offers a very different model. HP and IBM's offerings are designed to leave application security primarily in the hands of the customer, complementing the customer's internal software development lifecycle processes with the vendors' consulting and professional services expertise to help customers deploy and get the most out of their investment. WhiteHat is a pure-play scanning service, conducting daily automated scans supported by human review.

"HP and IBM will be working with companies that already have solid internal expertise on solving application security issues and outsource some scanning tasks," said Chenxi Wang, principal analyst at Cambridge, Mass.-based Forrester Research Inc. "Internally, they are holding on to some of the resolution part. HP and IBM come in and do professional services to help solve problems."

Wang said the HP and IBM models could scale better than WhiteHat's. WhiteHat's human review element improves accuracy and reduces false positives, but, she said, it is not as well suited to dealing with thousands of applications daily. IBM and, to a lesser extent, HP have the huge consulting resources to meet that kind of demand.

In addition to the service, which will be available in August, HP announced enhancements to its three major product components: WebInspect, its core application security scanning tool, and DevInspect and QAInspect, which uncover security flaws within the developer and quality assurance environments respectively.

DevInspect 5.0 features "hybrid analysis." That is, it takes the results of static scans and feeds them into successive dynamic scanning, which helps pinpoint major flaws more accurately and improves the tool's efficiency: the static pass tells the dynamic scanner where in the application untrusted input reaches a dangerous operation, so probes can be aimed at those points instead of at every parameter. QAInspect 5.0 integrates with HP Quality Center software, a platform that helps prioritize and manage remediation through the software development lifecycle.

HP said one of its strengths is presenting security defects in a way developers and QA personnel can grasp intuitively.

"When we said these are just software defects, that we're essentially building tools to help you find automatically security software defects, we really got a lot of buy-in," said Mark Sarbiewski, HP senior director of product marketing. "It's tailored to make it very comfortable for developers and QA professionals to handle security defects."

WebInspect 7.7 features faster runtime and improved accuracy for detecting major flaws, especially cross-site scripting and SQL injection vulnerabilities, HP said.
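The following Python example is added here to illustrate two ideas from the passages above: DevInspect's "hybrid analysis" (static findings steering dynamic scanning) and the dynamic detection of SQL injection and cross-site scripting that WebInspect performs. It is not HP code and does not describe how either product actually implements these steps. The handler source, the `request.args` and `cur` names in it, the simulated in-memory application, and the probe payloads are all constructed for the example. The static pass is deliberately tiny (regex-based taint tracking within one function) so that the hand-off to the dynamic pass, and the request savings it buys, are easy to follow.

```python
import html
import re
import sqlite3

# Constructed handler source standing in for a code base under review.
# The request/cur names are assumptions made for this example.
HANDLER_SOURCE = '''
def search(request):
    term = request.args["q"]
    page = int(request.args["page"])
    cur.execute("SELECT name FROM items WHERE name = '" + term + "'")
    return "<h1>Results for " + term + "</h1>"

def profile(request):
    uid = request.args["uid"]
    cur.execute("SELECT name FROM users WHERE id = ?", (uid,))
    return "<p>" + html.escape(request.args["bio"]) + "</p>"
'''

ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(?:(\w+)\()?request\.args\["(\w+)"\]')
DIRECT = re.compile(r'\+\s*(?:(?:\w+\.)?(\w+)\()?request\.args\["(\w+)"\]')
SANITIZERS = {"int", "escape"}  # wrappers that neutralise taint for our two sinks


def static_taint(source):
    """Static pass: per function, which request parameters flow unsanitised
    into a SQL string concatenation ("sqli") or returned HTML ("xss")?"""
    findings, func, tainted = [], None, {}
    for line in source.splitlines():
        m = re.match(r'^def (\w+)\(', line)
        if m:
            func, tainted = m.group(1), {}   # new function, fresh taint map
            continue
        m = ASSIGN.match(line)
        if m:
            var, wrapper, param = m.groups()
            if wrapper not in SANITIZERS:     # int(...) is treated as a sanitizer
                tainted[var] = param
            continue
        # Tainted locals or unescaped direct request.args uses in a '+' concat.
        sources = {tainted[v] for v in re.findall(r'\+\s*(\w+)\b', line) if v in tainted}
        sources |= {p for w, p in DIRECT.findall(line) if w not in SANITIZERS}
        if not sources:
            continue
        kind = "sqli" if ".execute(" in line else "xss" if line.strip().startswith("return") else None
        findings.extend((func, p, kind) for p in sorted(sources) if kind)
    return findings


class SimApp:
    """In-memory stand-in for the deployed app; behaves like HANDLER_SOURCE."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE items (name TEXT)")
        self.db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
        self.db.execute("INSERT INTO items VALUES ('widget')")
        self.requests = 0

    def search(self, args):
        self.requests += 1
        if not args.get("page", "1").isdigit():
            return "400 bad page"
        term = args.get("q", "")
        try:  # vulnerable: string concatenation into SQL
            self.db.execute("SELECT name FROM items WHERE name = '" + term + "'").fetchall()
        except sqlite3.Error as e:
            return "500 Database error: " + str(e)
        return "<h1>Results for " + term + "</h1>"   # vulnerable: unescaped reflection

    def profile(self, args):
        self.requests += 1
        self.db.execute("SELECT name FROM users WHERE id = ?", (args.get("uid", "0"),)).fetchall()
        return "<p>" + html.escape(args.get("bio", "")) + "</p>"


# Dynamic probes: payload plus the response check that confirms the flaw.
PROBES = {
    "sqli": ("'", lambda body: "Database error" in body),       # error-based SQLi check
    "xss": ("<xss_probe>", lambda body: "<xss_probe>" in body),  # unescaped reflection
}
ALL_PARAMS = {"search": ["q", "page"], "profile": ["uid", "bio"]}  # what a crawler would find


def dynamic_scan(app, targets):
    """Send each probe to its (endpoint, param, kind) target; return confirmed issues."""
    confirmed = []
    for endpoint, param, kind in targets:
        payload, detect = PROBES[kind]
        if detect(getattr(app, endpoint)({param: payload})):
            confirmed.append((endpoint, param, kind))
    return confirmed


def hybrid_scan(source, app):
    """Static findings decide which dynamic probes are worth sending."""
    return dynamic_scan(app, static_taint(source))


def blind_scan(app):
    """Every probe against every parameter, with no static guidance."""
    targets = [(ep, p, k) for ep, ps in ALL_PARAMS.items() for p in ps for k in PROBES]
    return dynamic_scan(app, targets)


if __name__ == "__main__":
    app = SimApp()
    print("hybrid:", hybrid_scan(HANDLER_SOURCE, app), "requests:", app.requests)
    app = SimApp()
    print("blind: ", blind_scan(app), "requests:", app.requests)
```

Both scans confirm the same two flaws in `search`'s `q` parameter, but the hybrid run sends two requests where the blind run sends eight, because the static pass already ruled out `page` (cast to int), `uid` (parameterized query) and `bio` (escaped). Against a real application the static pass also tells the tester which source line each confirmed finding maps to, which is the developer-facing framing the article attributes to HP's tooling.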

HP also said its Web Security Research Group has been given additional resources and an intensified focus on plug-in technologies and on security issues in Web 2.0 technologies such as Asynchronous JavaScript and XML (AJAX), Adobe Flash and Microsoft Silverlight.

One question to watch: With two industry giants in this market, will customers be drawn to the company they favor, or focus on the product capabilities on their own merit? Forrester's Wang thinks it depends on the customer.

"If they are existing customers for their software lifecycle products such as Mercury or Rational, it probably makes sense to look at their security products," she said. "But, independent evaluators of products tend to be a little less concerned about buying into the HP product portfolio or IBM product portfolio, partially because these are market-leading products, and customers are looking for best of breed technologies."
