
HP aims at IBM with application vulnerability scanning as service

HP offers application scanning as a service to meet IBM's Watchfire AppScan OnDemand software. Interest is being driven by the growing use of Web applications.

The application vulnerability assessment market was just starting to hit its stride, when HP and IBM shook things up last summer, acquiring leading vendors SPI Dynamics and Watchfire in rapid succession, leaving Cenzic as the largest remaining independent player.


Developments in these technologies attract intensified interest, given the proliferation of Web applications and growing concern over automated attacks, coupled with strong compliance pressure, largely from PCI-DSS.

So, it's no surprise that HP announced its first major upgrade to the former SPI product line and included a software-as-a-service (SaaS) component of its HP Assessment Management Platform. IBM/Watchfire already offers its flagship product as a service, AppScan Enterprise Edition OnDemand.

The other significant application scanning SaaS player, WhiteHat Security, offers a very different model. HP and IBM's offerings are designed to leave application security primarily in the hands of the customer, complementing the customer's internal software development lifecycle processes with the vendors' consulting and professional services expertise to help customers deploy and get the most out of their investment. WhiteHat is a pure-play scanning service, conducting daily automated scans supported by human review.

"HP and IBM will be working with companies that already have solid internal expertise on solving application security issues and outsource some scanning tasks," said Chenxi Wang, principal analyst at Cambridge, Mass.-based Forrester Research Inc. "Internally, they are holding on to some of the resolution part. HP and IBM come in and do professional services to help solve problems."

Vulnerability scanning market:

Will HP do the right thing with SPI Dynamics?: Analysts say HP can dramatically boost its security with the purchase of SPI Dynamics, but some users worry about SPI's technology wilting under the new ownership.

Watchfire will help IBM build application security: Analysts have been pushing the Security 3.0 concept this week at Gartner's IT Security Summit, and one analyst says IBM's acquisition of Watchfire illustrates the trend.

IBM's Watchfire halts network research, focuses on Web apps: Watchfire is halting its network and host-based research to focus solely on Web application security as part of its integration into IBM.

Wang said the HP and IBM models could scale better than WhiteHat's, whose human review element improves accuracy and reduces false positives but, she said, is not as well suited to dealing with thousands of applications daily. IBM and, to a lesser extent, HP have the huge consulting resources to meet that kind of demand.

In addition to the service, which will be available in August, HP announced enhancements to its three major product components: WebInspect, its core application security scanning tool, and DevInspect and QAInspect, which uncover security flaws within the developer and quality assurance environments respectively.

DevInspect 5.0 features "hybrid analysis": it takes the results of static scans and feeds them into successive dynamic scanning, which helps pinpoint major flaws more accurately and improves the tool's efficiency. QAInspect 5.0 integrates with HP Quality Center software, a platform that helps prioritize and manage remediation through the software development lifecycle.
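To make the "hybrid analysis" idea concrete, here is an added example of the two steps it implies: turning static findings into a prioritized target list for the dynamic scanner, and then correlating the two result sets so that a developer sees statically suspected flaws that the runtime scan actually confirmed ranked above those that remain unconfirmed. This is illustrative code written for this article, not HP DevInspect's implementation; the finding fields, severity values and all sample findings are constructed assumptions.

```python
"""Hybrid analysis triage: static findings steer the dynamic scan, and the two
result sets are correlated afterwards.  Added illustration, not DevInspect code.
Every finding below is constructed sample data."""
from collections import namedtuple

# Assumed record shapes (not a real scanner's schema).
StaticFinding = namedtuple("StaticFinding", "category route param file line severity")
DynamicFinding = namedtuple("DynamicFinding", "category route param evidence")

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed static-analysis output: source-to-sink paths the code scanner
# suspects, tagged with the HTTP route and parameter that reach the sink.
STATIC = [
    StaticFinding("sql-injection", "/account", "user_id", "account.py", 42, "high"),
    StaticFinding("xss", "/search", "q", "search.py", 17, "medium"),
    StaticFinding("xss", "/search", "q", "search.py", 23, "medium"),  # second path, same input
    StaticFinding("sql-injection", "/report", "month", "report.py", 88, "high"),
]

# Constructed dynamic-scan output: what the runtime scanner actually observed.
DYNAMIC = [
    DynamicFinding("sql-injection", "/account", "user_id", "database error in response"),
    DynamicFinding("xss", "/profile", "nickname", "reflected marker in HTML body"),
]


def build_dynamic_targets(static):
    """Step 1: feed static results into the dynamic scan.

    Collapse duplicate (route, param, category) entries and order them by the
    worst static severity, so the dynamic scanner checks the statically
    suspicious inputs first instead of crawling every parameter blindly."""
    best_rank = {}
    for f in static:
        key = (f.route, f.param, f.category)
        rank = SEVERITY_RANK[f.severity]
        if key not in best_rank or rank < best_rank[key]:
            best_rank[key] = rank
    return [key for key, _ in sorted(best_rank.items(), key=lambda kv: (kv[1], kv[0]))]


def correlate(static, dynamic):
    """Step 2: join both result sets on (route, param, category).

    confirmed    - static suspicion backed by runtime evidence (fix first)
    unconfirmed  - static only; may be a false positive or unreachable path
    runtime_only - dynamic only; the static scan never saw the source location"""
    dyn = {(d.route, d.param, d.category): d for d in dynamic}
    stat = {}
    for f in static:
        stat.setdefault((f.route, f.param, f.category), []).append(f)

    confirmed, unconfirmed, runtime_only = [], [], []
    for key, group in stat.items():
        entry = {"key": key, "locations": [(f.file, f.line) for f in group]}
        if key in dyn:
            entry["evidence"] = dyn[key].evidence
            confirmed.append(entry)
        else:
            unconfirmed.append(entry)
    for key, d in dyn.items():
        if key not in stat:
            runtime_only.append({"key": key, "evidence": d.evidence})
    return {"confirmed": confirmed, "unconfirmed": unconfirmed, "runtime_only": runtime_only}


if __name__ == "__main__":
    print("dynamic scan order:")
    for route, param, category in build_dynamic_targets(STATIC):
        print(f"  {route} [{param}] for {category}")
    report = correlate(STATIC, DYNAMIC)
    for bucket in ("confirmed", "unconfirmed", "runtime_only"):
        print(f"{bucket}:")
        for entry in report[bucket]:
            print(f"  {entry}")
```

The correlation key is deliberately coarse (route, parameter, category): a static tool reasons about files and lines, a dynamic tool about URLs and inputs, and the join only works if the static scanner records which HTTP input reaches each sink. Findings that land in `unconfirmed` are where the human review mentioned elsewhere in the article still earns its keep.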

HP said one of its strengths is presenting security defects in a way developers and QA personnel can grasp intuitively.

"When we said these are just software defects, that we're essentially building tools to help you find automatically security software defects, we really got a lot of buy-in," said Mark Sarbiewski, HP senior director of product marketing. "It's tailored to make it very comfortable for developers and QA professionals to handle security defects."

WebInspect 7.7 features faster runtime and improved accuracy for detecting major flaws, especially cross-site scripting and SQL injection vulnerabilities, HP said.

There are also improvements in the Web Security Research Group, which, HP said, has additional resources and intensified focus on plug-in technologies and security issues in Web 2.0 technologies, such as Asynchronous JavaScript and XML (AJAX), Adobe Flash and Microsoft Silverlight.

One question to watch: With two industry giants in this market, will customers be drawn to the company they favor, or focus on the product capabilities on their own merit? Forrester's Wang thinks it depends on the customer.

"If they are existing customers for their software lifecycle products such as Mercury or Rational, it probably makes sense to look at their security products," she said. "But, independent evaluators of products tend to be a little less concerned about buying into the HP product portfolio or IBM product portfolio, partially because these are market-leading products, and customers are looking for best of breed technologies."
