Thursday, June 10, 2010

HP service aims to lower cost and risk by tackling vulnerabilities early in 'devops' cycle

Security breaches and the cost of repairing and patching enterprise applications hang like a cloud over every company doing business today. HP is taking direct aim at that problem today with release of a security service that aims to prevent vulnerabilities and to bake security and reliability in at the earliest stages of application design and architecture.

Part of HP's Secure Advantage, the Comprehensive Applications Threat Analysis (CATA) service provides architectural and design guidance alongside recommendations for security controls and best practices. By addressing and eliminating application vulnerabilities as early in the lifecycle as possible, companies stand to gain incredible returns on investment (ROI) and drastically lower total cost of ownership (TCO) across the "devOps" process, according to HP. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

"Customers are under increasing pressure from threats that exploit security weaknesses that were either missed or insufficiently addressed during the early lifecycle phases," said Chris Whitener, chief security strategist of Secure Advantage. Whitener added that he believes HP is the first company to come to market with such a service.

HP has been using this service internally for more than six years and, according to Whitener, has seen a return of 5 to 20 times the cost of implementation. And this, he says, is just on things that can be measured. The service has freed up a lot of schedule time formerly spent in finding and fixing application vulnerabilities.

Two problems

Many other risk-analysis programs come later in the development process, meaning that developers often miss vulnerabilities at the earliest stages of design. That brings up two problems, according to John Diamant, HP's Secure Product Development strategist: the risks associated with the vulnerabilities and the cost of patching the software.

"By addressing these vulnerabilities early in the process," Diamant said, "we're able to reduce the risk and eliminate the cost of repair."

The new service offers two main thrusts for increased security:
  • A gap analysis to examine applications and identify often-missed technical security requirements imposed by laws, regulations, or best practices.
  • An architectural threat analysis, which identifies changes in application architecture to reduce the risk of latent security defects. This also eliminates or lowers costs from security scans, penetration tests, and other vulnerability investigations.

While lowering development costs, using a security service early in the lifecycle can also lower the threat of security breaches, which can cost in the millions of dollars in fines and penalties, as well as the fallout in a loss of customer confidence.

Security and proper applications development, of course, come into particular focus when cloud computing models and virtualization are employed, and where an application is expected to scale dramatically and dynamically.

Although HP plans to develop a training program sometime in the future, right now, this is offered as a service using HP personnel who have been schooled in the processes and who have been using it inside HP for years. For more information, go to http://h10134.www1.hp.com/services/applications-security-analysis/.
