HP announced the first major updates to its HP Application Security Center offering since its purchase last year
of application security specialist SPI Dynamics. Now, the former SPI Dynamics' QAInspect offers advanced security defect management integration with HP's Quality Center software, which HP has been selling since its blockbuster $4.5 billion acquisition of Mercury Interactive in 2006.
HP cites Vanson Bourne research that indicates that less than 27% of IT professionals say that their development or quality assurance teams share in responsibility for application security. Taken as a whole, the enhancements to HP's tool suite are designed to make best security practices an integral part of an organization's application lifecycle processes. That means including QA and development team members, along with security and operations team members, in the quest to stop security breaches.
Along with the updates, HP announced a hosted Software as a Service (SaaS) version of HP Application Security Center.
Desktop security has long been offered as a service. Can application development security at the enterprise server level be handled as SaaS, too? Yes, says Joseph Feiman, senior analyst and vice president at Gartner.
"Offering security as a service is very important. There is a growing need for companies to rely on third parties for application security. That is a growing trend," he said. "With the announcement of the SPI Dynamics purchase, HP/Mercury confirmed it was becoming an application security company. They confirmed it again this year by integrating [SPI Dynamics products] into their infrastructure."
Additonally, with this release HP DevInspect provides a hybrid mode, combining static and dynamic analysis tools in an integrated development environment. Support is now offered for developers who want to work in Eclipse, Visual Studio 2005, or Visual Studio 2008. The new HP QAInspect integration provides defect staging that allows teams to filter, prioritize, and assign defects for fixes.
SPI Dynamics had integrations with Mercury software suites in place prior to HP's purchases of the two companies. Clearly, tighter integration is in store now that SPI and Mercury are both part of HP. An example is the new HP QAInspect integration.
"We wanted to improve the process from the QA professional's point of view. So we addressed the workflow issues," said Eric Peterson, director of products for HP's Application Security Center group.
Peterson indicated security vulnerability testing workflow has more nuance than functional testing, which he described basically as "binary."
"My challenge as a QA pro is how to prioritize, route, and manage [those flaws]," he said. Prioritization is especially important because the potential vulnerability does not represent a "go/no-go" phenomenon, as is more often the case with other classes of bugs.
The third component of the suite's upgrade is improvements to HP WebInspect. It now has improved scanning accuracy for tracking cross-site scripting and SQL injection flaws, as well as improved abilities for inspecting Ajax applications.
Billy Hoffman, who heads HP's Web Security Research Group, said the software supports a process that deals with security vulnerabilities as merely another class of software defects. He said this is a promising method that works well with developers' established programming procedures.
"Developers have to understand that vulnerabilities are software defects. We change the conversation so that vulnerabilities are just another class of defect," said Hoffman. "We give them the tools to automate testing for these defects."
When vulnerability bugs are handled within a familiar defect-tracing system, Hoffman indicated, some of the burdensome mystery is taken out of the process of secure application development.