HP Adds Real-Time Threat Analysis For Developers

Hewlett-Packard expanded its security products with a new real-time analysis tool based on the company’s Fortify acquisition.

The new HP Fortify Real-Time Hybrid Analysis allows organisations to discover the root cause of software vulnerabilities by observing attacks in real time, HP said. With real-time analysis, organisations can proactively reduce business risk and minimise the time spent finding the vulnerability after an attack.

Attacks Can Be Monitored

Security vulnerabilities, such as SQL-injection bugs, can be included at any time during application design, development, testing and maintenance, so it is important for organisations to be able to find and detect them as quickly as possible.

“HP Fortify brings together the correlation of static and dynamic analysis,” Subbu Iyer, senior director of products, application lifecycle management at HP Software, told eWEEK.

The real-time product can observe an attack while it is in progress and identify what kind of attack it is. It then examines the application source code to identify which line contains the vulnerability and flags it so that developers can fix it.

HP Fortify Real-Time Hybrid Analysis can be used with the new HP Fortify 360 v3.0 and HP Application Security Center 9.0 for broader security coverage, Iyer said.

With HP Fortify 360 Server, organisations can assess existing code for threat vulnerabilities and compliance violations before a security attack. The information collected is then flagged and prioritised, so that development teams can work with the application owners to assess the risks of fixing the issues versus delaying the repair.

HP also announced new versions of its WebInspect vulnerability analysis and HP Assessment Management Platform applications. WebInspect 9.0 includes new macro recording and session-management features.

These tools can be used to automate application testing to ensure the security holes have been closed.

It allows the organisation to take “informed risks”, Iyer said. When there are a limited number of developers available, it is important to be able to see a prioritised list of vulnerabilities. With the HP Fortify platform, it is possible to prioritise based on business needs or even urgency, Iyer said. The analysis tools can determine whether a bug can wait a week before fixing or if it needs to be done in days.

The real-time analysis system can also take into account the existing deployment cycle to determine whether the detected vulnerability has already been fixed in a scheduled code update, Iyer said

A recent study of more than 150 organisations conducted by Aberdeen Group found that the average total cost to remediate a single application-security incident is approximately $300,000.

The real-time analysis platform is the first real integration of HP’s security efforts with the assets gained from HP’s Fortify acquisition in August 2010. HP and Fortify had been collaborating on security even before the acquisition.

The new HP Fortify releases are offered through multiple delivery models, including on-premise, on-demand software as a service and as managed services.

HP is planning on expanding real-time analysis for production-monitoring systems, Iyer said. These new security products are elements of the HP Security Intelligence and Risk Management Framework.