Application Quality Finally Gets Tied to Security

Michael Vizard

With the acquisition of Fortify Software by Hewlett-Packard this week, it's clear that the major vendors are beginning to zero in on application security.

As attacks across the security landscape shift toward applications and away from operating systems and the network perimeter, responsibility for security is increasingly shifting toward developers.

Although Fortify has been a long-time partner of HP, Subbu Iyer, senior director of products for HP Software, said HP felt that the need to bring security and application development teams closer together created a requirement to bring Fortify's products inside the HP portfolio.

The challenge, said Iyer, is that even when security teams identify issues, there's no easy process by which those problems can be identified and remediated within the application quality control process.

As companies such as HP and IBM work to solve this issue, however, they are likely to find that relative upstarts such as Coverity and CAST Software are already addressing it from the perspective of quality control. Coverity, which recently partnered with Armorize Technologies, is capturing application security data and identifying the issues it reveals as defects during the application development process. CAST Software, meanwhile, includes security issues as part of its tools for analyzing ERP applications.

The end result is that a lot more security issues begin to be addressed during the development process, rather than after the fact.

Unfortunately, it may take a while before IT organizations can alter their processes to take into account new approaches to application security. But as IT organizations address application security issues within the context of the application development process, major improvements to application security and quality are finally in the offing.

Aug 20, 2010 2:08 PM Lev Lesokhin says:

Mike, good post. I'm writing you from CAST and I appreciate the mention. Certainly yesterday's acquisition by Intel further underscores your point. The technology suppliers are starting to see an opportunity in integrating security concerns and awareness into the regular way of doing things - whether it's SDLC or putting chips into devices. At CAST, we've taken an integrated view of security as well, by looking at it as part of a broader structural quality problem. We look at ERP, as you correctly mention, and most major techno's you'll find in IT (Java EE, .NET, Cobol, etc.). Most developers will tell you that many software security problems are similar to those that cause general stability issues as well. Most IT managers view uptime, performance and security as non-functional risk they need to manage. HP's acquisition makes a lot of sense in the context of their overall leadership in software testing and an apparent desire to move upstream in the SDLC.

Lev Lesokhin, VP Worldwide Marketing
