Hewlett-Packard wants to change the way IT organizations go about building applications. We all know that too often security is an afterthought when it comes to building applications. That invariably leads to huge amounts of costs when a security vulnerability is eventually discovered.
HP today rolled out a Comprehensive Applications Threat Analysis service in which HP security personnel come to the customer's site to evaluate, and recommend changes to, the way applications are developed.
According to Chris Whitener, chief security strategist for HP, the company has been using this security methodology for the last six years to secure its products. And Whitener concedes there has been some resistance to changing the way developers work, particularly as it relates to security issues. But Whitener says the effort has more than paid for itself with dramatic improvements in the security of HP applications.
The challenge for most IT organizations these days is that any number of services and consulting firms are pushing application security methodologies. It's hard to distinguish which methodology is inherently better than another, but Whitener says the HP approach has already been proven to stand the test of time within HP.
Application vulnerabilities are not only costly to fix; they are now the primary focus of hackers looking to steal valuable data, rather than merely breaking into systems to show off their hacking skills. As such, companies are increasingly going to be held accountable for the security of their applications.
For example, when there was a rise in bank robberies in New York City recently, the police commissioner chided the banks for building retail outlets with lax security precautions. It won't be long before government officials start taking the same tone with application developers.
And while there's no such thing as a perfectly secure application, a big part of the HP methodology is to teach developers how to build applications in a way that minimizes the effects of a breach while also reducing the cost of fixing a vulnerability, says Whitener. As part of the effort, developers need to assess not only their own work, but also the security resiliency of the underlying components they rely on from vendors, and of any reused code that was developed by someone else.
HP estimates that there are somewhere in the neighborhood of 800,000 known and unknown vulnerabilities in software today, so it's only a matter of time before a developer runs into one of them. Whitener says HP can help customers avoid most of them, but the real test comes when it is time to figure out how easy it is to fix one of those vulnerabilities once it is finally encountered.