Thinking Outside the Application Security Box

Michael Vizard

Hewlett-Packard wants to change the way IT organizations go about building applications. We all know that too often security is an afterthought when it comes to building applications. That invariably leads to huge amounts of costs when a security vulnerability is eventually discovered.

HP today rolled out a Comprehensive Applications Threat Analysis service that includes HP security personnel coming to the customer's site to evaluate and make recommendations to changes in the way applications are developed.

According to Chris Whitener, chief security strategist for HP, the company has been using this security methodology for the last six years to secure its products. And Whitener concedes there has been some resistance to changing the way developers work, particularly as it relates to security issues. But Whitener says the effort has more than paid for itself with dramatic improvements in the security of HP applications.

The challenge for most IT organizations these days is that any number of services and consulting firms are pushing application security methodologies. It's hard to distinguish which methodology is inherently better than another, but Whitener says the HP approach has already been proven to stand the test of time within HP.

Application vulnerabilities are not only costly to fix, they are now the primary focus of hackers looking to steal valuable data, rather than merely breaking into systems to show off their hacking skills. As such, companies are increasingly going to be held accountable for the security of their applications.

For example, when there was a rise in bank robberies in New York City recently, the police commissioner chided the banks for building retail outlets with lax security precautions. It won't be long before government officials start taking the same tone with application developers.

And while there's no such thing as a perfectly secure application, a big part of the HP methodology is to teach developers how to build applications in a way that minimizes the effects of a breach while also reducing the cost of fixing a vulnerability, says Whitener. As part of the effort, developers not only need to assess their own work, but also the security resiliency of the underlying components they rely on from vendors, or code they are reusing that was developed by someone else.

HP estimates that there are somewhere in the neighborhood of 800,000 known and unknown vulnerabilities in software today, so it's only a matter of time before a developer runs into one of them. Whitener says HP can help customers avoid most of them, but the real test comes when it is time to figure out how easy it is to fix one of those vulnerabilities once it is finally encountered.

Jun 23, 2010 12:30 PM Rob Lewis says:

Hi Mike,

I think that the SDL approach is getting missing thinking into the box web app security. It makes a lot of sense. Your last sentence is slightly unclear, and I assume it to mean that it is much more economical to fix in the development stage than post release. THAT issue is the real test: what to do with all (millions) of the high risk Web app vulnerabilities that are already out there.

For an enterprise it could take man years of work and millions of dollars to remediate a high risk vulnerability in an application that might have 20 more critical apps layered on top of it, and they might be too critical to shut down.

That requires a real thinking out of the box solution and we are about to launch one. See:

