HP Security App Takes Life Cycle Approach
Seven months after ending a two-way lawsuit over patents with competitor Cenzic, Hewlett-Packard has unveiled the latest release of its Application Security Center.
This new version ensures applications are tested for security throughout the development process, from requirements all the way through production, rather than after the application has already been created, an approach that cuts development costs and enhances security.
HP will offer the product in Software as a Service, or SaaS, form.
"The life cycle approach seems obvious in retrospect; you can't add security at the end," Billy Hoffman, manager of the HP Web security research group, told InternetNews.com.
Traditionally, developers have "always viewed security vulnerabilities as something the IT staff takes care of" because, previously, security problems were at the infrastructure level, which IT maintained. Now that the infrastructure has become relatively secure, hackers are directly attacking the application, Hoffman said.
The situation has been exacerbated by the increasingly complex and rich applications offered, "with the explosion in the past year or two of AJAX applications and Rich Internet Applications (RIAs), and the trend among businesses to put more and more functionality out there for the user," Erik Peterson, HP's senior director of products for Application Security Center, told InternetNews.com.
Securing applications is not about user rights and control and identity management; it's about finding unintended functionality in the applications, Peterson said.