Numerous security tools on the market today perform static analysis, penetration testing and security audits on application code that has already been written.
But what if you could stop vulnerabilities before they reach the code stage?
That’s where a new service from HP (NYSE: HPQ) dubbed Comprehensive Applications Threat Analysis (CATA) may be able to help out application developers. CATA is an effort to provide an early life-cycle security assessment service that could help to prevent security vulnerabilities in application development.
The service made its debut the same week that rival IBM (NYSE: IBM) announced its own new initiative to secure application development.
“We have certified security reviewers in this process and what the service provides is an assessment of the application development early on in the life cycle,” John Diamant, HP’s CATA service lead, told InternetNews.com. “So we come in and gather information about the system under review and provide an assessment of it.”
Diamant added that as part of the engagement HP performs a gap analysis to identify how an application under development should meet security requirements. HP will also perform an architectural threat analysis to ensure that the application is capable of implementing those requirements.
The new service can be complementary to HP’s other application-development security products, including the Application Security Center, though Diamant stressed that the early life-cycle component of CATA is key.
“This can be applied prior to any code actually being written,” Diamant said. “This can be applied at the time an application is being considered in order to identify the security requirement of a particular market. Then with architecture and design analysis — potentially before any code is written — [the application] can be analyzed for security resiliency.”
While CATA can also benefit later stages of development, Diamant noted implementing it earlier in the process can increase the ROI for enterprises.
“By applying CATA early, it is possible to minimize the introduction of vulnerabilities and thus completely eliminate the need to fix vulnerabilities that are avoided as a result,” he said.
HP does have some internal tools and templates that it will be using for CATA, though Diamant stressed having trained HP personnel is critical. He noted that the CATA approach is heavily dependent on the human expertise and skill of HP’s consultants.
Among the issues CATA is attempting to resolve is the fact that development teams aren’t always familiar with all the security and regulatory compliance requirements in place in a particular market vertical.
Additionally, some common vulnerabilities such as buffer overflows and SQL injections can be addressed as part of proper application planning.
“There is a wide variety of architectural resiliency analysis that we do that deals not just with a specific vulnerability, but also with modifying the architecture in such a way as to greatly reduce the probability that an arbitrary defect will become a security vulnerability,” Diamant said.
As an example, he explained that a buffer overflow may or may not become a security vulnerability depending on how the application is designed and where the buffer overflow occurs. Diamant added that CATA is able to identify the areas in an application design that are at the greatest risk, which can then be given additional focus and scrutiny to minimize or eliminate vulnerability impacts.
“We recognize that software development results in defects being present in code,” he said. “It’s not possible or practical for large complex applications to be totally bug-free. As a result our approach is not to expect to be able to find all defects, but rather to provide design guidance to ensure that the vast majority of defects don’t become vulnerabilities.”