HP takes on Microsoft on application security

New threat analysis service stops bugs during software development

At the RSA Conference 2010 in San Francisco in March, Microsoft drew a crowd to a breakout session on its Security Development Lifecycle (SDL), an initiative to build software applications with security in mind from day one. Meanwhile, HP's John Diamant was speaking at the same conference about what he thinks might be an even better approach.

HP today announced the availability of its new Comprehensive Applications Threat Analysis service, in which HP security experts guide developers through the application creation process so that vulnerabilities are not built into the software in the first place.

"What we're doing is we're moving earlier into the lifecycle with a focus on architecture and design and requirements analysis specifically for security," said Diamant, HP's secure product development strategist and comprehensive applications threat analysis service lead, in an interview.

From the way he described HP's threat analysis service, it sounded to me a lot like what Microsoft describes as SDL. Diamant says that while HP and Microsoft share the goal of giving security a seat at the software development table alongside functionality and features, HP starts even earlier in the process than Microsoft does.

"We have an emphasis on the first two phases, the requirements analysis and architectural threat analysis, while combining it with later in the lifecycle ... whereas the Microsoft model tends to be primarily in the mid-to-late lifecycle. It includes some architectural analysis but it tends to have its center of gravity later in the lifecycle," Diamant says. HP also offers what he calls an "ROI-centered approach" that demonstrates how preventing bugs from being built into the software saves companies the cost of creating and deploying patches or suffering losses because of damage caused by a bug.

HP is also touting the security expertise of its service team. Diamant, for instance, is a Certified Secure Software Lifecycle Professional (CSSLP), a vendor-neutral certification for spotting potential vulnerabilities during software development. Developers with some security expertise may gain a false sense that they are doing things right if they discover and head off a few vulnerabilities during development, because there will always be more that they have not found.

"Doing security assessment yourself is a little bit like a do-it-yourself surgery kit," he says.

But a review of Microsoft's SDL initiative shows Microsoft is thinking along the same lines as HP. "The best opportunity to influence the security design of a product is early in the product lifecycle," wrote Michael Howard, Microsoft's senior security program manager, in a blog post. Howard goes on to describe how SDL addresses security concerns through "threat modeling"; in the development phase, through code review and testing; and through documentation and a final security review before release.

Howard touts SDL as a success, because, "We have seen the number of security defects reduced by approximately 50 to 60 percent when we follow SDL." Good, but that still leaves 40 to 50 percent of those defects in the shipped software.

In the end it may not be that Microsoft's or HP's approach to a security development lifecycle is any better or worse, but that security-focused development is still an emerging discipline. A survey by Errata Security released in late March showed some industry awareness of Microsoft SDL and other security development lifecycle offerings, but little actual implementation of the practices. When asked which methodology is being implemented in their organization, more than 18 percent responded "none" and just under 13 percent answered "ad hoc," meaning they make it up as they go along. Errata said the objections to implementing security development lifecycle practices were that it is too time-consuming (about 11 percent), lack of awareness (9 percent), that it requires too many resources (less than 8 percent) or that it is too expensive (less than 3 percent).

In other words, there's a wide open market for HP, Microsoft and others to market SDL practices to developers. Diamant hopes HP can step in once customers realize what they should be doing but find themselves in over their head.

"Once people realize that it's important to do something about it, there simply isn't enough pervasive security expertise embedded within development teams to get this right," he says.


Copyright © 2010 IDG Communications, Inc.