A step behind IBM, HP this week unveiled a service aimed at helping reduce application vulnerabilities during the development cycle, ideally saving companies the costs and headaches associated with fixing holes once apps have gone live.
Dubbed HP Comprehensive Applications Threat Analysis (CATA), the service provides companies with architectural and design guidance, as well as recommended security goals and best practices. The announcement comes days after IBM unveiled a similar service called Application Source Code Security Assessment, through which Big Blue consultants test applications, identify security and compliance risks, and provide detailed recommendations to address any problems.
Application security has become increasingly important of late as more companies expose their data and applications through environments such as SOA and cloud computing. Deploying vulnerable applications can also put organizations at costly regulatory risk. Both IBM and HP are making the case that companies need to identify potential issues with their applications early on, during the development phase, rather than facing the hefty costs associated with fixing problems after apps have already been deployed.
According to HP, security vulnerability costs include rework (up to 100 times the development costs or more), noncompliance penalties (up to $3.5 million per incident for PCI-DSS), planned and unplanned downtime due to security patching and incidents ($1 million per hour, on average), and breach disclosure costs ($6.7 million per breach).
HP's CATA service includes two key components. Through the Security Requirements Gap Analysis, the company provides clients with advice and tools for fixing and avoiding security issues. "This capability closely examines applications to identify often-missed technical security requirements imposed by relevant laws, regulations or practices," according to HP's announcement.