Can HP's 'Security-as-a-Service' Product Change How Agencies Secure Apps?

HP bills its latest security software offering to government customers as the first cloud-based “security software-as-a-service” solution to meet requirements under the Federal Risk and Authorization Management Program.

In truth, HP’s latest offering, HP Fortify on Demand, is unique among FedRAMP’s growing list of compliant solutions. Government customers can use Fortify to perform security assessments of new or existing application code, websites and end-to-end mobile app security testing through the cloud, an important feature given that various research cited by HP contends that 70 percent of data breaches now occur through software -- not network -- vulnerabilities.

Rob Roy, chief technology officer for HP’s enterprise security products, told me the demand from government customers pushed HP to get Fortify on Demand through the FedRAMP process. It took approximately two years and significant investment, but Roy said he believes it worthwhile because public and private sector organizations continue to struggle with the security of their software, which he refers to as the “soft cheese center” or most organizations.

“Which applications do you protect? The best answer is you have to protect them all,” Roy said, adding that the civilian sector of government operates some 150,000 applications. “We’re seeing that as a growing industry.”

Fortify on Demand is a layered software-as-a-service that operates on top of HP’s FedRAMP-compliant infrastructure-as-a-service offering, Helion for Public Sector. The service operates continually out of multiple HP data centers used exclusively by government customers. It allows agencies to submit and upload software code for analysis by the cloud-based service.

Roy said the service generates a report outlining vulnerabilities and how to fix them within 48 hours -- a guarantee offered within HP’s service-level agreements.

Fortify handles code written in “pretty much any language out there” and multiple levels of service with price points low enough in some circumstances that developers can simply charge their credit card.

The reports generated by Fortify suggest remediation that developers, either from the government customer or a third party, can act upon.

“We want to automate the review and analysis of government software to help developers at their desktops actually fix software and remove vulnerabilities that are the leading cause of breaches,” Roy said.  

(Image via Gil C / Shutterstock.com)