HP Software Wednesday updated its security products to help customers scan Web-based applications for vulnerabilities.
On display at HP's booth during next week's RSA Conference in San Francisco, WebInspect 8.0, HP's Web-application scanning tool, has been upgraded to support vulnerability scans of Adobe Flash and Web 2.0 technologies. The server-based HP Assessment Management Platform 8.0 is a vulnerability-assessment tool for managing multiple scanning tools, including WebInspect 8.0, and generating audit and remediation reports for an enterprise network.
The HP vulnerability-assessment tools are typically used in application-program development to catch programming errors, such as cross-site scripting, which inadvertently create vulnerabilities in applications that hackers can exploit, says Jeff Morgan, HP Software product manager for enterprise solutions.
With the latest version of the tools, “we're delving into Flash and de-compiling it,” Morgan says. “On the JavaScript side, we're executing it as the user world. We can test things before production or in production for quality assurance.”
If the WebInspect 8.0 tool identifies problems in JavaScript, for example, it will flag it and make a recommendation for remediation.
Sony Pictures Entertainment, which produces movies as well as home entertainment products, uses the HP vulnerability-assessment tools as part of its software-development life-cycle management.
Sony Pictures Entertainment will scan applications to check for vulnerabilities in its medium- to high-risk applications, including financial, says Erika Peccioutto, executive director of enterprise technology quality at the Culver City, Calif.-based division of Sony.
“We have 25 different development teams and my group scans all the applications,” she notes. Scanning to detect software vulnerabilities helps ensure compliance with regulations that include the Sarbanes-Oxley Act and the European data-protection laws, she says.
Application scanning can help build in security from the time a new application is planned through its deployment and after,Peccioutto says, noting that scans are a budgeted part of the methodical process to catch any errors before an application goes live.
Cross-site scripting and SQL injection errors are among the most commonly caught in past years, says Jeff Cox, senior software engineer at Sony Pictures Entertainment. But the latest generation of programming errors often originate in input-validation issues associated with Flash and Ajax JavaScipt programming, the focus of HP's latest vulnerability-assessment upgrade.
