HP Gains U.S. Approval for Software Security Tool

Hewlett-Packard joins a growing list of commercial cloud vendors authorized to provide cloud services to the federal government, becoming the first to offer a security software tool.

HP claimed this week that it is the first commercial vendor authorized to provide a security software-as-a-service offering. The tool, HP Fortify on Demand, was approved under the Federal Risk and Authorization Management Program, or FedRAMP. The offering is pitched as a response to growing threats against government networks and to the need to compartmentalize classified, sensitive and personal information on them.

According to the company, more than 70 percent of government network breaches can be traced to software vulnerabilities, most of which stem from programming errors. HP cited budget shortfalls and a shortage of "staff expertise" as the primary reasons for those coding errors.

Security analysts are more blunt in their assessment of federal IT administrators, noting a growing lack of expertise in managing government networks. They cite a series of errors by contractors and agency IT administrators during the rollout of the federal health care exchanges as a glaring example. Last year, for instance, a government IT administrator connected a test server to the Internet while testing a system being implemented under the Affordable Care Act; the test platform was quickly breached.

HP says its cloud-based Fortify offering addresses such flaws by giving agencies a better handle on the vulnerabilities in their own software. The tool is described as a managed application security testing service that can be used either to check the security of individual applications or to run a comprehensive sweep across an agency's portfolio. HP said the service scales to hundreds of web, mobile, in-house or third-party applications.

HP previously gained FedRAMP authorization for its infrastructure-as-a-service offering, HP Helion Managed Virtual Private Cloud for Public Sector. The newly approved SaaS offering would run on top of that already-authorized infrastructure.

This week's FedRAMP approval means the Fortify software security service is provisionally authorized for federal agency use. Government IT administrators could use the tool to perform security assessments of application code along with web services testing and mobile application security testing.

The service performs static code scanning of Java, .NET and other programming languages for security defects at the code layer. That is followed by an audit review, in which an auditor goes over the static scan results before they are reported. The security assessments cover more than 600 vulnerability categories across its services, the company claimed.
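To make the two steps described above concrete, here is an added example, written for this page and not taken from HP Fortify or any agency code base. It is a deliberately tiny static scanner: a few regex rules over constructed Java snippets flag SQL statements assembled with string concatenation, tag each finding with a confidence level, and leave the low-confidence ones in a queue for a human auditor, which is the role the "audit review" step plays. Everything in it (the sample files, the taint-source and sink lists, the confidence labels) is an assumption for illustration; a real scanner does interprocedural data-flow analysis rather than per-line pattern matching.

```python
"""Toy code-layer static scan with audit triage (illustrative, not Fortify code)."""
import re
from dataclasses import dataclass

# Assumed taint sources: places where attacker-controlled data enters a servlet.
TAINT_SOURCES = re.compile(
    r"request\.(getParameter|getHeader|getQueryString|getCookies)\(|System\.getenv\("
)
# Assumed sinks: JDBC calls that hand a string to the database.
SQL_SINKS = re.compile(r"\.(executeQuery|executeUpdate|execute|prepareStatement)\(")
SQL_LITERAL = re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE)\b', re.IGNORECASE)
# `Type name = expr;` or `name = expr;` with optional modifiers in front.
ASSIGN = re.compile(r"(?:[\w<>\[\]]+\s+)*(\w+)\s*=\s*(.+);\s*$")


@dataclass
class Finding:
    file: str
    line: int
    confidence: str  # "high": tainted input reaches a sink; "low": concatenated SQL, origin untraced
    snippet: str


def call_argument(text: str, start: int) -> str:
    """Return the text inside the parentheses that open at text[start]."""
    depth, in_str = 0, False
    for i in range(start, len(text)):
        c = text[i]
        if c == '"' and text[i - 1] != "\\":
            in_str = not in_str
        elif not in_str:
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
                if depth == 0:
                    return text[start + 1:i]
    return text[start + 1:]


def mentions(names, expr: str) -> bool:
    return any(re.search(rf"\b{re.escape(n)}\b", expr) for n in names)


def scan_java(filename: str, source: str) -> list:
    """Per-line scan: propagate taint through assignments, report at sinks."""
    findings = []
    tainted = set()     # variables that may hold attacker-controlled data
    concat_sql = set()  # variables holding SQL built with '+' from untraced parts
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            if TAINT_SOURCES.search(rhs) or mentions(tainted, rhs):
                tainted.add(var)
            elif SQL_LITERAL.search(rhs) and "+" in rhs:
                concat_sql.add(var)
        s = SQL_SINKS.search(line)
        if s:
            arg = call_argument(line, s.end() - 1)
            if TAINT_SOURCES.search(arg) or mentions(tainted, arg):
                findings.append(Finding(filename, lineno, "high", line))
            elif mentions(concat_sql, arg) or (SQL_LITERAL.search(arg) and "+" in arg):
                findings.append(Finding(filename, lineno, "low", line))
    return findings


def scan_all(samples: dict) -> dict:
    """Bucket findings the way an audit queue would: high-confidence results go
    straight to developers, low-confidence ones wait for an auditor to confirm
    or dismiss them."""
    report = {"confirmed": [], "needs_audit": []}
    for fname, src in samples.items():
        for f in scan_java(fname, src):
            bucket = "confirmed" if f.confidence == "high" else "needs_audit"
            report[bucket].append(f)
    return report


# Constructed Java snippets for the demonstration (not from any real project).
SAMPLES = {
    # Classic injection: request parameter concatenated into the query.
    "LoginDao.java": """\
String name = request.getParameter("name");
String q = "SELECT * FROM users WHERE name = '" + name + "'";
ResultSet rs = stmt.executeQuery(q);
""",
    # The fix: parameterized query, user input bound separately. No finding.
    "LoginDaoFixed.java": """\
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");
ps.setString(1, request.getParameter("name"));
ResultSet rs = ps.executeQuery();
""",
    # Concatenation of a compile-time constant: a pattern-based rule cannot
    # tell, so it lands in the audit queue where a person can close it.
    "ReportDao.java": """\
String q = "SELECT id FROM " + TABLE + " WHERE archived = 0";
ResultSet rs = stmt.executeQuery(q);
""",
}

if __name__ == "__main__":
    for bucket, items in scan_all(SAMPLES).items():
        print(bucket)
        for f in items:
            print(f"  {f.file}:{f.line}  {f.snippet}")
```

The third sample is the point of the audit step: the scanner cannot know whether `TABLE` is a constant or a value that once came from a request, so it reports the concatenation at low confidence rather than either suppressing it or shipping it as a confirmed defect. Triage of that queue is the human work that turns raw scan output into a usable assessment.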

Whether that is enough security remains to be seen since government networks, especially military networks, are under constant siege by hackers probing for security weaknesses.

HP asserts that its Fortify on Demand approach would allow federal agencies to shift from merely responding to breaches to addressing "the root cause of vulnerabilities by securing software from conception through the entire development lifecycle," according to Rob Roy, chief technology officer for HP's Enterprise Security Products unit for the public sector.