Detecting and fixing vulnerabilities in software can often be a complicated process. To help streamline that process, HP has come together with code analysis vendor Fortify to combine the benefits of dynamic and static code analysis.
HP (NYSE: HPQ) and Fortify have dubbed their solution Hybrid 2.0, because it combines products from both vendors and bridges the gap between penetration testing (the dynamic, outside-in view of a running application) and root-cause analysis of vulnerabilities within source code (the static view).
“Hybrid 2.0 brings together static analysis, the ‘inside-out’ view, with dynamic analysis, the ‘outside-in’ view, and takes it to a new level,” Jeff Morgan, product manager at HP software, told InternetNews.com. “We’re actively linking dynamic and static processes through some new and unique technology, and that will drastically increase what we can do.”
Specifically, the joint solution involves HP Assessment Management Platform (AMP), Fortify Source Code Analysis (SCA) and Fortify Program Trace Analyzer (PTA) working together to connect penetration test results directly to source code analysis results.
HP’s AMP provides the application penetration testing capability, and its results are linked with Fortify’s PTA. PTA is deployed inside the running Web application; while AMP performs the penetration test, PTA observes each attack request from within the application and traces it through the code, identifying the specific line of code that is at risk.
“Now you have a penetration test attacking the application [and a] program trace analyzer observing the attack and identifying the exact line of code where the application is vulnerable, and then you can easily correlate that line of code with a static analysis,” Fortify Product Manager Russ Spitler told InternetNews.com. “So now you can take that line of code and identify all of the different attacks that could potentially exploit that same vulnerability.”
Both Spitler and Morgan said that the drive to link HP’s software with Fortify’s came about due to customer demand. Spitler said that a number of joint customers already use both products independently. By building the new integration points, the two vendors aim to provide a best-of-breed solution that leverages both HP’s and Fortify’s technologies.
As to how the new HP/Fortify Hybrid 2.0 solution will actually be packaged and sold, that is still being finalized. Spitler said that he expects Hybrid 2.0 to be available in the second half of 2010, though it is not yet clear how the solution will be sold. He did add that he expects existing customers of either HP or Fortify to be able to easily acquire whatever they need to deploy a full Hybrid 2.0 solution.
HP and Fortify aren’t the only vendors trying to create a bridge between dynamic and static analysis.
Rival IBM acquired static analysis vendor Ounce Labs in 2009 and has since been in the process of integrating the technology into its overall application security portfolio. Part of the broader IBM (NYSE: IBM) effort also involves linking developer tools from IBM Rational with operations tools from IBM Tivoli to secure application development.