HP announced Wednesday that its Fortify on Demand program has become the first security software-as-a-service offering to earn a FedRAMP authorization.
The cloud-based Fortify will allow agencies to run security assessments of application code and Web services, performing static code analysis for languages such as Java and .NET and penetration testing for any Web-hosted code. The service tests against 600 vulnerability categories without requiring agencies to install anything, regardless of where the application resides.
“Now you are using a network to guard a network, so you get the benefits of security, but you also get the benefits of extra expertise and cost savings,” said Al Kinney, HP’s director of public sector cybersecurity. “One of the problems with Fortify or any software product is having the expertise in-house that knows how to use more than the first five pages of the user manual. By putting this into a service, we have the expertise to accept your applications and give you answers that will give you fewer false positives and more detail.”
Scott Gaydos, HP’s public sector CTO, said Fortify allows government agencies to perform security assessments of application code, web services and mobile applications without requiring any additional software to install or manage.
“Before a product moves out of development and into integration…[Fortify] dumps out potential remediations that then, some human expertise will determine whether the remediations are false positives or are they real,” Gaydos said. “This service starts to hit some of those attack vectors before you’ve ever deployed a piece of software, or an edge device or things you would worry about after production.”
As more agencies embrace cloud technology, Gaydos sees a mix of thinking that spans old and new ideas, setting a landscape in the federal government he refers to as “hybrid IT.”
“There’s traditional IT that’s hosting a lot of these legacy systems and then maybe there is some on-premise private cloud work that’s underway, maybe some virtual private cloud work, and that’s the reality of today’s environment for a CIO to be able to operate,” Gaydos said. “Hybrid IT is the reality. It’s not so much that people are warming to it — it simply is.”
HP sees this hybrid IT driving the way government agencies develop their own applications while also closing security holes in existing legacy systems. As agencies move toward more agile development, baking in application security — especially on the civilian side — is often an afterthought that leads to remediation work when a vulnerability is found or exploited.
Earl Matthews, HP’s vice president of public sector enterprise security solutions, said security needs to be a focal point from the beginning.
“For far too long, [application security has] been punted to the network to provide these boundaries, moats and measures,” Matthews said. “When you get to the core of it, it’s about the data and how you protect it.”
Matthews said with Fortify, even agencies that have embraced hybrid IT are now able to add security into the hardware life cycle of their cloud-based applications.
“The biggest bang for the buck is application security, rewriting applications that can now be [used] in a new style of business that everyone keeps talking about,” he said.