HP Security Products Blog

HP and Fortify Advance Vulnerability Testing with Hybrid 2.0

HP and Fortify Collaborate on Static Analysis (SAST) & Dynamic Analysis (DAST)

HP and Fortify Software recently announced a joint collaboration that will help customers more efficiently manage and reduce critical security vulnerabilities across the entire application life cycle. Fortify 360's Static Application Security Testing (SAST) technology will be integrated with HP Application Security Center and HP Quality Center software solutions to give enterprise users increased visibility into application security across development, quality assurance and security operations.

These two assessment techniques, static (source code) analysis and dynamic (runtime) analysis, have come to dominate the application development and testing worlds. Each technique has different strengths and can identify vulnerabilities that the other cannot. Source code analysis can find insecure programming practices that may have left the code vulnerable to malicious attacks, but it can be limited by the languages used to build the application, and it can only find potential vulnerabilities rather than actionable results. Dynamic analysis eliminates language dependency and the need to parse source or binary code into an analyzable form, but it has no access to the source code; if it cannot "guess" where some pages or files are located, it can provide a false sense of security by producing numerous "false negatives".

Hybrid Analysis

The combined hybrid analysis approach of Hybrid 2.0 will provide a new level of insight into the strengths and weaknesses of an application, which can be used to rapidly zero in on "readily exploitable" vulnerabilities. This approach can provide broad code coverage, identify all points of input to an application, track data as it moves through the application, and then validate the vulnerabilities it finds, ultimately producing more accurate results.

For more information, visit http://www.hp.com/go/hybridanalysis.

You can also register to download the Hybrid 2.0: The Next Generation of Integrated Static and Dynamic Security Analysis white paper here.

Finally, to read the press release, visit

| ‎03-11-2010 10:49 PM

This post was mentioned on Twitter by HP_AppSecurity: HP and Fortify Collaborate on Static Analysis (SAST) & Dynamic Analysis (DAST):

http://ow.ly/1hl5P #web #security

| ‎03-15-2010 01:47 AM

Logging into that HP Download Centre does not yield the White Paper. Interestingly, returning to the link with an active logged-in session yields the New User Registration Form. Smells funny! Would love to read that White Paper still if it can be made available.
