HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Top 3 Reasons you need Hybrid Analysis

When trying to assess an application for security, the more you learn, the better you can test. That's one reason combining Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) into a hybrid analysis approach can yield better results than using either method individually. It's something of a 'two heads are better than one' approach. Here are some of the main reasons why using Hybrid Analysis 2.0 is better than either DAST or SAST alone.

More complete Testing:

The first version of hybrid analysis only aggregated DAST and SAST vulnerabilities and occasionally grouped vulnerabilities discovered by both methodologies. While useful for validation, it did not dramatically improve scanning results (which, to be fair, wasn't its intent). The primary challenge with using DAST and SAST together has always been how to effectively connect the observed behavior of a web application under test to the details of why the application behaved that way. By making this connection, organizations can focus on the issues that are most critical to their operation, and developers become more productive because the root cause is revealed within their code. Hybrid Analysis 2.0 represents a significant leap forward in this area. It is a truer integration of DAST and SAST, not simply a method of incidental post-scan correlation. Instead, results are constantly re-examined so that active correlation during scans can directly link together more vulnerabilities. Put simply, vulnerabilities discovered in web applications can be traced to the actual source of the vulnerability in the code. SAST provides prioritized attack surfaces to direct DAST testing. And by identifying all points of input to an application, and then tracing that data step by step through the application, organizations get a much truer understanding of their security risks and exposure.

Better prioritization of findings:

Hybrid Analysis 2.0 uses proximity correlation to re-prioritize the riskiest issues. Applying this technology dramatically increases the number of correlated results, providing both the "proof" of a successful attack and the code-level vulnerability details necessary to fix the problem. Ultimately, better prioritization of risks lets the most critical vulnerabilities, those that are the most exploitable and damaging, be addressed first.
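The linking of observed DAST behavior to SAST code-level detail, and the resulting prioritization, described in the two sections above, as an added example that is not HP's code and does not reproduce its proximity-correlation algorithm: a simplified matcher keyed on route, input parameter and vulnerability class, run over constructed sample findings for a hypothetical application.

```python
from dataclasses import dataclass

# A DAST scanner observes behavior from the outside: which request parameter,
# on which route, produced evidence of a vulnerability class.
@dataclass(frozen=True)
class DastFinding:
    route: str       # URL path that was tested
    parameter: str   # HTTP parameter the test payload was sent in
    category: str    # vulnerability class, e.g. "sql_injection"

# A SAST scanner reports a tainted data flow from an input parameter (source)
# to a dangerous call (sink) at a code location inside a route handler.
@dataclass(frozen=True)
class SastFinding:
    route: str       # route whose handler reads the source parameter
    parameter: str   # request parameter the tainted flow starts from
    category: str
    file: str
    line: int

# Constructed sample findings (not real scan output).
DAST = [
    DastFinding("/search", "q", "sql_injection"),
    DastFinding("/profile", "name", "xss"),
    DastFinding("/login", "user", "sql_injection"),   # no static flow explains it
]
SAST = [
    SastFinding("/search", "q", "sql_injection", "search.py", 42),
    SastFinding("/profile", "name", "xss", "profile.py", 17),
    SastFinding("/admin/export", "fmt", "command_injection", "export.py", 88),  # never reached by DAST
]

def correlate(dast, sast):
    """Pair each observed (DAST) finding with the static (SAST) flows that explain it.
    Correlation key: same route, same input parameter, same vulnerability class."""
    index = {}
    for s in sast:
        index.setdefault((s.route, s.parameter, s.category), []).append(s)
    return [(d, index.get((d.route, d.parameter, d.category), [])) for d in dast]

def prioritize(dast, sast):
    """Rank findings: correlated ones (attack proof plus root cause) first, then
    DAST-only (proven, but no code location yet), then SAST-only (a code flow
    with no observed proof, so lower confidence it is reachable)."""
    pairs = correlate(dast, sast)
    matched = {s for _, flows in pairs for s in flows}
    confirmed = [(d, flows) for d, flows in pairs if flows]
    dast_only = [(d, []) for d, flows in pairs if not flows]
    sast_only = [(None, [s]) for s in sast if s not in matched]
    return confirmed + dast_only + sast_only
```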

Reduces the time and cost to fix vulnerabilities in the code:

According to the National Institute of Standards and Technology (NIST), it is 6.5 times more expensive to fix a flaw in development than during design, 15 times more in testing, and 100 times more in development. With Hybrid Analysis 2.0, organizations can quickly locate their most critical application vulnerabilities and fix them before their products are released. And, ultimately, reducing expense in both time and money is what it's all about.


For more information on Hybrid Analysis 2.0, visit http://www.hp.com/go/hybridanalysis.