HP to deliver vulnerability scanning service by year's end

Computerworld - Hewlett-Packard Co. plans to deliver a new security vulnerability scanning and remediation service by the end of the year that is designed to help companies identify and fix weak spots on their corporate networks, a senior company executive said this week.
The service will be based on an HP technology called Active Counter Measures, which the company has been internally testing for more than two years, according to Tony Redmond, vice president and chief technology officer at HP Services.
HP's service will allow companies to identify flaws in any network-connected device, including servers, desktop PCs, notebooks and even "transiently" connected devices such as PDAs, Redmond said. It can also be used to protect vulnerable systems via measures such as installing patches, imposing network access restrictions or quarantining the systems.
The move by HP will put it in a crowded field. Several companies, including IBM and Computer Associates International Inc., and security firms, such as Internet Security Systems Inc. and Qualys Inc., already offer similar services or hardware and software products for automated vulnerability assessment, discovery, remediation and reporting.
Whether HP would have any advantage over that competition will depend on the specifics of their offering, said Rusty Robinson, a technical manager at Intrado Inc., a provider of 9-1-1 infrastructure systems and services based in Longmont, Colo.
But HP's entry into this security area would increase competition, he said. "It would just be one more company in the marketplace to get those services from," Robinson said.
The fact that HP is among the larger vendors to offer such a service is also important, said David Krauthamer, director of information services at Advanced Fibre Communications, a Petaluma, Calif.-based manufacturer of telecommunication equipment. "The market has been pretty niched so far; HP can certainly bring their clout and scale to the market," Krauthamer said.
But the "fairly wide access" to internal systems that HP or other third parties will need to deliver this kind of service makes it a no-go at his company, said Brian Andersen, a systems programmer at the 17,500-employee, Denmark-based Danfoss A/S.
Danfoss, an industrial manufacturer of hydraulics, compressors and other material, does its own vulnerability testing, a job it wants to keep in-house, Andersen said, "so we know ourselves what's going on and how to fix it and not to let a third party into our network."
HP's planned service isn't the company's first foray into the security market. In fact, it has made a number of recent purchases to expand its portfolio of security products and services. InMarch HP acquired TruLogica Inc., a Dallas-based vendor of application provisioning software. In February, the company announced plans to acquire Novadigm Inc., a vendor of compliance management software. And last year, it purchased Baltimore Technologies Inc., a vendor of products for federated identity management.
So far, at least, HP has done a poor job of articulating how it plans to use these technologies to benefit users, said Pete Lindstrom, an analyst at Spire Security LLC, a Malvern, Pa.-based consultancy.
"HP seems to wax and wane in the security space," Lindstrom said. More than a year after the Baltimore purchase, for instance, "you just don't hear about the technology anymore," he said. "HP could probably be a formidable player if they wanted to, given their current suite of products and global reach."

Read more about security in Computerworld's Security Knowledge Center.