AMP 8.00 Released - Web Application Security Center News Blog

On Wednesday, April 15th, we announced a major release of HP Application Security Center's Assessment Management Platform. Version 8.00 of the flagship enterprise web application security product brings innovations and features across the system to enable our customers to:

Establish a web application security Center of Excellence which crosses the organization and the application lifecycle

  • Leverage and scale the capabilities of your limited security resources and increase security testing coverage of your enterprise's web assets by engaging resources outside your core application security team.
  • Address application security earlier in the application's lifecycle to reduce rework and risk
  • Free up your security specialists to focus on high value target sites and security activities
  • Protect sensitive security information and control the use of powerful web application scanning tools through AMP's central management
  • Integrate with IT systems to identify web assets and the data that they expose, and incorporate web application security into the greater Application Lifecycle and IT processes.

Build a unified picture of your corporate web application assets and security efforts across the enterprise to add business context, improve web application security efforts and make better business decisions.

  • Focus on the areas of high risk to the business and identify coverage holes
  • Communicate to business management in the context of business needs
  • Identify organizational level trends and opportunities
  • Track and manage application security process, compliance and vulnerabilities

Target Web 2.0 technology with best-in-class tools that

  • Automatically decompile and statically analyze client-side Rich Internet Applications
  • Automatically traverse client-side applications built entirely in JavaScript
  • Accurately authenticate to complex web applications

 

Over the next few weeks I will be dedicating blog entries to each of the above areas and how you can use AMP 8.00 to improve and mature your Web Application Security program.  The team has done extensive work across the product to support these capabilities, and though we are going to delve deeper into the above areas and the features that support them across the next few weeks, I want to give you a taste of what is in this release.   Here is a brief list of what's new and improved in AMP 8.00.

New in AMP 8.00

  • Tagging / Custom Properties - Add asset, business, regulatory, project and process information through a flexible name / value pair tagging system to give context to the information and
    • Identify coverage holes and areas of high risk
    • Communicate to business management in the context of business needs
    • Identify organizational level trends, risks, and opportunities
    • Track and manage status and process
  • Customizable and Enterprise Reporting - AMP 8.00 features a new enterprise level reporting system capable of considering data from across the system and rolling that up into enterprise level reports. This highly flexible system gives the customer the ability to create a custom reporting set that is built for their specific organizational and business needs to:
    • Generate reports that rollup data to business level entities (ex. Business units, development team, functional area, etc.)
    • Track projects across lifecycle and version changes.
    • Visualize Trends across scans, sites, organizations, etc.
  • Scan Monitoring - View rich, near real time, status information on scans executing on the AMP Sensors. The ability to monitor the scan's progress in near real time dramatically simplifies this scenario, reducing the time and effort required to configure and execute WAS scans.
  • Pluggable "Send To" Integration Infrastructure - The "Send To" infrastructure allows the customer or ASC professional services to quickly build integrations between the AMP system and other key Application Lifecycle and IT systems.
  • Flash Static Analysis - AMP Sensors can now decompile Shockwave Flash (SWF) files and then perform static analysis on the resulting ActionScript 3 code, detecting vulnerabilities such as insecure programming practices, insecure application deployment, Adobe "best practices" violations, and information disclosures.
  • Optional Depth First Crawler - Depth-first crawling accommodates sites that enforce order-dependent navigation (where you must visit page A before you can visit page B).
  • Java Model View Control (MVC) Support - Based on in-depth research by the HP DevInspect for Java team, AMP Sensors now support applications built on the Java MVC platform by the use of the Depth First Crawler, Path-based Attacks, and Navigational Parameters.
  • more...

Improved in AMP 8.00

  • Enhanced Vulnerability Management and Viewing - Quickly review, manage and annotate vulnerabilities from within the AMP user interface. Give the extended application security team (including development, QA and lesser skilled technicians) the ability to perform the scan review process without the need of an extensive desktop tool.
  • Scan Template Generation - Easily provide a scan template for other stakeholders within the application lifecycle so that they may execute the scans, freeing up the security specialists to focus on high value target sites and security policies.
  • Revamped Web Macro Recorder - The Web Macro Recorder is now easier to use and incorporates a new algorithm for determining a logout condition.
  • Scalability Enhancements - The fundamental data access and display methodology of the AMP system has been improved to greatly enhance the scalability and responsiveness of the AMP system.
  • more...

The AMP 8.00 release is available now to all AMP customers with a current support contract. AMP customers should contact HP Technical Support for access to new software online at http://support.openview.hp.com/ or call 1-800-633-3600. You will need your SAID and AMP License Token.

For more information on this release, check out our

Press release: http://www.hp.com/hpinfo/newsroom/press/2009/090415xa.html

and

Launch page: www.hp.com/go/stophackers

and

watch this blog for more to come....

 

Jeff Morgan

Product Manager, HP Assessment Management Platform
HP Application Security Center


Posted 04-17-2009 3:42 AM by jmorgan127