
SWG Rational Marketing Software Delivery Program

Securing today’s applications
Design, deliver and secure smarter software and services
The What, Where and How of Application Security

Why is application security such a hot issue moving into 2010 and beyond?

Applications are becoming more pervasive, organizations are growing and implementing smarter software to support business process, product development and daily operations. The way businesses are dealing with their customers, their partners and their own internal businesses is changing and becoming more complex. New SOA-oriented architectures and the extension of things like the electrical grid are becoming an essential part of an organization’s everyday.

So it is natural that the security ramifications of deploying all of these applications are a very important concern for customers. They’ve generally done a very good job over the last 10 or 15 years in understanding the established security technologies for tasks like networking and operations, and managing security procedures like access control or authentication. But now, as these new applications roll out, they’re really changing the game.

In many ways, these applications can exist in a couple of worlds. Sometimes they can have portions of their behavior inside a firewall, while sometimes it will be external to the firewall, such as the web-facing front end to a legacy back-end application. The possible security problems are not just the threat surface that gets exposed with new applications, but are also the composite of behaviors that goes on outside the firewall at the front end of the application, and all of the possible unintended consequences of the new exposure to the internal application.

All of these things are conspiring together: the influx of new applications, the increased importance of applications for core business goals and the difficulty in terms of understanding the way in which all these components will play together. These forces are driving applications into a place of prominence in the current environment.

Four strategic best practices for protecting web applications

To address security-related issues as they pertain to web applications, organizations can employ four broad, strategic best practices.

1. Increase security awareness
This includes training, communication and monitoring activities, preferably in cooperation with a consultant.

Training
Provide annual security training for all application team members: developers, quality assurance professionals, analysts and managers. Describe current attacks and a recommended remediation process. Discuss the organization’s current security practices. Require developers to attend training to master the framework’s prebuilt security functions. Use vendor-supplied material to train users on commercial off-the-shelf (COTS) security tools, and include security training in the project plan.

Communication
Collect security best practices from across all teams and lines of business in your organization. Distribute them in a brief document and make them easily accessible on an intranet. Get your IT security experts involved early and develop processes that include peer mentoring. Assign a liaison from the security team to every application team to help with application requirements and design.

Monitoring
Ensure that managers stay aware of the security status of every application in production. Track security errors through your normal defect tracking and reporting infrastructures to give all parties visibility.

2. Categorize application risk and liability
Every organization has limited resources and must manage priorities. To help set security priorities, you can:

• Define risk thresholds and specify when the security team will terminate application services.
• Categorize applications by risk factors (e.g., Internet or intranet vs. extranet).
• Generate periodic risk reports based on security scans that match issues to defined risk thresholds.
• Maintain a database that can analyze and rank applications by risk, so you can inform teams of how their applications stack up against deployed systems.

3. Set a zero-tolerance enforcement policy
An essential part of governing the development and delivery process, a well-defined security policy can reduce your risk of deploying vulnerable or noncompliant applications. During inception, determine which tests the application must pass before deployment, and inform all team members. Formally review requirements and design specifications for security issues during inception and elaboration—before coding begins. Allow security exceptions only during design and only with appropriate executive-level approval.

4. Integrate security testing throughout the development and delivery process
By integrating security testing throughout the delivery lifecycle, you can have significant positive effects on the design, development and testing of applications. You should base functional requirements on security tests your application must pass, making sure that your test framework.

Application security planning and security strategy should be based on systematic process and practices and not symptomatic issues that arise during a testing cycle.

The Business Case for Data Protection was the first study to determine what senior executives think about the value proposition of corporate data protection efforts within their organizations.
Ponemon Business case for Data Protection (US)
Ponemon Business case for Data Protection (UK)
Secure by Design

Innovation depends upon the safe and reliable operation of the systems that will gather, transmit and analyze data, communicate and act upon the results and advance the capabilities of highly distributed organizations to unify and focus on critical shared goals. This type of security, this type of safety, is not something that can simply be bolted onto the solutions as an afterthought. It must be considered from the first requirements to the final implementation, and it must be inherent in the capabilities that are brought to bear as these complex problems are solved. The reliability of these solutions cannot be jeopardized by delay. They must be Secure by Design.

Secure by Design demonstrates that cost-effective security begins with the creation of secure systems from the start. Time-to-market, maintenance and the devastating costs of public breaches are reduced through the benefits of integrating secure practices early in the development lifecycle. It is a long-standing axiom that functional defects identified during system development are orders of magnitude less costly to repair than those found in production systems, and the benefits and savings are even higher when it comes to security. Current models show us that the average data breach costs an organization roughly $6.6M, and that the average cost per lost customer data record is over $200. These numbers are staggering. Vulnerability within some Smarter Planet™ systems is even more destructive, as some systems manage critical infrastructure, and failure can disable entire regions or worse, jeopardize lives.

A critical enabler of trust in this process is the ongoing validation of the security of critical applications. System development history has shown us that there is a natural tendency for implementations to veer from their original designs, and that constant reinforcement of design objectives through testing and assessment is the most practical means of arriving at a deliverable with the proper attributes. Security is no different, but can be more difficult to assess. Security, particularly at the coding and implementation level, is not a widely understood discipline, and its inclusion in the set of critical deliverables will only be possible as organizations simplify and automate security checking in ways similar to those employed for functional and performance testing. The IBM® Rational® AppScan® suite of products has been created to integrate within this environment, whether through application scanning on the developer desktop, at the nightly or weekly build server, or through targeted penetration testing of the final application.

In practice, not every application can be protected from every threat, and the continuous appearance of new attacks means that today’s results will never be sufficient to guarantee tomorrow’s safety. As a result, the path to maximizing the security of an application begins by rigorously testing that application today, and planning for its continuing testing as the application, and the threats it encounters, evolve.

Automated source code analysis is widely recognized as the most effective method of this type of testing early in the life cycle, because it allows for a consistent and repeatable assessment of source code without requiring the additional assets that would be needed to field a completed system to test. The best of these technologies provide the most valuable results by pinpointing the vulnerability at the precise line of code and detailing information about the type of flaw, degree of criticality and how to fix it. Ethical hacking is also an important element of software security, but its value comes later in the life cycle, when it can be used on a completed application with a functional interface. Together, these approaches can paint a picture which is both comprehensive in its scope and useful in the level and amount of detail that it provides.

Securing components and systems from their inception produces a flexibility and sense of assurance that fuels the growth and adaptability of the Smarter Planet. Early implementations of smarter projects are only the beginning of the potential for integrating information and technology to solve fundamental infrastructural problems. Systems which are gathering information to optimize a Smarter City today may well be repurposed in the future to bring smarter healthcare or smarter communications to the same area. By designing the core components with security in mind, adapting them to a new area of use becomes much more straightforward, eliminating the need to re-engineer the component for the next role it may fulfill.

Roadblocks to building in security
Among the most common impediments to the adoption of security testing in the software development life cycle, the most difficult to overcome is typically the gap between development group functions and the security team’s priorities. The skill sets themselves are rarely present in the same individual or even group, and organizationally there is very little inherent synergy. While development goals focus on product functionality and on-schedule delivery, security analysts are often tasked with eliminating vulnerabilities and implementing security controls only after the applications are completed and deployed. Development is rewarded for on-time delivery, while security is rewarded for preventing the deployment of an insecure application. To effectively decrease vulnerabilities created during the development process, development and security teams must cooperate, and in all cases, higher-level management support for improving security during development is essential.

There also exists a general reluctance to alter an existing software development life-cycle process which can delay implementation of security testing. In these cases, an understanding of the business-level benefits to be gained is usually enough incentive to move things forward. There are some common misconceptions about the potential and difficulties of improving security within the development process.

Fiction: The development schedule cannot delay any other activities, not even to address security issues.

Fact: There might be initial delays to the development cycle as individuals learn the new system, but this is indisputably the most time-efficient method for reducing software risk. The process eventually reduces development time by instilling good, secure coding practices among developers, and these practices reduce time spent elsewhere in the cycle, such as during security and acceptance testing of the final application.

Fiction: We are already doing peer review; therefore, we do not need additional security code reviews.

Fact: A peer review is not a substitute for a security review. Peer reviews are typically used to find functional bugs. Unless reviewers have a deep understanding of application security, many of the more critical security vulnerabilities and design flaws are missed. In many cases, the best-intentioned user requirement implemented without functional error can lead to the greatest security risk. Common security errors will traverse thousands of lines of code and many files, leading to a very challenging, if not impossible, task of manual identification.

Assigning core responsibilities
Many enterprises still find it challenging to identify the most appropriate method and resources to implement source code analysis in their development life cycle. Utilizing a series of workflow models to help guide the implementation of automated source code scanning into an existing development process is the most effective way to achieve a favorable approach. Although it is clear that development organizations and processes each have their own distinct characteristics, the functions below are primary to source code testing and must be served by existing staff or experts brought in during implementation.

Set security requirements: A manager or central source of business requirements meets with groups with security expertise to define the security requirements of the application, the vulnerabilities that would most jeopardize its function, and assign criticality based on business needs.

Configure analysis: Internal definitions are used to customize the source code analysis tool to match policies, ensuring sufficient and consistent review of applications.

Scan source code: The source code analysis tool is run against the target application or parts of the application to pinpoint vulnerabilities. These scans are commonly automated, but can also be executed on demand.

Prioritize results: Staff members with knowledge of security and the application study results to prioritize remediation and resources workflow appropriately.

Remediate flaws: Vulnerabilities are eliminated by rewriting code, removing flawed components, or adding security-related functions.

Verify fixes: The code is rescanned and studied to ensure the code changes have eliminated the vulnerability while maintaining application functionality.

Organizations which have already adopted this methodology have seen very positive results. One major telecommunications firm has gone so far as to apply the knowledge of their relevant threats and the operational implementation goals of their software components to devise an automated testing regimen that is kicked off regularly with the software build. The information generated has already been tailored by the security team, and the results are regularly reviewed to ensure relevance and continuing accuracy. In the interim, each build automatically assesses the security of the software, and forwards any newly found vulnerabilities to the appropriate development groups for remediation. This integrated process has led to much faster cycle times, decreased rework, and a far better performance during rigorous pre-deployment certification.

“Secure by Design” as a goal has two different meanings. The first, as described here, relates to assembling the knowledge, tools and processes to generate components and systems that will perform reliably and securely, through efforts at all phases of the construction lifecycle. The second meaning, though, is equally important: As we enter this instrumented age, and we come to expect technology to improve our day-to-day existence in new ways, we must acknowledge our responsibility to make our organizations “Secure by Design.” We must educate ourselves and our teams on the importance of security, on the cost savings and benefits of secure development, and on the balance that must be reached between that concern and concerns of functionality, performance, and time-to-market.

If we do this, then soon “secure” will be as natural a characteristic of the Smarter Planet as “fast”, “stable”, or “easy-to-use.”

For detailed information on three development models, including workflows and best practices, please see the whitepaper Secure at the Source in the Web Application Security e-Kit.
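The build-time loop in this section (prioritize by assigned criticality, forward newly found vulnerabilities to the owning group, verify fixes by rescanning) can be expressed as a comparison of two scan results. This is an added example, not IBM's or AppScan's code; the finding fields, criticality table, owner map and blocking threshold are all assumptions.

```python
from collections import defaultdict

# "Set security requirements": criticality per flaw class (assumed values).
CRITICALITY = {"sql-injection": 3, "xss": 2, "weak-hash": 1}
BLOCK_AT = 3  # a new finding at or above this criticality fails the build

# Assumed mapping from source path prefix to the development group that owns it.
OWNERS = {"billing/": "billing-dev", "portal/": "portal-dev"}
DEFAULT_OWNER = "security-team"


def fingerprint(finding):
    # Line numbers drift between builds, so identity is rule + file + function.
    return (finding["rule"], finding["file"], finding["function"])


def criticality(finding):
    # A rule nobody has classified yet is treated as blocking until reviewed.
    return CRITICALITY.get(finding["rule"], BLOCK_AT)


def owner_for(path):
    for prefix, team in OWNERS.items():
        if path.startswith(prefix):
            return team
    return DEFAULT_OWNER


def triage_build(previous_scan, current_scan):
    """Compare this build's scan with the last one and route the difference."""
    before = {fingerprint(f): f for f in previous_scan}
    after = {fingerprint(f): f for f in current_scan}

    # "Prioritize results": only findings not seen before, most critical first.
    new = sorted((f for key, f in after.items() if key not in before),
                 key=criticality, reverse=True)
    # "Verify fixes": findings from the last build that the rescan no longer reports.
    fixed = [f for key, f in before.items() if key not in after]

    routed = defaultdict(list)
    for finding in new:
        routed[owner_for(finding["file"])].append(finding)

    return {
        "routed": dict(routed),
        "verified_fixed": fixed,
        "blocked": any(criticality(f) >= BLOCK_AT for f in new),
    }


# Constructed scan results for two consecutive builds.
PREVIOUS_SCAN = [
    {"rule": "sql-injection", "file": "billing/invoice.py", "function": "lookup", "line": 40},
    {"rule": "xss", "file": "portal/search.py", "function": "render", "line": 12},
]
CURRENT_SCAN = [
    {"rule": "xss", "file": "portal/search.py", "function": "render", "line": 15},
    {"rule": "weak-hash", "file": "portal/login.py", "function": "store_password", "line": 88},
    {"rule": "sql-injection", "file": "billing/export.py", "function": "run_query", "line": 7},
]

if __name__ == "__main__":
    result = triage_build(PREVIOUS_SCAN, CURRENT_SCAN)
    for team, items in result["routed"].items():
        print(team, [(f["rule"], f["file"]) for f in items])
    print("fixed:", [f["file"] for f in result["verified_fixed"]])
    print("build blocked:", result["blocked"])
```

The known cross-site scripting finding moved from line 12 to line 15 between builds and is not re-reported, which is why the fingerprint leaves the line number out.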
Hackers and Malware

The proliferation of malware designed to infiltrate computer systems without the owners’ informed consent has become one of the most challenging security issues facing users today. Hackers are engineering ever more sophisticated viruses, worms and Trojan horses that can outsmart traditional defense mechanisms.

Malicious software can be distributed in a variety of ways, and attackers generally do not limit themselves to a single channel. For a long time, email was the primary delivery mechanism, and it is still significant today. Network vulnerabilities and instant messaging have also been used for pushing worms from one machine to another.

Today, web applications are the primary delivery mechanisms for malware via “drive-by downloads” or “social engineering.” A drive-by download happens when a user’s machine becomes compromised simply by browsing an infected web page. The browser executes components that are maliciously crafted to exploit vulnerabilities in the browser, operating system or other plug-ins as the page renders images, in-line scripts and videos, for example.

Social engineering is a term used to describe tricking a user into performing some action, such as downloading a file or accepting a prompt. “Scareware,” such as an alarming pop-up that prompts users to perform an action, is a good example of this. A pop-up designed to look like an antivirus alert may read “A virus has been detected on your system” and prompt a user to download a cleanup utility, which is actually malware (often a Trojan horse). In the fall of 2009, a major national newspaper in the United States faced a version of this tactic in the form of a scam that was designed to scare users into buying useless antivirus software.

In recent years, occurrences of legitimate websites serving malware have become more widespread. Previously, cautious web surfers who avoided questionable sites, such as adult-oriented or illegal download sites, could reasonably expect to avoid attacks. This is not so today. Moreover, site owners rarely even know that the compromise has occurred. Consider the consequences. Users are no longer able to avoid exposure through good judgment alone. The malware is delivered through the sites they use and trust on a regular basis—for personal and business needs. Web gateways can no longer rely on blacklists of malicious sites without blocking legitimate sites as well. So how are users expected to protect themselves, and how can website owners avoid putting their users in harm’s way? That question can’t be addressed without understanding how legitimate sites are compromised.

A look at how legitimate websites are compromised
In most cases, reputable websites are attacked using one or a combination of four primary methods.

Vulnerability exploitation
Vulnerabilities on a site are a favorite target of criminals. These could be 0-day vulnerabilities in the software running the website or vulnerabilities in the application-specific code. Such vulnerabilities can allow attackers to deface the site, making it link or serve malicious content. Exploiting 0-day or very recent vulnerabilities in web infrastructure (for example, web servers, application servers and operating systems) is the primary method of compromising websites today.

Uploaded malware on user-driven sites
User-driven Web 2.0 community sites—including blogs, wikis and social media sites—that let users create and post data likely provide another popular malware delivery source. Worse, technical vulnerabilities aren’t even necessary. If users are allowed to add content and links to the site, they may be uploading malicious items. For example, PDF document files holding malicious content or images that exploit a security hole in a graphics library can cause a legitimate website to serve malware.

Internal attacks
Website defenses are often not as robust when accessed from within an internal network. As a result, internal resources, such as disgruntled employees or an employee who has been blackmailed, can modify a web application from within and make it serve or link to malware.

Third-party content
Including third-party content such as ads or mashup applications can multiply the risk of malware on your website. Third-party sources may be malicious or may have been compromised by yet another party, resulting in malware being served through your application’s pages. Consider an advertising service serving Flash–based advertising banners. Flash applications are powerful and dynamic and have potent scripting engines. If an advertising company is not properly vetting and analyzing each banner it posts, it may be serving malicious banners that deliver malware.

Existing solutions
How can users be expected to protect themselves from malware on legitimate websites? Certainly, users need to take precautions by installing appropriate endpoint security solutions, such as antivirus software, firewalls and other security tools. But this will only get them so far. As a result, website owners have significant responsibilities in the matter, as their users should expect a reasonable level of protection against malicious code.

There are several ways companies and organizations can protect the server side: an intrusion prevention system (IPS) or similar network protection device that monitors outgoing traffic, and server-side antivirus solutions. An IPS can examine all traffic returned from the site and block anything deemed malicious. The problem with this approach is the depth of the analysis—the IPS needs to work at a very high velocity to support huge volumes of data, and thus can only afford a fraction of a second to analyze passing content. As a result, its analysis is mostly limited to matching known malicious patterns against the content.

A server-side antivirus solution can be used to examine files on the server and identify whether they are malicious. The problem with this approach is visibility. Antivirus solutions are designed to look for viruses in files, but are limited in their ability to examine content residing in the databases where most applications store their dynamic content. Similarly, antivirus solutions don’t see or understand web pages, making them blind to content that is linked from the website but not hosted on them.

Currently, the most common way for criminals to make legitimate websites serve malware is by injecting an iframe that leads to a malicious site. The existing solutions discussed above cannot find this very common manifestation of the problem.

An alternative approach: HTTP-based malware scanning uses a new approach, combining the HTTP view with antivirus-like capabilities. Scanning and detection capabilities can help you overcome the inherent problems of existing security technologies.

Please see the demo of Rational AppScan std edition for a full view of the AppScan Standard Edition and Express products.
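For a site owner, the HTTP view of the injected-iframe problem described in this section means inspecting the page as it is actually served and listing every frame that loads from a host the site never approved. The following is an added example, not IBM's or AppScan's code; the host names, the allowlist and the sample response are constructed, and the severity labels are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import re

# Inline styles that hide a frame from the visitor (not displayed, or 0/1 pixel).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)",
    re.IGNORECASE,
)
TINY_DIMENSION = re.compile(r"[01](?:px)?", re.IGNORECASE)


class IframeCollector(HTMLParser):
    """Records the attributes of every <iframe> start tag in a response body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # the parser lower-cases tag and attribute names
            self.frames.append({name: (value or "") for name, value in attrs})


def is_hidden(attrs):
    """True when width/height attributes or inline style make the frame invisible."""
    for dimension in ("width", "height"):
        if TINY_DIMENSION.fullmatch(attrs.get(dimension, "").strip()):
            return True
    return bool(HIDDEN_STYLE.search(attrs.get("style", "")))


def scan_response(page_url, body, allowed_hosts=frozenset()):
    """Return one finding per iframe that loads from a host the site did not approve."""
    page_host = urlsplit(page_url).hostname
    collector = IframeCollector()
    collector.feed(body)
    collector.close()

    findings = []
    for attrs in collector.frames:
        src = attrs.get("src", "").strip()
        target = urljoin(page_url, src)  # resolves relative and //host forms
        parts = urlsplit(target)
        if not src or parts.scheme not in ("http", "https"):
            continue  # frames without a network source, such as about:blank
        host = parts.hostname
        if host == page_host or host in allowed_hosts:
            continue
        hidden = is_hidden(attrs)
        findings.append({
            "host": host,
            "target": target,
            "hidden": hidden,
            # An invisible off-site frame has no legitimate layout purpose.
            "severity": "high" if hidden else "review",
        })
    return findings


# Constructed response for a fictional site; every host name is a placeholder.
SAMPLE_URL = "https://www.news.example/index.html"
SAMPLE_ALLOWED = frozenset({"video.partner.example"})
SAMPLE_BODY = """
<html><body><h1>News</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="https://video.partner.example/embed/42" width="560" height="315"></iframe>
<iframe src="//cdn.unknown-host.test/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<IFRAME SRC="http://ads.other.test/banner" width=468 height=60></IFRAME>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_response(SAMPLE_URL, SAMPLE_BODY, SAMPLE_ALLOWED):
        print(finding["severity"], finding["target"])
```

This reads static markup only; frames that a script writes into the page at run time appear only after the page has been rendered, so a crawl with a real browser engine is needed to cover them.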
Security and Cloud Computing

Cloud computing is a flexible, cost-effective and proven delivery platform for providing business or consumer IT services over the Internet. Cloud resources can be rapidly deployed and easily scaled, with all processes, applications and services provided “on demand,” regardless of user location or device. As a result, cloud computing gives organizations the opportunity to increase their service delivery efficiencies, streamline IT management and better align IT services with dynamic business requirements.

Both public and private cloud models are now in use. Available to anyone with Internet access, public models include Software as a Service (SaaS) clouds like IBM LotusLive™, Platform as a Service (PaaS) clouds such as IBM Computing on Demand, and Security and Data Protection as a Service (SDPaaS) clouds like the IBM Vulnerability Management Service.

Private clouds are owned and used by a single organization. They offer many of the same benefits as public clouds, and they give the owner organization greater flexibility and control.

Many organizations embrace both public and private cloud computing by integrating the two models into hybrid clouds. These hybrids are designed to meet specific business and technology requirements, helping optimize security and privacy with a minimum investment in fixed IT costs. Although the benefits of cloud computing are clear, so is the need to develop proper security for cloud implementations.

In addition to the usual challenges of developing secure IT systems, cloud computing presents an added level of risk because essential services are often outsourced to a third party. The “externalized” aspect of outsourcing makes it harder to maintain data integrity and privacy, support data and service availability and demonstrate compliance. As a result, clients must establish trust relationships with their providers and understand risk in terms of how these providers implement, deploy and manage security on their behalf. This “trust but verify” relationship between cloud service providers and clients is critical because the clients are still ultimately responsible for compliance and protection of their critical data, even if that workload has moved to the cloud.

Infrastructure sharing calls for a high degree of standardization and process automation, which can help improve security by eliminating the risk of operator error and oversight. However, the risks inherent with a massively-shared infrastructure mean that cloud computing models must still place a strong emphasis on isolation, identity and compliance. In other words, the framework of governance, risk management and compliance can be broken into five security focus areas:

• People and Identity: Address the risks associated with user access to corporate resources
• Data and Information: Understand, deploy and properly test controls for access to and usage of sensitive business data
• Application and Process: Help keep applications secure, protected from malicious or fraudulent use, and hardened against failure
• Network, Server and End Point: Optimize service availability by mitigating risks to network components
• Physical Infrastructure: Provide actionable intelligence on the desired state of physical infrastructure security and make improvements

Each focus area has its own value proposition and corresponding financial payback that must be balanced.

While cloud computing is often seen as increasing security risks and introducing new threat vectors, it also presents an exciting opportunity to improve security. Characteristics of clouds such as standardization, automation and increased visibility into the infrastructure can dramatically boost security levels. For example, the use of a defined set of cloud interfaces, along with centralized identity and access control policies, will reduce the risk of user access to unrelated resources. Running computing services in isolated domains, providing default encryption of data in motion and at rest, and controlling data through virtual storage have all become activities that can improve accountability and reduce the loss of data. In addition, automated provisioning and reclamation of hardened run-time images can reduce the attack surface and improve forensics.

For more information on how the Rise of Cloud is creating new requirements for Security please see our podcast.
Security in Industry

Industry-specific software assets that allow you to deploy business solutions with lower costs and risk:

Financial Services: Banking and Insurance companies need to manage risk more efficiently, at a lower cost through online channels including web-based applications and cloud-implemented solutions. With the ever changing environment facing financial institutions, maintaining system integrity and automating all security and compliance initiatives is imperative to keeping up with the integration of mergers and acquisitions.

Please review this case study of how a Financial Services and Banking company managed a response to security mandates.

Government: Growing concerns over government data security driven by increasing vulnerabilities and cyber security threats have agencies looking for cost-effective and efficient solutions to manage their data systems, including fulfilling various changing requirements for compliance (accessibility, etc.) and security to governing bodies.

As Government agencies are opening citizen access to new Internet-based services and establishing efficient methods for creating trusted identities, the need for stronger authentication and portal security is increasing. Greater accountability & transparency means more exposure of data vulnerabilities.

Please review the case study of how a branch of the armed forces secured the needs of the military.

Healthcare: Securing sensitive patient information and adhering to compliance mandates is an overwhelming requirement for all healthcare professionals at every level of the industry. With funding for use of Electronic Health Records (EHR), the access and security of health records is becoming a pressing issue. More reliable infrastructure management, reducing the possibility and impact of security vulnerabilities while adhering to industry regulations, is needed.

Please see the demo of Rational AppScan std edition for a full view of the AppScan Standard Edition and Express products.

Energy and Utilities: The “Smart Grid” raises privacy and safety concerns, and standards like the North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC) are driving heightened protection from cyber attack. These efforts to strengthen access and data loss are critical to the success of not only the project, but also the customers that utilize the system.

Please review the case study of an International Telecommunications Company.
Resources

Web Application Security e-Kit
IBM Rational AppScan can help you effectively design security into your products and services early in the lifecycle, in a way which is resilient to change. Download your complimentary e-Kit now. You’ll receive white papers, demos, podcasts and additional information on helping you design, deliver, and manage smarter software and services faster, in a more secure and cost-efficient manner.

Rational AppScan ROI Calculator
Automated application security analysis enables you to detect exploitable vulnerabilities to protect against the threat of cyber-attack and also significantly reduces costs associated with manual vulnerability testing. This Rational AppScan ROI calculator will help provide estimates on your ROI from implementing a web application security testing solution.

Podcasts:

“What, Why and How of Application Security”
In this podcast you can learn how application security strategy and policy can mitigate risk and thus safeguard not only your company’s informational assets but also your bottom line and brand.

“Rise of Cloud is creating new requirements for Security”
In this BizTech Reports podcast, David Grant discusses the new and elevated role application security must play to protect vital corporate interests in as efficient a manner as possible. According to IBM X-Force’s most recent research from the end of 2008, over 50% of all vulnerabilities disclosed last year were related to the application layer.

“Securing software at the source is good for Quality”
Hear from Ryan Berg, Security Architect, IBM on how to promote secure software delivery starting in QA. Learn how to ensure that security standards are met as part of your quality measures.

Whitepapers:

Ponemon Business case for Data Protection (US)
Ponemon Business case for Data Protection (UK)
The Business Case for Data Protection was conducted by Ponemon Institute and sponsored by Ounce Labs, an IBM Company. It is the first study to determine what senior executives think about the value proposition of corporate data protection efforts within their organizations.

The Right Tool for the Right Job
A range of application security tools was developed to support the efforts to secure the enterprise from the threat posed by insecure applications. This white paper examines the most common tools found in the enterprise application security environment.

Trust, but Verify
This white paper will discuss the need for addressing security concerns in outsourced applications. It will outline a framework for addressing these concerns with outsourcing partners and explore the role of source code review and related technologies to assess and certify outsourced applications.

Knowledge is Power
Your software has a lot to say about data privacy. Your software is the engine for your data, where it gets processed, transformed, and transmitted. Understanding what your software can tell you puts power in your hands.

Maintaining trust: protecting your website users from malware
This paper explores the problem of malware and how it is increasingly being delivered through legitimate websites.

Demos:

IBM’s Development and Test Enterprise Cloud Solution
IBM Smart Business Development & Test on the IBM Cloud is your gateway to the cloud. With an ever-growing list of images and functionality, you can provision, manage, and customize your instances in minutes.

Rational AppScan Standard Edition
This demo takes you through the process of scanning a web application for security vulnerabilities using Rational AppScan Standard Edition.

Case Studies:

A branch of the armed forces secured the needs of the military

A financial services and banking company managed a response to security mandates.

An International Telecommunication Company Building security into the software development life cycle with low cost and high value.

© Copyright IBM Corporation 2010

IBM Software Group
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
August 2010
All Rights Reserved

IBM, the IBM logo, ibm.com, Smarter Planet, the Smarter Planet logo, AppScan, LotusLive and Rational are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Please Recycle

ESW03001-USEN-01
