Security Shifts to the Application
Presenter: Aaron Clark
Uploaded by Paul Ramsey, 6 years ago

1 Security Shifts to the Application (Aaron Clark)
2 You're late to the party
3 Some found that out the hard way: Night Dragon, Sony, LizaMoon, HBGary Federal
4 Others were told they had to go: PCI, DISA STIG, HIPAA, FISMA, NERC
5 Some looked at the costs. [Chart: relative cost of a flaw by stage (Development, Test, Deployment) on a 1x / 10x / 1,000,000x scale, Functional Flaw vs. Security Flaw. Unbudgeted costs (damage to the enterprise): customer notification / care, government fines, litigation, reputational damage, brand erosion, cost to repair]
6 The exposure is greater than you think
7 Web app vulnerabilities continue to dominate: nearly half (49%) of all vulnerabilities are Web application vulnerabilities; Cross-Site Scripting and SQL injection vulnerabilities continue to dominate.
8 The Smarter Planet: our world is getting instrumented, interconnected and intelligent.
9 More justification for application security action: 89% of records breached from hacks leveraged SQL injection flaws; 79% of breached organizations subject to PCI were found to be non-compliant; 92% of compromised records were compromised using Web applications as the attack pathway. (Source: Verizon 2010 Data Breach Investigations Report)
10 Security is never first. It should never be last.
11 So, why are there problems? We code the vulnerabilities:
- Inadequate training of programmers
- Inadequate security specifications
- Inadequate security review and testing
- Lack of security management during the SDLC
- Lack of adequate technology
- Conflicting objectives
12 Compounded by software security myths:
- Network defenses provide protection
- Meets compliance == secure
- The website uses SSL, so it's secure
- Vulnerabilities in internal apps are not important
- Annual penetration tests are an adequate safety measure
- Encryption of data is an adequate safety measure
13 Security landscape: distinguishing the technologies
- Network firewalls: perimeter protection mechanisms that block traffic in real time. But websites have to be publicly available, so ports 80 and 443 are open for access, which makes network firewalls incapable of blocking application-layer attacks.
- Intrusion detection / prevention systems (IDS / IPS): also considered a perimeter protection mechanism. They monitor data flow through the network in real time. They are incapable of blocking application-layer attacks because they operate at the network level and are not application-aware.
- Application firewalls: perimeter protection, generally very effective, but difficult to configure and maintain (every time an application changes the firewall needs to be reconfigured). They can also reduce website response time and lead to lost revenue; some percentage of good traffic is inadvertently blocked too.
- Network scanners: incapable of extensive interaction with the application layer (even using the application scanners they provide), so no matter how secure an organization makes its network, it would still be vulnerable to application-level attacks.
- Database scanners: do not scan or test web applications; they focus solely on how well information is protected within the database itself.
14 So, why prioritize secure software? To protect value, to protect privacy, and to avoid the costs associated with non-compliance. Some of the impacts of attacks:
- Loss of value: sensitive data, trade secrets, intellectual property, reputational damage, market capitalization, ...
- Downtime: unavailability, disruption
- Regulatory penalties: fines, litigation, PR, notification
- Fraud
15 A framework for security
16 Application safety: protect valuable assets with multiple points of protection
- Manage secure Web applications: ongoing management and security with a suite of identity and access management solutions
- Secure code development and vulnerability management: identify vulnerabilities and malware; actionable information to correct the problems
- End-to-end Web application security: deliver security and performance in Web services and SOA; purpose-built XML and SOA solutions for security and performance
- Protect Web applications from potential attacks: block attacks that aim to exploit Web application vulnerabilities; integrate Web application security with the existing network infrastructure
17 A Path to Secure Applications [Diagram with two tracks. Application & resource protection in operation: Web Application Protection, IBM Security Identity & Access Management, IBM Security Secure Web Services, Production-Site Monitoring (Operational Risk Mgmt). Secure application development across the design, code, build and test phases: Policy & Requirements Definition, Vulnerability Assessment of Source Code, Vulnerability Assessment of Functioning Application, Final Security Audit, Deploy Application (IBM Security Services, Proactive Risk Mitigation)]
18 Smarter Security for Smarter Products. Smarter products require secure applications: security needs to be built into the development process and addressed throughout the development lifecycle. Providing security for smarter products requires comprehensive security solutions deployed in concert with application lifecycle management offerings that:
- Provide integrated testing solutions for developers, QA, security and compliance stakeholders
- Leverage multiple appropriate testing technologies (static & dynamic analysis)
- Provide effortless security that allows development to be part of the solution
- Support governance, reporting and dashboards
- Facilitate collaboration between development and security teams
19 The Application Security Challenge
What? Need to mitigate the risk of a security breach; need to find and remediate these vulnerabilities; must use a cost-effective way of doing this that makes sense.
Who? Software security represents the intersection between security and development, so the solution needs to be a joint collaboration. It starts with the security auditor (can also be outsourced); larger organizations require scaling security testing into the development organization.
20 Start to finish to start security
21 Security Testing Within the Software Lifecycle [Chart: SDLC stages Coding, Build, QA, Security, Production; "Developers" labelled across the early stages; arrow labelled "Application Security Testing Maturity"]
22 Security Testing Within the Software Lifecycle [Chart: % of issues found by stage of the SDLC (Coding, Build, QA, Security, Production). Most issues are found by security auditors prior to going live. Markers: "Agile / Waterfall threshold?" and "Application Deployed"]
23 Security Testing Within the Software Lifecycle [Chart: % of issues found by stage of the SDLC, desired profile. Markers: "Agile / Waterfall threshold?" and "Application Deployed"]
24 Cost Benefits of Early Detection (Web Application Vulnerability Assessment)
25 ROI Opportunity of Application Security Testing
- Cost avoidance of a security breach: costs of a security breach can include audit fees, legal fees, regulatory fines, lost customer revenue and brand damage. The cost to companies is $214 per compromised record**; the average cost per data breach is $7.25 million** (** Source: Ponemon Institute, Cost of a Data Breach, 2010).
- Cost savings from automated testing: automated testing provides productivity savings over manual testing. Outsourced audits can cost $10,000 to $50,000 per application. At $20,000 an app, 50 audits will cost $1M. With 1 hire + 4 quarterly outsourced audits (ex: $120,000 + $80,000), $800,000/yr can be saved (less the cost of testing software).
- Cost savings from testing early in development: testing for vulnerabilities earlier in the development process can help avoid unnecessary expense. 80% of development costs are spent identifying and correcting defects. Cost of finding and fixing problems: $80 at the code stage, $960 at QA/testing* (* Source: GBS industry standard study). Ex: with 50 applications annually and 25 issues per application, testing at the code stage saves $1.1M over testing at the QA stage.
26 Principles & Perceptions. Secure development (mis)perceptions: aligned closely with waterfall steps (design, development, delivery); process-intensive and heavyweight; requires a large number of artifacts. Agile Principle #1: "Our highest priority is to satisfy the customer through early and continuous delivery of valuable software." Secure software increases the client value: Agile focuses on customer need, and security is a customer need.
27 Automated application security testing: the dynamic (and static) duo
28 Security Testing Technologies: the combination drives greater solution accuracy. Static code analysis = whitebox: looking at the code for security issues (code-level scanning). Dynamic analysis = blackbox: sending tests to a functioning application. [Diagram: overlapping sets labelled Total Potential Security Issues, Static Analysis and Dynamic Analysis, with the overlap labelled "Greatest accuracy"]
29 Application Security Chart. There are three basic components to securing an application: the actual application source code; the infrastructure it runs on; the external components it requires. Different technologies are needed to fully map the risk.
30 Dynamic Security Analysis through Automation [Diagram: Crawl Site (altoro.com/, altoro.com/feedback.jsp, altoro.com/login.jsp, altoro.com/logout.jsp, altoro.com/editprofile.jsp) -> Fuzz with Known Attacks -> Identify Vulnerabilities: SQL Injection!]
31 Static Security Analysis through Automation

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        // Request parameters are concatenated straight into the SQL text;
        // this is the SQL injection the analysis flow below reports.
        String query = "SELECT * from tusers where "
                     + "userid='" + username + "' "
                     + "AND password='" + password + "'";
        ResultSet rs = stmt.executeQuery(query);
    }

[Diagram of the analysis pipeline: Compile & Translate -> Apply API Rules (DoPost: GetParam, Str.Append, ExecuteQuery) -> Apply Vulnerability Rules (GetParam -> Str.Append -> ExecuteQuery) -> SQL Injection!]
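To show why the query on this slide is flagged and what the remediated form looks like, here is an added example in Python (not code from the presentation or from AppScan) that reproduces the concatenated login query against a constructed in-memory SQLite table named `tusers`, beside the same lookup written with bound parameters. The table contents, the helper names and the inputs are all assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the slide's tusers table (example data only).
    A real system would store a password hash and compare it in application code,
    not carry the password in the SQL text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tusers (userid TEXT, password TEXT)")
    conn.execute("INSERT INTO tusers VALUES ('alice', 'secret')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Mirrors the slide's doPost: user input is pasted into the SQL text, so any
    quote character in the input changes the structure of the statement."""
    query = ("SELECT * FROM tusers WHERE userid='" + username + "' "
             + "AND password='" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_param(conn, username, password):
    """Hardened form: the SQL text is fixed and the inputs are bound as parameters,
    so they are only ever compared as data, whatever characters they contain."""
    query = "SELECT * FROM tusers WHERE userid=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def concat_is_fragile(conn, username):
    """True when the concatenated query cannot even be parsed for this input,
    which already happens for a legitimate name containing an apostrophe."""
    try:
        login_concat(conn, username, "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("param, valid credentials:", login_param(db, "alice", "secret"))
    print("concat, quote and comment marker in username:",
          login_concat(db, "alice' --", "wrong"))
    print("param, same input:", login_param(db, "alice' --", "wrong"))
    print("concat breaks on o'brien:", concat_is_fragile(db, "o'brien"))
```

The contrast a static analyzer is looking for is in `login_concat` versus `login_param`: the first carries `getParameter`-style data through string building into `execute`, the second passes it as a parameter tuple, which is the pattern a remediation rule would recognise as safe.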
32 Complementary Security Assessment
Static:
- Findings directly tied to their locations in the source
- Test earlier in the lifecycle
- Test sub-components of an application
- Easier automation, fast scanning
- Non-web applications, infrastructure, middleware
- All control flows; illuminate architecture and logic
- Consistent automation
Dynamic:
- Simpler configuration; no cross-domain requirement; lower learning curve
- Findings include attack vectors
- Captures dynamic activity (Spring, Struts, CAB)
- Scan unsupported source languages and 3rd-party applications (no source)
- Find configuration vulnerabilities
- Smaller finding sets
33 The combined result
34 IBM Rational AppScan: Comprehensive Application Vulnerability Management [Diagram: lifecycle stages and the activity at each. Security Requirements: security requirements defined before design & implementation. Code: build security testing into the IDE. Build: automate security / compliance testing in the build process. QA: security / compliance testing incorporated into testing & remediation workflows. Pre-Prod: security & compliance testing, oversight, control, policy, audits. Production: outsourced testing for security audits & production site monitoring. Products placed along the stages: Security Requirements Definition, AppScan Source, AppScan Build, AppScan Tester, AppScan Standard, AppScan Enterprise, AppScan OnDemand. Application Security Best Practices & Education spans all stages. Legend: Dynamic Analysis/Blackbox, Static Analysis/Whitebox]
35 AppScan Source Edition Workflow [Diagram: Configure (AppScan Source for Security, Automation, or Developer) -> Scan (AppScan Source for Security) -> Triage (AppScan Source for Security) -> Assign (AppScan Source for Security) -> Remediate (AppScan Source for Security or AppScan Source for Remediation) -> Monitor (AppScan Reporting)]
36 What's the first step?
37 Application Security Maturity (IBM Internal Use Only) [IBM Security Solutions Model: stages plotted as security assessment coverage over time. Unaware: doing nothing. Corrective: external tests on production applications and security-team-centric testing. Bolt On: improve security testing coverage; security testing before deployment; development and QA teams join the security team. Built In: fully integrated system security; improve collaboration on security issues; improve compliance and management reporting; assure a secure SDLC]
38 Security maturity: Corrective [Chart: % of issues found by stage of the SDLC (Coding, Build, QA, Security, Production); only a 3rd-party pen test, at the Production stage. Markers: "Agile / Waterfall threshold?" and "Application Deployed"]
39 Security maturity: Bolt-On [Chart: % of issues found by stage of the SDLC; activities: manual code review, automated code scan, automated pen test and manual pen test before deployment, 3rd-party pen test in Production. Markers: "Agile / Waterfall threshold?" and "Application Deployed"]
40 Security maturity: Built-In [Chart: % of issues found by stage of the SDLC; manual code review, automated code scan and automated pen test repeated across the Coding, Build and QA stages, manual pen tests at the Security stage, 3rd-party pen test in Production. Markers: "Agile / Waterfall threshold?" and "Application Deployed"]
41 Security maturity: what works [Chart: % of issues found by stage of the SDLC; automated code scans in the early stages, automated pen test and manual code review in QA, automated pen test, automated code scan and manual pen test at the Security stage, 3rd-party pen test in Production. Markers: "Agile / Waterfall threshold?" and "Application Deployed"]
42 Patrick Vandenberg, IBM Rational Security; Ben Mayrides, Cigital
43 Legal Disclaimer. IBM Corporation. All Rights Reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM's current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. If the text contains performance statistics or references to benchmarks, insert the following language; otherwise delete: Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment.
The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here. If the text includes any customer examples, please confirm we have prior written approval from such customer and insert the following language; otherwise delete: All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Please review text for proper trademark attribution of IBM products. At first use, each product name must be the full name and include appropriate trademark symbols (e.g., IBM Lotus Sametime Unyte ). Subsequent references can drop IBM but should include the proper branding (e.g., Lotus Sametime Gateway, or WebSphere Application Server). Please refer to for guidance on which trademarks require the or symbol. Do not use abbreviations for IBM product names in your presentation. All product names must be used as adjectives rather than nouns. Please list all of the trademarks that you use in your presentation as follows; delete any not included in your presentation. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both. 
If you reference Adobe in the text, please mark the first use and include the following; otherwise delete: Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. If you reference Java in the text, please mark the first use and include the following; otherwise delete: Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. If you reference Microsoft and/or Windows in the text, please mark the first use and include the following, as applicable; otherwise delete: Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. If you reference Intel and/or any of the following Intel products in the text, please mark the first use and include those that you use as follows; otherwise delete: Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. If you reference UNIX in the text, please mark the first use and include the following; otherwise delete: UNIX is a registered trademark of The Open Group in the United States and other countries. If you reference Linux in your presentation, please mark the first use and include the following; otherwise delete: Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. 
If the text/graphics include screenshots, no actual IBM employee names may be used (even your own), if your screenshots include fictitious company names (e.g., Renovations, Zeta Bank, Acme) please update and insert the following; otherwise delete: All references to [insert fictitious company name] refer to a fictitious company and are used for illustration purposes only.
44 Try the new Rational AppScan ROI calculator. Use the ROI calculator on a Web application testing solution and discover how you can: automate application security analysis; detect exploitable vulnerabilities, protecting against the threat of cyber-attack; reduce the costs associated with manual vulnerability testing. Visit our Rational Application & Security website and get the newest updates.
45 Free trial download of IBM Rational AppScan software. Protect against the threat of attacks and data breaches with Rational AppScan. IBM Rational application security software helps IT and security professionals protect against the threat of attacks and data breaches. If you use applications to collect or exchange sensitive or personal data, your job as a security professional is harder now than ever before. Download it now at no charge!
46 Improvement Between Application Testing Cycles: a significant decline in the likelihood of finding application vulnerabilities in a retest; in many cases this reduction is more than half that of the original. This demonstrates the importance of testing applications, but also of follow-up and mitigation. Note: the charts show which vulnerabilities were 50% or more likely to appear in a Web assessment for each industry.
48 False Positives
Most of the time they are not actually false positives. These "false false positives" are one of two things:
- Sources the business doesn't care about (getProperty is far too common an example)
- Data flows that are validated by validators that haven't been marked up
There are cases where false positives are a problem; 9 out of 10 of these occur because we can't set a rule for the validation:
- Set in a config file (servlet validators, Struts validators, etc.)
- Validators declared with annotations (aspect-oriented coding does this)
- Validators that occur before one of our Source rules is triggered
- Microsoft built-in validation (this one is more of a false false positive)
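The static analysis flow on slide 31 (source rule -> propagation -> sink rule) and the "false false positives" on this slide are two sides of the same mechanism: a finding is the path of calls from a source to a sink, and it disappears only when a rule tells the analyzer that a call is a sanitizer or that a source is out of scope. The following toy taint analyzer is an added example written for this page; it is not AppScan's engine, and its linear statement IR, rule names (`getParameter`, `getProperty`, `executeQuery`, `validateUserId`, `concat`) and the three sample programs are all constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Stmt:
    """One statement in a tiny linear IR: target = call(*args)."""
    target: str
    call: str
    args: tuple = ()


@dataclass(frozen=True)
class Rules:
    sources: frozenset     # APIs whose return value is attacker-controlled
    sinks: frozenset       # APIs that must never receive tainted data
    sanitizers: frozenset  # validators whose return value is considered clean


def default_rules():
    # Hypothetical rule set; getProperty is a source here to reproduce the
    # slide's "source the business doesn't care about" case.
    return Rules(frozenset({"getParameter", "getProperty"}),
                 frozenset({"executeQuery"}),
                 frozenset())


def with_sanitizer(rules, name):
    """Mark a validator up so its output is treated as clean."""
    return replace(rules, sanitizers=rules.sanitizers | {name})


def without_source(rules, name):
    """Drop a source the business does not care about."""
    return replace(rules, sources=rules.sources - {name})


def analyze(program, rules):
    """Forward taint propagation over the IR. Returns (sink, path) findings,
    where path is the chain of calls that carried a source's value to the sink."""
    taint = {}  # variable -> path of calls that brought taint into it
    findings = []
    for s in program:
        paths = [taint[a] for a in s.args if a in taint]
        if s.call in rules.sinks and paths:
            findings.append((s.call, paths[0] + [s.call]))
        if s.call in rules.sources:
            new = [s.call]
        elif s.call in rules.sanitizers:
            new = None                    # marked-up validator: output is clean
        elif paths:
            new = paths[0] + [s.call]     # unknown call: conservatively pass taint on
        else:
            new = None
        if s.target:
            if new is None:
                taint.pop(s.target, None)
            else:
                taint[s.target] = new
    return findings


# The slide's doPost, reduced to the calls the "Apply API Rules" stage keeps.
SLIDE_DOPOST = [
    Stmt("username", "getParameter", ("request",)),
    Stmt("password", "getParameter", ("request",)),
    Stmt("query", "concat", ("username", "password")),
    Stmt("rs", "executeQuery", ("query",)),
]

# Constructed variant: the input passes through a validator the tool has no rule for.
VALIDATED = [
    Stmt("raw", "getParameter", ("request",)),
    Stmt("username", "validateUserId", ("raw",)),
    Stmt("query", "concat", ("username",)),
    Stmt("rs", "executeQuery", ("query",)),
]

# Constructed variant: the value comes from a deployment property, not a request.
PROPERTY_FLOW = [
    Stmt("region", "getProperty", ("config",)),
    Stmt("query", "concat", ("region",)),
    Stmt("rs", "executeQuery", ("query",)),
]


def describe(findings):
    return [" -> ".join(path) + "  (reaches sink " + sink + ")" for sink, path in findings]


if __name__ == "__main__":
    rules = default_rules()
    print(describe(analyze(SLIDE_DOPOST, rules)))
    print(describe(analyze(VALIDATED, rules)))  # still flagged: validator not marked up
    print(describe(analyze(VALIDATED, with_sanitizer(rules, "validateUserId"))))
    print(describe(analyze(PROPERTY_FLOW, without_source(rules, "getProperty"))))
```

Running it shows the three situations the slide describes: the doPost flow is a true positive; the validated flow is reported until `validateUserId` is added as a sanitizer, which is exactly what cannot be done when the validation lives in a config file or annotation the analyzer never sees; and the property flow is a finding only as long as `getProperty` remains in the source set.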
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationThe SANS Institute Top 20 Critical Security Controls. Compliance Guide
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
More informationHow Smarter Systems Deliver Smarter Economics and Optimized Business Continuity
9-November-2010 Singapore How Smarter Systems Deliver Smarter Economics and Optimized Business Continuity Shiva Anand Neiker Storage Sales Leader STG ASEAN How Smarter Systems Deliver Smarter Economics
More informationDATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI
DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI EXECUTIVE SUMMARY The shortage of cybersecurity skills Organizations continue to face a shortage of IT skill
More informationLawson M3 7.1 Large User Scaling on System i
Lawson M3 7.1 Large User Scaling on System i IBM System i Paul Swenson paulswen@us.ibm.com System i ERP, Lawson Team Version Date: November 15 2007 Statement of Approval... 3 Introduction... 4 Benchmark
More informationHello, and welcome to a searchsecurity.com. podcast: How Security is Well Suited for Agile Development.
[ MUSIC ] Hello, and welcome to a searchsecurity.com podcast: How Security is Well Suited for Agile Development. My name is Kyle Leroy, and I'll be moderating this podcast. I'd like to start by introducing
More informationRisk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23
Risk: Security s New Compliance Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23 Agenda Market Dynamics Organizational Challenges Risk: Security s New Compliance
More informationPractical Guide to Securing the SDLC
Practical Guide to Securing the SDLC Branko Ninkovic Dragonfly Technologies Founder Agenda Understanding the Threats Software versus Security Goals Secure Coding and Testing A Proactive Approach to Secure
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More informationDefense in Depth Security in the Enterprise
Defense in Depth Security in the Enterprise Mike Mulville SAIC Cyber Chief Technology Officer MulvilleM@saic.com Agenda The enterprise challenge - threat; vectors; and risk Traditional data protection
More informationTechnology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited
Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry
More informationA Strategic Approach to Web Application Security
A STRATEGIC APPROACH TO WEB APP SECURITY WHITE PAPER A Strategic Approach to Web Application Security Extending security across the entire software development lifecycle The problem: websites are the new
More informationData Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle
Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government
More informationIBM Multi-Factor Authentication in a Linux on IBM Z environment - Example with z/os MFA infrastructure
IBM Multi-Factor Authentication in a Linux on IBM Z environment - Example with z/os MFA infrastructure Dr. Manfred Gnirss IBM Client Center, Boeblingen 21.3.2018 2 Trademarks The following are trademarks
More informationCredit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank
Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank Introduction The 6,331 credit unions in the United States face a unique challenge when it comes to cybersecurity.
More informationAn ICS Whitepaper Choosing the Right Security Assessment
Security Assessment Navigating the various types of Security Assessments and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding the available
More informationIBM Rational Application Developer for WebSphere Software, Version 7.0
Visual application development for J2EE, Web, Web services and portal applications IBM Rational Application Developer for WebSphere Software, Version 7.0 Enables installation of only the features you need
More informationNERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS
NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements
More informationCOMPLIANCE AUTOMATION BRIDGING THE GAP BETWEEN DEVELOPMENT AND INFORMATION SECURITY
COMPLIANCE AUTOMATION BRIDGING THE GAP BETWEEN DEVELOPMENT AND INFORMATION SECURITY Published January, 2018 : BRIDGING THE GAP BETWEEN DEVELOPMENT AND INFORMATION SECURITY Speed is nothing without control.
More informationSecuring Your Most Sensitive Data
Software-Defined Access Securing Your Most Sensitive Data Company Overview Digital Growth Means Digital Threats Digital technologies offer organizations unprecedented opportunities to innovate their way
More informationBest Practices in Securing a Multicloud World
Best Practices in Securing a Multicloud World Actions to take now to protect data, applications, and workloads We live in a multicloud world. A world where a multitude of offerings from Cloud Service Providers
More informationApplication Security at Scale
Jake Marcinko Standards Manager, PCI Security Standards Council Jeff Williams CTO, Contrast Security Application Security at Scale AppSec at Scale Delivering Timely Security Solutions / Services to Meet
More informationRelease Notes. IBM Tivoli Identity Manager Rational ClearQuest Adapter for TDI 7.0. Version First Edition (January 15, 2011)
IBM Tivoli Identity Manager for TDI 7.0 Version 5.1.1 First Edition (January 15, 2011) This edition applies to version 5.1 of Tivoli Identity Manager and to all subsequent releases and modifications until
More informationExtending the liberty profile
Extending the liberty profile Dr Alex Mulholland, Senior Technical Staff Member IBM 1644 2013 IBM Corporation Content Overview of product extensions what, where, why? Features What they are Creating a
More informationSIEM: Five Requirements that Solve the Bigger Business Issues
SIEM: Five Requirements that Solve the Bigger Business Issues After more than a decade functioning in production environments, security information and event management (SIEM) solutions are now considered
More informationSecure Application Development. OWASP September 28, The OWASP Foundation
Secure Application Development September 28, 2011 Rohini Sulatycki Senior Security Consultant Trustwave rsulatycki@trustwave.com Copyright The Foundation Permission is granted to copy, distribute and/or
More informationIBM Security Network Protection Solutions
Systems IBM Security IBM Security Network Protection Solutions Pre-emptive protection to keep you Ahead of the Threat Tanmay Shah Product Lead Network Protection Appliances IBM Security Systems 1 IBM Security
More informationV6R1 System i Navigator: What s New
Agenda Key: Session Number: V6R1 System i Navigator: What s New Tim Kramer - timkram@us.ibm.com System i Navigator web enablement 8 Copyright IBM Corporation, 2008. All Rights Reserved. This publication
More informationExtending the value of your current collaboration investments now and in the future
Extending the value of your current collaboration investments now and in the future Simon Lee ASEAN Lotus Technical Manager 2007 IBM Corporation IBM Lotus collaboration product strategy Rich client Microsoft
More informationContinuously Discover and Eliminate Security Risk in Production Apps
White Paper Security Continuously Discover and Eliminate Security Risk in Production Apps Table of Contents page Continuously Discover and Eliminate Security Risk in Production Apps... 1 Continuous Application
More informationSOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)
SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP) Adaptive Cybersecurity at the Speed of Your Business Attackers Evolve. Risk is in Constant Fluctuation. Security is a Never-ending Cycle.
More informationChoosing the Right Security Assessment
A Red Team Whitepaper Choosing the Right Security Navigating the various types of Security s and selecting an IT security service provider can be a daunting task; however, it does not have to be. Understanding
More informationWebSphere Commerce Developer Professional
Software Product Compatibility Reports Product WebSphere Commerce Developer Professional 8.0.1+ Contents Included in this report Operating systems Glossary Disclaimers Report data as of 2018-03-15 02:04:22
More informationSecurity and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /
Security and Compliance Powered by the Cloud Ben Friedman / Strategic Accounts Director / bf@alertlogic.com Founded: 2002 Headquarters: Ownership: Houston, TX Privately Held Customers: 1,200 + Employees:
More informationImproving Security in the Application Development Life-cycle
Improving Security in the Application Development Life-cycle Migchiel de Jong Software Security Engineer mdejong@fortifysoftware.com March 9, 2006 General contact: Jurgen Teulings, 06-30072736 jteulings@fortifysoftware.com
More informationCyber Security Incident Response Fighting Fire with Fire
Cyber Security Incident Response Fighting Fire with Fire Arun Perinkolam, Senior Manager Deloitte & Touche LLP Professional Techniques T21 CRISC CGEIT CISM CISA AGENDA Companies like yours What is the
More informationIBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.
IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats. Enhancing cost to serve and pricing maturity Keeping up with quickly evolving ` Internet threats
More informationWhat's New in IBM Notes 9.0 Social Edition IBM Corporation
What's New in IBM Notes 9.0 Social Edition IBM Client Strategy The flexible and comprehensive collaboration solution the client the server Universal access Remain productive regardless of location Browser
More informationLab DSE Designing User Experience Concepts in Multi-Stream Configuration Management
Lab DSE-5063 Designing User Experience Concepts in Multi-Stream Configuration Management February 2015 Please Note IBM s statements regarding its plans, directions, and intent are subject to change or
More informationmhealth SECURITY: STATS AND SOLUTIONS
mhealth SECURITY: STATS AND SOLUTIONS www.eset.com WHAT IS mhealth? mhealth (also written as m-health) is an abbreviation for mobile health, a term used for the practice of medicine and public health supported
More informationSecurity and Privacy Governance Program Guidelines
Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by
More informationPonemon Institute s 2018 Cost of a Data Breach Study
Ponemon Institute s 2018 Cost of a Data Breach Study September 18, 2018 1 IBM Security Speakers Deborah Snyder CISO State of New York Dr. Larry Ponemon Chairman and Founder Ponemon Institute Megan Powell
More informationWhat are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards
PCI DSS What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards Definition: A multifaceted security standard that includes requirements for security management, policies, procedures,
More informationImperva Incapsula Website Security
Imperva Incapsula Website Security DA T A SH E E T Application Security from the Cloud Imperva Incapsula cloud-based website security solution features the industry s leading WAF technology, as well as
More informationPT Unified Application Security Enforcement. ptsecurity.com
PT Unified Application Security Enforcement ptsecurity.com Positive Technologies: Ongoing research for the best solutions Penetration Testing ICS/SCADA Security Assessment Over 700 employees globally Over
More informationExam4Tests. Latest exam questions & answers help you to pass IT exam test easily
Exam4Tests http://www.exam4tests.com Latest exam questions & answers help you to pass IT exam test easily Exam : CISM Title : Certified Information Security Manager Vendor : ISACA Version : DEMO 1 / 10
More informationIBM SmartCloud Engage Security
White Paper March 2012 IBM SmartCloud Engage Security 2 IBM SmartCloud Engage Security Contents 3 Introduction 3 Security-rich Infrastructure 4 Policy Enforcement Points Provide Application Security 7
More informationVulnerability Management
Vulnerability Management Modern Vulnerability Management The IT landscape today is changing and because of that, vulnerability management needs to change too. IT environments today are filled with both
More informationAUDIT REPORT. Network Assessment Audit Audit Opinion: Needs Improvement. Date: December 15, Report Number: 2014-IT-03
AUDIT REPORT Network Assessment Audit Audit Opinion: Needs Improvement Date: December 15, 2014 Report Number: 2014-IT-03 Table of Contents: Page Executive Summary Background 1 Audit Objectives and Scope
More informationWORKSHARE SECURITY OVERVIEW
WORKSHARE SECURITY OVERVIEW April 2016 COMPANY INFORMATION Workshare Security Overview Workshare Ltd. (UK) 20 Fashion Street London E1 6PX UK Workshare Website: www.workshare.com Workshare Inc. (USA) 625
More informationIBM SPSS Text Analytics for Surveys
Software Product Compatibility Reports Product IBM SPSS Text Analytics for Surveys 4.0.1.0 Contents Included in this report Operating systems Hypervisors (No hypervisors specified for this product) Prerequisites
More informationRelease Notes. IBM Tivoli Identity Manager Universal Provisioning Adapter. Version First Edition (June 14, 2010)
IBM Tivoli Identity Manager Version 5.1.2 First Edition (June 14, 2010) This edition applies to version 5.1 of Tivoli Identity Manager and to all subsequent releases and modifications until otherwise indicated
More information