IBM Security zSecure Support invites you to thi
Subject matter experts will be available to answer your questions, which you can ask through web chat during the presentation.
You might also be interested in the latest zSecure Newsletter.
It provides currency support for:
* z/OS 2.2
It extends support for these security standards:
* Security Technical Implementation Guide (STIG) 6.24
* Payment Card Industry Data Security Standard (PCI-DSS) 3.1
It provides extended integration capabilities with:
* IBM Security QRadar SIEM
* IBM Security Identity Governance
* IBM Integrated Cryptographic Services Facility
Details can be found on the Service Management Connect - System z blog
in this blog entry by Jeroen Tiggelman.
Shahnawaz Backer has just published a ne
This new security community paper will be of interest to anyone who wants to make their web applications more secure against session hijacking attacks.
It's kind of scary to think about all the sensitive data lying around in file systems, in spreadsheets and documents of various kinds. But it's also quite likely that most organizations haven't really thought about this situation or even taken the time to assess the risk.
Guardium V10 introduces a new product offering, Activity Monitor for Files, which can help you meet compliance obligations and reduce the risks of major data breaches. It provides insight into your document and file content and usage patterns. File activity monitor lets you discover, track, and control access to sensitive files on either local or networked file systems. File activity monitor complements database activity monitoring and leverages the core platform capabilities that exist in the flagship DAM offering. Join this tech talk and you will learn:
I hope you can join us for this discussion on this newest Guardium offering on October 22nd.
In the 3Q
z/OS V2R2 was announced on July 28, 2015 with a planned availability date of September 30, 2015.
A summary of the toleration fixes that have been made available for zSecure 1.13.0, 1.13.1, 2.1.0, and 2.1.1 can be found on the Service Management Connect - System z blog.
You might also be interested in the following page that was recently added to the zSecure wiki: Samp
Securing devices and protecting content and data have been at the forefront of enterprise investments as organizations work to secure the mobile enterprise, but the same can't be said for safeguarding applications. Software applications support the most sensitive and strategically important business processes of most enterprises. Yet application security is one of the most neglected fields of cyber security.
The IBM X-Force has released the latest edition of its X-Force Threat Intelligence Quarterly and the theme in this report is "ransomware" and "the dark web." You can register and download the report for free at the download page.
In this X-Force video, the team discusses how the dark web is used to launch attacks and what your organization needs to do about it.
Generally, iOS is claimed to be secure. Each app must pass Apple’s vetting process before being published to the App Store. Additionally, the iOS framework is strict, for instance not allowing unauthorized apps to be installed on the device or any modification of the app files. This prevents malicious apps from reaching the iOS environment. However, it doesn’t prevent security vulnerabilities that stem from a valid app’s own code. The iOS Analyzer covers this gap by detecting these issues and supplying the information required to fix them.
Our solution relies on IBM’s innovative Glass Box technology, extending it to the mobile space. The Mobi
Running the iOS Analyzer
The first step to using the iOS Analyzer is to generate the IPAX file. The IPAX file contains the user application after it has been linked with the proprietary iOS Analyzer library, which allows the iOS Analyzer to monitor the application code at runtime.
To generate the IPAX file, download the IPAX Generator utility from the iOS Analyzer. You can then run the IPAX Generator from the command line, supplying the path to your Xcode project or workspace. The IPAX Generator automatically downloads the latest version of the iOS Analyzer library, then builds and packages the application with the library linked to it. The resulting IPAX file contains the built application. It is also strongly encrypted to protect your privacy.
In order to test your application, simply upload the IPAX file to the iOS Analyzer. You may supply some additional information, such as user credentials, if the application requires it.
The iOS Analyzer will then automatically crawl your app, detecting any possible security vulnerabilities. Once the scan is done, a comprehensive report will be generated, which will include details for each vulnerability, such as the description of the security issue, how and where it was found in the app code, and how to fix it.
This post submitted by:
IBM Security Team
Now that IBM Guardium data protection software has been moved into IBM Security, we have even more opportunities to deepen the integration between the deep database insights from Guardium and the big-picture point of view of the QRadar Security Intelligence Platform. Guardium has been sending events, audit data, and CVE test results to QRadar for a long time. In this talk you’ll learn more about how insights from QRadar can be sent the other way, to Guardium, to dynamically enhance and speed up Guardium’s data security capabilities.
This September 8th talk will cover the following:
37% of all security risks begin at the application layer. Software applications support the most sensitive and strategically important business processes of most enterprises. Yet application security is one of the most neglected fields of security. That puts pressure on every team in the organization—from developers, IT, and up to the CISO. Security is no longer an IT issue, it's a business issue, and developers are at the forefront.
Learn what you can do to find application vulnerabilities
David Marshak, Jason Todd, and Kris Duer from IBM Security's AppScan team (including the Lead Analytics Developer for AppScan) will be leading a webinar on moving your Static Application Security Testing to the cloud and using advanced analytics to help find risks in your applications. Here's how they describe the webinar:
"In this session we will introduce IBM Static Analyzer (now in beta) and show how it greatly simplifies static analysis (or white box) security scanning. We will discuss and demonstrate how it can easily integrate into the development lifecycle, as well as how it uses advanced analytics to produce targeted/actionable results to enable you to remediate security vulnerabilities."
This webinar will be held on Thu, Aug 13, 2015 from 12:00 PM - 1:00 PM EDT
Nilesh Patel has just published a new how-to guide on the security on developerWorks community titled "Aut
Here's the abstract:
In today's dynamic infrastructure world, every organization runs with multiple Line
I'm happy to announce we've just published Ori Pomerantz's guide to crea
Find out more about the "top suspects" in today's application security challenges and how IBM can help!
Kathryn Zeidenstein, Oded Sofer, Allon Adir, and Rosa Miroshnikov have just published a ne
Rahul Relan and Parag Gokhale have just published a ne
IBM Security Identity Manager (ISIM) virtual appliances are deployed in a cluster to provide high availability and scalability. Such deployments need a load balancer to manage workload distribution. This document describes how to configure Nginx, Apache HTTP Server, and IBM HTTP Server as load balancers for ISIM.
Securing applications – whether on the Web, on mobile, or on desktop – is more important than ever. But many developers aren’t experts in security, and most existing security testing tools aren’t made for non-experts to use. IBM Security is lowering the barriers to application security testing with its new cloud-based security analysis services.
One of those services, IBM Static Analyzer, provides a simple way to scan your application code for security vulnerabilities and is now avai
Static Application Security Testing
Static Application Security Testing, or SAST, refers to security testing that is performed without actually executing the target application. Instead, the application’s source code or binaries are analyzed to look for potential vulnerabilities, such as the use of unsafe APIs or failure to properly validate untrusted data. Static analysis is a powerful testing technique because it directly identifies the underlying causes of vulnerabilities, without actually having to exploit them in the running application. IBM recommends combining SAST with Dynamic Application Security Testing (DAST) or Interactive Application Security Testing (IAST), to maximize the effectiveness of your testing. This blog focuses solely on SAST.
Making SAST simple
Traditionally, SAST has largely been the domain of security experts, and static analysis tools have reflected that reality. Static Analyzer marks a new approach to SAST, with a focus on making things easy.
Because Static Analyzer runs on the cloud, there’s no need for dedicated hardware and no complicated installation or configuration. Static Analyzer also simplifies the entire application testing process, from preparing the application for analysis to understanding and evaluating your results. Static Analyzer is designed to get out of the way, fitting in with the development tools you already use, and to present you with only the most relevant, actionable results.
One significant challenge with traditional SAST tools is the volume of results they produce. Many of the “issues” they find don’t actually represent exploitable vulnerabilities when the application is running in the real world. It takes time, security expertise, and knowledge of the application to figure out which of those issues need fixing, and which simply represent false positives. Static Analyzer includes a new technology called Intelligent Finding Analytics, or IFA, which combs through the results and applies machine learning to identify the findings that are most likely to represent real, actionable security issues, delivering only these most valuable results directly to developers.
Prepare, test, fix
Using Static Analyzer to secure an application involves three simple steps: Prepare, test, and fix.
To prepare your application for analysis, you need to create an intermediate representation of it, which we call an IRX file. This representation is neither the full source nor binary form of the application, but contains the information about method calls and data flow that’s required by the analysis engine to perform SAST in the cloud. It is also strongly encrypted to protect your application.
To create an IRX file, you’ll use the Static Analyzer Client Utility, which you can download the first time you use the Static Analyzer service. This lightweight utility integrates into your Maven build, Eclipse workspace, or other environments (via a command-line tool) to prepare Java applications for analysis. It automatically discovers built artifacts and creates the IRX with minimal configuration – often none at all.
Testing is as simple as dragging and dropping the IRX file into the Static Analyzer Web interface to begin the analysis. When the analysis is complete, a report is generated, listing all of the actionable issues that are discovered.
For each issue, the report includes a trace showing the vulnerable path through the application and describes the nature of the vulnerability and how to fix it. It even groups together related issues with a common fix, and suggests where that fix should go.
All of this information makes it easier for developers to understand and fix the issues identified in their applications.
Try Static Analyzer beta today
Static Analyzer is available now as a free beta on Bluemix. Currently, it supports scanning Java applications, and the Client Utility runs on Windows and Linux, with additional language and platform support to come. You can see
IBM Security Services has released its 201
Over 62 percent of incidents targeted just three industries
From the report:
"The data for 2014 shows a marked departure from the trends reported for both 2012 and 2013. While the finance and insurance category remains in its top spot as the most targeted industry, the information and communications category took over second place from manufacturing. And although retail held onto fourth place in the rankings, that industry experienced 3.2 percent more incidents in 2014 than it did in the previous year (see Figure 2). That represents the largest percentage change among the four industries remaining from the previous year’s top five. As noted earlier, 2014 saw the compromise of a significant number of retail records."
About this report
Get your copy of the report
Read more about the findings and trends by downloading the