A new Wiki entry introduces a video by Chris Meenan of IBM Security Systems. The video provides an extensive demonstration of the IBM Security QRadar Intelligence Platform.
See below for an announcement from Kathryn Zeidenstein about some new video tutorials on InfoSphere Guardium policies
Hi community members
Back in 2011 or so the lab services team had done a LotusLive education session on policies that was very well received. I have taken the first of these presentations and broken it into 4 modules that are now hosted on the InfoSphere Guardium YouTube channel.
You can find links to all 4 of the modules on this new page on the InfoSphere Guardium community wiki. http
Here are the direct links:
Break out the popcorn!!
Have a great weekend.
Leyla Aravopoulos, Kenneth Cheung, and William Frontiero have just published a new how-to guide that shows how to use the application import feature of AppScan Source to import a deployed application's binaries into AppScan Source for static analysis. This approach avoids the typical pitfalls of static web application scanning (compilation problems, missing libraries, and so on) while improving application coverage. The guide will be of interest to anyone who has faced challenges with the traditional configuration of static analysis tools.
Arxan Technologies has post
Defending against malware: A holistic approach to one of today’s biggest IT risks
This white paper will examine the changing strategies that malware has employed in recent years, explain the typical sequence of events that occurs during an attack, and describe how an integrated defense can help keep the enterprise safe from these advanced persistent threats.
David Jarvis, senior consultant at the IBM Center for Applied Insights discusses the key guidance in IBM's report, "Cybersecurity education for the next generation."
About the report
To understand how cybersecurity academic programs throughout the world are evolving, and in the process to identify both challenges and emerging leading practices, IBM interviewed faculty members and department heads from 15 programs in six countries. Study participants were selected from over 200 programs followed by the IBM Cyber Security Innovation initiative. To fairly represent a diversity of perspectives, programs were chosen from various geographies and with varying levels of maturity.
Understanding the Need:
Nilesh Patel has just published a new how-to guide on the security on developerWorks community titled "Aut
Here's the abstract:
In today's dynamic infrastructure world, every organization runs with multiple Line
I'm happy to announce we've just published Ori Pomerantz's guide to crea
Find out more about the "top suspects" in today's application security challenges and how IBM can help!
Kathryn Zeidenstein, Oded Sofer, Allon Adir, and Rosa Miroshnikov have just published a ne
Rahul Relan and Parag Gokhale have just published a ne
IBM Security Identity Manager (ISIM) virtual appliances are deployed in a cluster to provide high availability and scalability. Such deployments need a load balancer to distribute the workload across the cluster members. This document describes how to configure Nginx, Apache HTTP Server, and IBM HTTP Server as load balancers for ISIM.
Securing applications – whether on the Web, on mobile, or on desktop – is more important than ever. But many developers aren’t experts in security, and most existing security testing tools aren’t made for non-experts to use. IBM Security is lowering the barriers to application security testing with its new cloud-based security analysis services.
One of those services, IBM Static Analyzer, provides a simple way to scan your application code for security vulnerabilities and is now avai
Static Application Security Testing
Static Application Security Testing, or SAST, refers to security testing that is performed without actually executing the target application. Instead, the application’s source code or binaries are analyzed to look for potential vulnerabilities, such as the use of unsafe APIs or failure to properly validate untrusted data. Static analysis is a powerful testing technique because it directly identifies the underlying causes of vulnerabilities, without actually having to exploit them in the running application. IBM recommends combining SAST with Dynamic Application Security Testing (DAST) or Interactive Application Security Testing (IAST), to maximize the effectiveness of your testing. This blog focuses solely on SAST.
Making SAST simple
Traditionally, SAST has largely been the domain of security experts, and static analysis tools have reflected that reality. Static Analyzer marks a new approach to SAST, with a focus on making things easy.
Because Static Analyzer runs on the cloud, there’s no need for dedicated hardware and no complicated installation or configuration. Static Analyzer also simplifies the entire application testing process, from preparing the application for analysis to understanding and evaluating your results. Static Analyzer is designed to get out of the way, fitting in with the development tools you already use, and to present you with only the most relevant, actionable results.
One significant challenge with traditional SAST tools is the volume of results they produce. Many of the “issues” they find don’t actually represent exploitable vulnerabilities when the application is running in the real world. It takes time, security expertise, and knowledge of the application to figure out which of those issues need fixing, and which simply represent false positives. Static Analyzer includes a new technology called Intelligent Finding Analytics, or IFA, which combs through the results and applies machine learning to identify the findings that are most likely to represent real, actionable security issues, delivering only these most valuable results directly to developers.
Prepare, test, fix
Using Static Analyzer to secure an application involves three simple steps: Prepare, test, and fix.
To prepare your application for analysis, you need to create an intermediate representation of it, which we call an IRX file. This representation is neither the full source nor binary form of the application, but contains the information about method calls and data flow that’s required by the analysis engine to perform SAST in the cloud. It is also strongly encrypted to protect your application.
To create an IRX file, you’ll use the Static Analyzer Client Utility, which you can download the first time you use the Static Analyzer service. This lightweight utility integrates into your Maven build, Eclipse workspace, or other environments (via a command-line tool) to prepare Java applications for analysis. It automatically discovers built artifacts and creates the IRX with minimal configuration – often none at all.
Testing is as simple as dragging and dropping the IRX file into the Static Analyzer Web interface to begin the analysis. When the analysis is complete, a report is generated, listing all of the actionable issues that are discovered.
For each issue, the report includes a trace showing the vulnerable path through the application and describes the nature of the vulnerability and how to fix it. It even groups together related issues with a common fix, and suggests where that fix should go.
All of this information makes it easier for developers to understand and fix the issues identified in their applications.
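To make concrete what the analysis engine does with the method-call and data-flow information described above, and what a source-to-sink trace in the report looks like, here is a toy taint analyzer added to this page. It is not IBM's Static Analyzer and not its rule set: it works over Python's `ast` module rather than Java artifacts, the source, sink and sanitizer lists are hypothetical, and the program it scans is a constructed sample. Like real SAST, it finds the underlying cause (untrusted data reaching a dangerous API) without running or exploiting the application.

```python
import ast

# Hypothetical rule set for this toy analyzer (an assumption, not Static Analyzer's rules).
SOURCES = {"input", "request.args.get"}                     # where untrusted data enters
SINKS = {"os.system", "subprocess.call", "cursor.execute"}  # dangerous APIs
SANITIZERS = {"shlex.quote", "int"}                         # calls that make data safe for a sink


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Flow-insensitive taint tracking over assignments and calls (one variable table for the whole module)."""

    def __init__(self):
        self.tainted = {}    # variable name -> trace: list of (lineno, description)
        self.findings = []   # one entry per tainted argument that reaches a sink

    def taint_of(self, expr):
        """Trace explaining why expr carries untrusted data, else None."""
        if isinstance(expr, ast.Name):
            return self.tainted.get(expr.id)
        if isinstance(expr, ast.BinOp):                   # e.g. "cmd " + user
            for side in (expr.left, expr.right):
                trace = self.taint_of(side)
                if trace:
                    return trace + [(expr.lineno, "string concatenation")]
            return None
        if isinstance(expr, ast.Call):
            fn = dotted_name(expr.func)
            if fn in SOURCES:
                return [(expr.lineno, f"source {fn}()")]
            if fn in SANITIZERS:
                return None                               # the flow is cut here
            for arg in expr.args:                         # taint passes through other calls
                trace = self.taint_of(arg)
                if trace:
                    return trace + [(expr.lineno, f"passed through {fn}()")]
            if isinstance(expr.func, ast.Attribute):      # e.g. user.strip()
                trace = self.taint_of(expr.func.value)
                if trace:
                    return trace + [(expr.lineno, f"method .{expr.func.attr}() on tainted value")]
        return None

    def visit_Assign(self, node):
        trace = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if trace:
                    self.tainted[target.id] = trace + [(node.lineno, f"assigned to {target.id}")]
                else:
                    self.tainted.pop(target.id, None)     # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        fn = dotted_name(node.func)
        if fn in SINKS:
            for arg in node.args:
                trace = self.taint_of(arg)
                if trace:
                    self.findings.append({"sink": fn, "line": node.lineno,
                                          "trace": trace + [(node.lineno, f"sink {fn}()")]})
        self.generic_visit(node)


def analyze(source_text):
    """Return findings for a Python module given as text."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source_text))
    return analyzer.findings


def format_report(findings):
    """Render findings as a developer-facing report: one source-to-sink trace per issue."""
    lines = []
    for f in findings:
        lines.append(f"Untrusted data reaches {f['sink']}() at line {f['line']}:")
        lines.extend(f"  line {ln}: {what}" for ln, what in f["trace"])
    return "\n".join(lines)


# Constructed sample program (not real application code): one true positive and one
# sanitized flow that must not be reported.
SAMPLE = """\
import os, shlex

def run(request):
    host = request.args.get("host")    # untrusted input
    cmd = "ping -c 1 " + host          # taint flows through concatenation
    os.system(cmd)                     # sink: OS command injection

def run_fixed(request):
    host = request.args.get("host")
    safe = shlex.quote(host)           # sanitizer cuts the flow
    os.system("ping -c 1 " + safe)
"""
```

Running `format_report(analyze(SAMPLE))` reports a single issue, the `os.system` call in `run`, with a trace from the `request.args.get` source through the assignment and concatenation to the sink; `run_fixed` produces nothing because the sanitizer breaks the flow. That trace is the information a developer needs to fix the cause rather than the symptom, and a real engine adds what this toy omits: inter-procedural flow, scoping, and a far larger rule set.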
Try Static Analyzer beta today
Static Analyzer is available now as a free beta on Bluemix. Currently, it supports scanning Java applications, and the Client Utility runs on Windows and Linux, with additional language and platform support to come. You can see
IBM Security Services has released its 201
Over 62 percent of incidents targeted just three industries
From the report:
"The data for 2014 shows a marked departure from the trends reported for both 2012 and 2013. While the finance and insurance category remains in its top spot as the most targeted industry, the information and communications category took over second place from manufacturing. And although retail held onto fourth place in the rankings, that industry experienced 3.2 percent more incidents in 2014 than it did in the previous year (see Figure 2). That represents the largest percentage change among the four industries remaining from the previous year’s top five. As noted earlier, 2014 saw the compromise of a significant number of retail records. "
About this report
Get your copy of the report
Read more about the findings and trends by downloading the
Guardium is known for its ability to integrate with a wide variety of other technologies and products. In this upcoming tech talk John Haldeman, from Information Insights, describes some recent integration work he’s been doing to support some interesting use cases. Perhaps you’ll learn something new you can try in your environment. The following integration use cases will be described:
For recordings and slides from previous tech talks, visit the Tech Talk page on the Guardium developerWorks Community
Rishi S Balaji, Bhavik H Shah, Suraj Kumar, and Sunil Lakshmana have just published a new community guide called "Dev
IBM Counter Fraud Management (ICFM) is an IBM product that provides an integrated platform for businesses that need to develop counter fraud solutions. The platform provides the components commonly required by counter fraud solutions across all industries, reducing the time and effort needed to develop them. It also provides end-to-end implementations of certain industry use cases, such as Know Your Customer, List Screening, and Anti-Money Laundering, to name a few. Developing industry solutions on the ICFM platform requires an understanding of what comes out of the box and how to use the platform features to accelerate development. This article describes these steps, from requirements gathering through design and implementation.
The target audience includes technical architects and developers who are involved in solution development using the IBM ICFM platform. The expected technical level of expertise is intermediate or above.