Many IBM products use the IBM Global Security Kit (GSKit) component for SSL/TLS and other cryptographic tasks. Oktawian Powązka has just published a new white paper in the security on developerWorks community that goes into detail about what you can and can't do with GSKit for FIPS and Suite B compliance. This white paper is a must-read for anyone who has to worry about compliance with these standards. http://ow.ly/vR7uT
You might also be interested in:
Encrypting Data With Confidence:
IBM published a new white paper on encrypting data at enterprise scale. Learn about encrypting mission critical data with confidence and reduce security risks across the enterprise and beyond. Download "Encrypting Data With Confidence."
Reddit AMA with IBM's Application Security Team May 13, 2015 11am ET
We're from IBM's Application Security team, and we'll be here at your disposal to answer any questions you might have. Discussion topics in this session will include cloud-based security and mobile security in the application development space, but we'll also be ready to answer other questions you may have. Join us on May 13th and help us drive the discussion!
Wei Wei Zhang, Cheng-Yu Yu and Jia Li Chen have just published a new security community white paper on how to make sure issues found with AppScan Enterprise are correctly logged and processed in Rational Team Concert. Putting these two platforms together can help ensure you have a rock-solid development process and that no issue gets left behind.
IBM Security AppScan Enterprise (ASE) can integrate with IBM Rational Team Concert (RTC) for defect tracking. This article describes how to configure ASE with RTC, how to resolve connection problems with RTC, and how to troubleshoot problems that occur when reporting a defect from ASE to RTC.
JSON Web Tokens (JWTs) are a popular option in the authentication space, but they carry an inherent risk. The flexibility of a JWT comes at a cost: once a token is issued, it cannot be revoked. To minimize the window between an administrator locking a user account and the expiry of a token issued before the lock, JWTs should be short-lived. Even so, that window, however brief by design, is a common security concern. Traditional solutions (for example, checking every request against a server-side session store) defeat the benefit of using a portable identity. Inversoft has come up with a complementary approach that addresses this issue, and Brian Pontarelli will show how to implement this JWT revocation strategy to reduce the vulnerability window.
Join Brian Pontarelli for this live coding event on Jul 27, 2017 at 2:00 PM Eastern Time (US and Canada). Brian Pontarelli is the CEO of Inversoft, a Denver-based company that lets developers offload their authentication, authorization, and user management needs. Before bootstrapping Inversoft, he studied computer engineering at the University of Colorado Boulder; after graduating, he worked at a variety of companies including Orbitz, US Freightways, XOR, and Texturemedia.
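The following Python is an added example and is not Inversoft's code or the method the talk presents. It shows the two mechanisms the paragraph above discusses: an HS256 JWT with a short lifetime, plus a per-subject revocation cutoff (a constructed in-memory dict standing in for a shared store) so that an administrator's lock rejects tokens issued before the lock even though they have not yet expired. The secret, subject names and timestamps are constructed for illustration; the verifier also pins the algorithm server-side so a forged "alg": "none" header is rejected.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, secret):
    """Mint an HS256 JWT; claims should carry sub, iat and a short-lived exp."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, secret, now, revoked_before):
    """Return (True, claims) or (False, reason).

    revoked_before maps a subject to a Unix time: any token for that subject
    issued before the cutoff is rejected even though it has not yet expired.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    # Pin the algorithm server-side; never let the token header choose it.
    if header.get("alg") != "HS256":
        return False, "alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired"
    # Revocation check: tokens issued before the subject's lock time are refused.
    cutoff = revoked_before.get(claims.get("sub"))
    if cutoff is not None and claims.get("iat", 0) < cutoff:
        return False, "revoked"
    return True, claims


def demo():
    secret = b"constructed-example-secret"  # constructed; use a random key in practice
    revoked_before = {}                      # subject -> lock time (constructed store)
    t0 = 1_700_000_000
    token = sign_jwt({"sub": "alice", "iat": t0, "exp": t0 + 300}, secret)  # 5-minute lifetime
    out = {}
    out["fresh"] = verify_jwt(token, secret, t0 + 60, revoked_before)[0]
    out["expired"] = verify_jwt(token, secret, t0 + 300, revoked_before)[1]
    revoked_before["alice"] = t0 + 120       # administrator locks alice at t0+120
    out["revoked"] = verify_jwt(token, secret, t0 + 130, revoked_before)[1]
    # A token issued after the cutoff (user re-authenticated after unlock) is accepted.
    reissued = sign_jwt({"sub": "alice", "iat": t0 + 200, "exp": t0 + 500}, secret)
    out["reissued"] = verify_jwt(reissued, secret, t0 + 210, revoked_before)[0]
    # Tampering with the payload breaks the signature; "alg": "none" is refused outright.
    header_b64, _, sig_b64 = token.split(".")
    forged_payload = _b64url(json.dumps({"sub": "admin", "iat": t0, "exp": t0 + 300}).encode())
    out["forged"] = verify_jwt(f"{header_b64}.{forged_payload}.{sig_b64}", secret, t0 + 60, revoked_before)[1]
    none_header = _b64url(b'{"alg":"none","typ":"JWT"}')
    out["alg_none"] = verify_jwt(f"{none_header}.{forged_payload}.", secret, t0 + 60, revoked_before)[1]
    return out


if __name__ == "__main__":
    print(demo())
```

The revocation store only needs one timestamp per locked subject rather than one entry per issued token, and entries can be dropped once they are older than the maximum token lifetime, which keeps the check cheap enough to run on every request without reintroducing a full session store.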
IBM plans to acquire Fiberlink Communications, a mobile management and security company, with the goal of extending IBM MobileFirst's management and security solutions by adding cloud-based mobile device management, mobile application management, mobile content management, and an enterprise application container. In the areas of BYOD, BYOID, and trusted transactions, this move creates a fuller spectrum of capabilities to address mobile user needs; IBM recently joined forces with Trusteer to strengthen its ability to secure individual transactions.
You can listen to this BlogTalkRadio podcast, recorded moments after the announcement, in which Fiberlink and IBM executives Wing To, Caleb Barlow, Phil Buckellew, and Chris Clark discuss the Fiberlink solution and how IBM will extend its bring-your-own-device capabilities to deliver a complete mobile management and security solution through IBM MobileFirst.
IBM strategist Vijay Dheap also comments on what the acquisition means for IBM's BYOD security capabilities [read blog], including a roundup of four indispensable goals IT security professionals need to address in order to secure the growing world of mobile:
Manage devices the way you want to.
Build hardened Android and iOS apps.
Apply contextual intelligence to make better access decisions.
Increase the ability to do business securely via trusted transactions.
Finally, in this 11-minute video, Phil Buckellew and Caleb Barlow take you deeper into what the acquisition means to IBM MobileFirst.
Leyla Aravopoulos, Kenneth Cheung, and William Frontiero have just published a new how-to guide that shows how to use the application import feature of AppScan Source to import a deployed application's binaries into AppScan Source for static analysis. This approach avoids the typical pitfalls of static web application scanning (build configuration, missing libraries, and so on) while improving application coverage. This how-to guide will be of interest to anyone who has faced challenges with the traditional configuration of static analysis tools.
This blog entry discusses the corresponding updates to nearly all zSecure products for all releases in standard support, and also explains where related updates can be found for other products and components, such as IMS, CICS, and JES3.
Links are provided to technotes from the RACF and zSecure teams that contain more extensive documentation.
Peter Hagelund's article "Don't let your cloud application data get breached" deserves to be read by anyone who stores potentially sensitive data in a cloud environment. In this tutorial he does a great job of showing how Bluemix and Optim provide the tools and technologies you need to build effective data privacy into your applications. Data privacy isn't something you can think about after your data has been stolen or compromised; it needs to be an integral part of your cloud application's design and architecture. Fortunately, the tools to do just that are available on the Bluemix platform.
One of the cutting-edge technologies included with the XGS appliances is the IP reputation feature, which addresses the following questions:
How can you tell whether the outside hosts that communicate over the Internet with the most critical assets inside your network are safe?
How do you evaluate all of these incoming requests?
How do you ensure that outbound connections from your network go only to trusted, known-good websites and IP addresses?
IBM's X-Force team categorizes more than 800,000 suspect IP addresses into categories such as malware hosts, spam sources, anonymous proxies, and dynamic IP addresses, along with their geographical location.
Tanmay Shah has just published a new white paper in the security on dW community that describes the IP reputation feature of the IBM Security Network Protection (XGS) appliances and some of the common use cases it addresses.
The National Institute of Standards and Technology has revised the Digital Signature Standard (DSS), which is used to authenticate the identity of the signer of an electronic document (the document is FIPS 186-4, which supersedes FIPS 186-3). According to NIST's Elaine Barker, this isn't a major revision to the technology; the update ensures that the standard remains consistent with other NIST cryptographic guidelines (for example, NIST Special Publication 800-131A, "Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths").
FIPS 186-4 specifies a suite of algorithms that can be used to generate a digital signature, which is then used to detect unauthorized modifications to data and to authenticate the identity of the signatory. A recipient of signed data can also use the digital signature as evidence in demonstrating to a third party that the signature was generated by the claimed signatory (non-repudiation).
The standard defines three methods for digital signature generation:
The Digital Signature Algorithm (DSA), specified in FIPS 186-4 itself, including criteria for the generation of domain parameters, for the generation of public and private key pairs, and for the generation and verification of digital signatures.
The RSA digital signature algorithm (specified in ANS X9.31 and PKCS #1).
The Elliptic Curve Digital Signature Algorithm (ECDSA), specified in ANS X9.62, a variant of DSA that uses elliptic curve cryptography.
The goal of this release, according to Barker, is to align the standard so that all NIST documents offer consistent guidance on the use of random number generators. The changes also allow users to save the random initial values used when searching for prime numbers, for purposes such as regenerating the values; the previous version of the standard only allowed saving these values for use as evidence that the parameters were generated properly.
We recently published "Static and dynamic testing in the software development life cycle" in the developerWorks security zone. The article surveys a range of IBM and open source security testing tools and maps them against the software development life cycle, so you can see which phase of the SDLC each one is appropriate for. Stop by and let us know your thoughts: Which tools do you rely on the most? Which ones should we add?
This tech note provides best practices for enabling DB2 native encryption in an HADR (high availability disaster recovery) environment. It also provides a simplified set of working steps, with examples, designed to minimize downtime of the database service.
Ori Pomerantz has just published a new tutorial on developerWorks describing how to incorporate Google's reCAPTCHA service into a Node.js application running on Bluemix. He shows step by step how to integrate with the Google service and provides sample code that you can download and use as a starting point for your own projects.