On February 16, 2016 IBM announced authentication enhancements for z Systems, including a new product IBM Multi-Factor Authentication for z/OS (5655-162), with a planned availability date of March 25, 2016.
IBM z/OS Security Server Resource Access Control Facility (RACF) provided enabling infrastructure updates for z/OS V2R1 and V2R2.
IBM Security zSecure suite provided supporting updates for zSecure 2.1, 2.1.1, and 2.2.
Multi-Factor Authentication raises the level of assurance of mission-critical systems by requiring authentication with multiple factors during the logon process.
Each authentication factor must be from a separate category of credential types:
1) Something you know (e.g. a password or PIN code),
2) Something you have (e.g. an ID badge or a cryptographic key),
3) Something you are (e.g. a fingerprint or other biometric data).
More details are available in this blog entry by Jeroen Tiggelman on the Service Management Connect - System z blog.
IBM provides advance notification of End Of Support (EOS) dates allowing customers reasonable time to complete software upgrades or to refresh appliance products. To view upcoming EOS dates by product segment, click a link in the list below.
Q: What are the major Support Lifecycle milestones?
A: The major Support Lifecycle milestones are:
General availability (GA) - Refers to the date that a new version or release of the product is available to all users. A product version/release is not published to the Support Lifecycle web site until the GA date.
End of Marketing (EOM) - Refers to the effective date on which a version/release (and associated part number) ceases to be available and can no longer be ordered via standard price lists.
End of Support (EOS) - Refers to the last date on which IBM will deliver standard technical support for a given version/release of a product.
End of Life (EOL) - Refers to the effective date on which a Software product, an Appliance or a Hardware platform reaches the end of its useful life.
Q: How do you determine if your installed software is still supported?
A: Often, there is a newer version of the software available for download. In most cases, you’ll have sufficient time to plan for and install the latest version. For more information on the lifecycle stages, including EOS, view this short YouTube video on the IBM Product Lifecycle and EOS.
Q: What is the standard version format for IBM Software products?
A: The full product version is expressed by a four-digit code known as the IBM Version, Release, Modification and Fix Level structure, or VRMF. View this Technote for additional information and description of each element. You may also find this Glossary of product support and maintenance terms helpful.
Q: Where can you view additional details on product updates or replacement information?
A: Using the Support Lifecycle Search, search for your product, select View for details and click the EOS announcement link to view Replacement program information.
Q: What are your options if you are unable to upgrade or refresh your current products before EOS?
A: You can request a Support Extension. Support Extensions are available for Customers who are unable to migrate to a supported version, release or appliance platform prior to EOS. For more information, visit the IBM Security - Extended Support page.
Q: How do you stay connected for future product announcements?
A: There are several ways to receive product announcements:
The IBM Support Lifecycle Policy sets forth the minimum length of time IBM will provide security content and technical support for a product version and release. Click the applicable product segment link below to view the Support Lifecycle Policy.
IBM Security Network Protection - under revision - stay tuned
We've just posted a new article on developerWorks, "IBM Security XGS and network access control," to provide a functional overview of the new IBM XGS 5100 appliance and describe its capabilities for implementing network access control policies. This is a great way to get the facts and figures about IBM's next-generation intrusion prevention appliance.
How much does a data breach cost your company? That's one of the toughest questions an IT security professional can be asked. The effects of a data breach are potentially catastrophic for a company, but it's a difficult task to quantify the risk.
That's why IBM has sponsored the Ponemon Institute's 2014 Study on the Cost of Data Breaches. This far-reaching study draws on 1690 interviews across 10 countries and 16 sectors, and it is based on the actual experiences of companies rather than theoretical could-have-happened discussions.
The Ponemon Institute has released both a global report and 10 country specific reports:
One of the most eye-popping charts in the report analyzes the reported data to show the clear relationship between the size of the breach and its cost. Keep in mind that this is not some hypothetical computer model: it is a regression based on the actual interviews and their reported data.
The 2014 Ponemon Cost Of Data Breach study is must reading for anyone needing to build a business case for protecting against data breaches.
I'm proud to announce we've just published "Fight against SQL Injection Attacks" on developerWorks. The first part of this article walks you through how an attacker approaches an SQL injection attack so you can truly understand the nature of the attack. The second part of the article explains how to download and set up the trial version of AppScan Standard so you can scan for SQL injection and other types of vulnerabilities.
Craig Knapik has just published a handy guide to XGS and QRadar integration on the Security on dW community. Craig lays out a detailed, down-to-the-packet-level description of the four integration points between XGS and QRadar. This is a must-read for anyone who wants to get the most out of IBM's network protection technologies.
Securing applications – whether on the Web, on mobile, or on desktop – is more important than ever. But many developers aren’t experts in security, and most existing security testing tools aren’t made for non-experts to use. IBM Security is lowering the barriers to application security testing with its new cloud-based security analysis services.
One of those services, IBM Static Analyzer, provides a simple way to scan your application code for security vulnerabilities and is now available as a free beta on IBM Bluemix.
Static Application Security Testing
Static Application Security Testing, or SAST, refers to security testing that is performed without actually executing the target application. Instead, the application’s source code or binaries are analyzed to look for potential vulnerabilities, such as the use of unsafe APIs or failure to properly validate untrusted data. Static analysis is a powerful testing technique because it directly identifies the underlying causes of vulnerabilities, without actually having to exploit them in the running application. IBM recommends combining SAST with Dynamic Application Security Testing (DAST) or Interactive Application Security Testing (IAST), to maximize the effectiveness of your testing. This blog focuses solely on SAST.
Making SAST simple
Traditionally, SAST has largely been the domain of security experts, and static analysis tools have reflected that reality. Static Analyzer marks a new approach to SAST, with a focus on making things easy.
Because Static Analyzer runs on the cloud, there’s no need for dedicated hardware and no complicated installation or configuration. Static Analyzer also simplifies the entire application testing process, from preparing the application for analysis to understanding and evaluating your results. Static Analyzer is designed to get out of the way, fitting in with the development tools you already use, and to present you with only the most relevant, actionable results.
One significant challenge with traditional SAST tools is the volume of results they produce. Many of the “issues” they find don’t actually represent exploitable vulnerabilities when the application is running in the real world. It takes time, security expertise, and knowledge of the application to figure out which of those issues need fixing, and which simply represent false positives. Static Analyzer includes a new technology called Intelligent Finding Analytics, or IFA, which combs through the results and applies machine learning to identify the findings that are most likely to represent real, actionable security issues, delivering only these most valuable results directly to developers.
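To make concrete what "analyzing source code for unsafe APIs and unvalidated untrusted data" means in practice, here is an added example of a toy static taint analyzer written for this page; it is not code from the original post and has nothing to do with the internals of IBM Static Analyzer or its IFA technology. It walks a Python program's syntax tree without executing it, marks variables assigned from assumed untrusted sources (`input()`, `request.args.get`), clears taint when a value passes through an assumed sanitizer (`shlex.quote`, `int`), and reports every dangerous sink (`os.system`, `cursor.execute`, `eval`) that receives tainted data. The sample program it scans is constructed for the example.

```python
"""Minimal intra-procedural taint analysis over Python source: a toy SAST.

Sources, sinks and sanitizers below are assumptions chosen for the example,
not a real tool's rule set.
"""
import ast
from typing import List, Set, Tuple

SOURCES = {"input", "request.args.get", "request.form.get"}   # untrusted data enters here
SINKS = {"os.system", "subprocess.call", "eval", "cursor.execute"}  # dangerous when fed it
SANITIZERS = {"shlex.quote", "int"}                             # result treated as safe


def dotted_name(node: ast.AST) -> str:
    """Render `a.b.c` for Name/Attribute chains, else ''."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


class TaintAnalyzer(ast.NodeVisitor):
    def __init__(self) -> None:
        self.tainted: Set[str] = set()
        self.findings: List[Tuple[int, str, str]] = []   # (line, sink, tainted expression)

    def is_tainted(self, node: ast.AST) -> bool:
        """Taint flows through names, concatenation, f-strings, .format() and any
        call with a tainted argument, unless the call is a sanitizer."""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False
            if isinstance(node.func, ast.Attribute) and self.is_tainted(node.func.value):
                return True   # e.g. tainted_string.format(...)
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):
            return any(isinstance(v, ast.FormattedValue) and self.is_tainted(v.value)
                       for v in node.values)
        return False

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self.tainted = set()          # fresh taint state for each function body
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # reassigned to a clean value
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        sink = dotted_name(node.func)
        if sink in SINKS:
            for arg in node.args:
                if self.is_tainted(arg):
                    self.findings.append((node.lineno, sink, ast.unparse(arg)))
        self.generic_visit(node)


def analyze(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, sink, expression) for each untrusted-to-sink flow found."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample program under test; the analyzer never executes it.
SAMPLE = '''
import os, shlex, subprocess

def ping(request):
    host = request.args.get("host")
    os.system("ping -c 1 " + host)            # finding: untrusted -> os.system
    safe = shlex.quote(host)
    os.system("ping -c 1 " + safe)            # sanitized, no finding

def lookup(request, cursor):
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM t WHERE id=%d" % uid)    # int() sanitizes
    name = request.form.get("name")
    cursor.execute(f"SELECT * FROM t WHERE name='{name}'") # finding
'''

if __name__ == "__main__":
    for line, sink, expr in analyze(SAMPLE):
        print(f"line {line}: untrusted data reaches {sink}({expr})")
```

Each finding names the sink and the expression carrying the taint, which is the "underlying cause" a developer fixes (add a sanitizer or a parameterized query) rather than a symptom observed at runtime. The analysis is deliberately simple: it does not follow data across function calls or through containers, which is exactly the kind of gap that produces the false positives and negatives the post discusses.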
Prepare, test, fix
Using Static Analyzer to secure an application involves three simple steps: Prepare, test, and fix.
To prepare your application for analysis, you need to create an intermediate representation of it, which we call an IRX file. This representation is neither the full source nor binary form of the application, but contains the information about method calls and data flow that’s required by the analysis engine to perform SAST in the cloud. It is also strongly encrypted to protect your application.
To create an IRX file, you’ll use the Static Analyzer Client Utility, which you can download the first time you use the Static Analyzer service. This lightweight utility integrates into your Maven build, Eclipse workspace, or other environments (via a command-line tool) to prepare Java applications for analysis. It automatically discovers built artifacts and creates the IRX with minimal configuration – often none at all.
Testing is as simple as dragging and dropping the IRX file into the Static Analyzer Web interface to begin the analysis. When the analysis is complete, a report is generated, listing all of the actionable issues that are discovered.
For each issue, the report includes a trace showing the vulnerable path through the application and describes the nature of the vulnerability and how to fix it. It even groups together related issues with a common fix, and suggests where that fix should go.
All of this information makes it easier for developers to understand and fix the issues identified in their applications.
Try Static Analyzer beta today
Static Analyzer is available now as a free beta on Bluemix. Currently, it supports scanning Java applications, and the Client Utility runs on Windows and Linux, with additional language and platform support to come. You can see Static Analyzer in action, and try scanning your applications for free at ibm.biz/staticanalyzer.
zSecure 2.1.1 was announced on July 15, 2014, with a planned availability date of September 5, 2014.
This announcement includes a new product IBM Security zSecure Adapters for QRadar SIEM (5655-AD8), which provides a new option of integrating System z security events (z/OS, RACF, DB2, CICS, ACF2, Top Secret) into IBM Security QRadar SIEM.
More details about the various integrations between zSecure and QRadar SIEM can be found in this blog entry by Jeroen Tiggelman on the Service Management Connect - System z blog.
Using ISAM security appliances to implement context-based strong authentication for website security
Learn how to secure a website with context-based two-factor authentication by integrating and configuring IBM Security Access Manager (ISAM) for Web and IBM Security Access Manager for Mobile. The authors will demonstrate how to use ISAM for Mobile's context-based authorization and one-time password (OTP) interface to enable security architects to apply intelligent stronger authentication access decisions across an organization's website.
If you already have an internal IT infrastructure, it quite likely contains an LDAP server to serve user identities. In many cases, it is best to continue to use that directory, even when your application sits on Bluemix®. In this tutorial, Ori Pomerantz shows you how to do that while describing the basics of the LDAP protocol itself.
Leo Farrell has just published a new article on developerWorks called "Configure an ISAM reverse proxy as a PEP to an OpenID connect provider."
IBM Security Access Manager (ISAM) added OpenID Connect (OIDC) as a federation protocol in Version 9.0. OIDC includes the ability to configure an OpenID Provider (OP), which can issue user identities (id_tokens), as well as access tokens used for authentication in the same way that OAuth Version 2.0 does. This article explains how to configure a reverse proxy as a policy enforcement point that is compatible with the OpenID Connect–issued access tokens.
This article will be of interest to anyone who wants to use this open standard with IBM Security Access Manager.
Nilesh Patel has just published a new how-to guide on the Security on developerWorks community titled "Auto-Assigning QRadar Offenses." This will be of interest to security admins who have large volumes of QRadar offenses to manage.
Here's the abstract:
In today's dynamic infrastructure world, every organization runs with multiple Lines of Business (LOB) such as Network, Application, Platform and so on. Security Intelligence is the layer which actually sits on top of all LOBs; and a product like IBM Security QRadar vastly expands the capabilities of traditional SIEMs by incorporating new analytics techniques and broader intelligence. Unlike any other SIEM in the market today, IBM Security QRadar captures all activity on the network for assets, users and attackers before, during, and after an exploit and analyzes all suspected incidents in this context. IBM Security QRadar notifies a user about 'Offenses', which are a correlated set of incidents with all associated network, asset, vulnerability and identity context. This article explains a solution to automatically assign offenses to a QRadar user, who could belong to the Security Operations Center (SOC) team or an LOB.
Arxan Technologies has posted to their blog about the recent OWASP finding that lack of binary protection is a "Mobile Top 10 Risk for 2014." Mobile environments are especially susceptible to binary integrity attacks, and mobile-specific countermeasures are necessary for this growing problem. In their blog post, Arxan shines more light on this problem and the types of strategies a company can put in place to address it.
You might also be interested in....
Defending against malware: A holistic approach to one of today’s biggest IT risks
This white paper will examine the changing strategies that malware has employed in recent years, explain the typical sequence of events that occurs during an attack, and describe how an integrated defense can help keep the enterprise safe from these advanced persistent threats.
If you want see a concise history of the past three years of IT Security incidents, you need to download the IBM X-Force Threat Intelligence Quarterly for 1Q 2014 as soon as possible. The team at X-Force has done a fantastic job of distilling the mountains of incident data they analyze into an amazing graphic that captures the trends over time. Here is the headline graphic:
As you can tell by the change in colors as you scan the graphic from left to right, the industry is starting to get a handle on DDoS attacks and SQL injection attacks, while attack types based on physical access to machines and distribution of malware are becoming more common. As noted in the report:
"The declines in vulnerabilities demonstrated at the end of 2013 in both XSS and SQL injection could indicate that developers are doing a better job at writing secure web applications, or possibly that traditional targets like content management systems (CMSs) and plug-ins are maturing as older vulnerabilities have been patched. As noted, XSS and SQL injection exploitation continue to be observed in high numbers, indicating there are still legacy systems or other unpatched web applications that remain vulnerable. This is expected, considering there are many thousands of blogs and other websites run by individuals who may not have the skills or awareness to update to later versions of their platform or framework."
The other thing to note in the graphic is that the overall number of incidents and the overall impact of IT security incidents aren't exactly going down, so it seems there was still plenty of job security in the IT security arena in 2013.
BIO-key International's finger biometric authentication solution has been validated for IBM® Security Access Manager (ISAM) for Web; the technology has been integrated into ISAM for Web and now provides ISAM users with a strong component for two-factor authentication (BIO-key adds an inherence authentication factor to the knowledge and possession factors). ISAM for Web delivers access control management to centralize network and application security policy for e-business applications.
IBM Security Guardium® leads the way in providing a monitoring and auditing solution for NoSQL database systems. In this article by Kathryn Zeidenstein and Sundari Voruganti, the authors provide an overview of one popular NoSQL database, Apache Cassandra, and explain how and why Guardium can help organizations protect Cassandra data and automate compliance reporting and sign-offs. This article includes detailed instructions and a sample security policy to help you configure Guardium and extract value immediately.
Shahnawaz Backer has published a how-to guide on how to configure NIC bonding for your QRadar appliance. This will be of interest to anyone who wants to ensure the high availability of the QRadar Appliance and it is a detailed step-by-step guide that anyone can follow.
From the abstract:
"This article highlights the configuration necessary for bonding―or teaming―the Network Interface Card (NIC) for the QRadar Security Information and Event Management (SIEM) appliance. It addresses topics related to high availability of the QRadar SIEM appliances and is intended for administrators in charge of maintaining those appliances."
You might also be interested in...
Discover the latest about IBM's security intelligence solutions.
Protect your critical assets with an integrated, cost-effective approach to vulnerability assessments and risk management.
Read this white paper to learn:
The value of an integrated security intelligence platform.
How to improve security with QRadar Vulnerability Manager.
How QRadar Risk Manager provides a complete network topology.
It's a cliché to say that IT security professionals need to get "proactive" about managing the security risks to their company or organization. If you spend every hour of every day reacting to the latest alerts from your monitoring infrastructure, you're never going to get there.
How do you stay ahead of the emerging threats? Where do you hear about trends in security attacks? What tools do you need? What are your sources of information?
This new information source from the IBM X-Force team will help you and your enterprise research threats, integrate actionable intelligence and collaborate with peers using its global threat intelligence. It's just the sort of clearinghouse you need to plan for tomorrow's security threats instead of reacting to yesterday's.
The IBM X-Force Exchange Team is hosting a live webinar on Wed, Apr 29, 2015 11:00 AM - 12:00 PM EDT.
I know everyone's scrambling to figure out what has to be patched to fix the Heartbleed bug. Please keep in mind that Heartbleed is a bug in the OpenSSL implementation of SSL, not a flaw in SSL itself. I know that many IBM products don't use OpenSSL and aren't affected by the Heartbleed bug. Having said that, there are probably some IBM products that DO need to be patched. And I wouldn't dare try to enumerate them.
Because IBM has a team of people whose job is specifically to monitor security vulnerability announcements, make sure the affected IBM product teams are made aware, and make sure patches get rolled out. They are the IBM Product Security Incident Response Program. These folks work day in and day out to get authoritative information out to people so they know which products need to be patched and where to get them. If there is a silver lining to the Heartbleed story, it's that it gives me a chance to brag on and give thanks for the good work that team does every day.
Jon Tate has published a post on the System Storage Redbooks blog with more details on how to get plugged into the PSIRT team's announcements about Heartbleed and other security alerts. So go check that post out and get plugged in.
Rolling out large enterprise software across any organization requires a smart infrastructure plan and an eye towards future scalability if the deployment is going to be a success. With IBM BigFix Software, there are some specific challenges that need to be met when designing a deployment from a performance perspective. Here is how one team within IBM faced a performance challenge and solved it using a smart infrastructure plan.
Read the full paper by authors Shaun T. Kelley and Mark Leitch:
This release of zSecure for z/VM includes the zSecure Compliance Testing Framework that was first made available for z/OS in release 1.13.1. It also has many small applicable enhancements parallel to the 1.13.1, 2.1, and 2.1.1 releases. A summary is available on the Service Management Connect blog.
Shadow IT refers to the information technology solutions used inside an organization without the explicit approval of the organization. In recent years, the advent of cloud computing has made it easier for employees to circumvent the IT department and use a variety of cloud applications without the knowledge or approval of the organization. Despite the high visibility of recent data breaches, most employees still choose to use cloud services to be able to do their job more efficiently. In a study conducted by IBM Security, it was found that 1 in every 3 Fortune 1000 employees regularly saves and shares company data to third-party cloud-based platforms that are not explicitly approved by their organization. This figure is expected to increase as the workplace demographic starts to change and millennials, who are greater users of cloud applications, make up more and more of the workforce.
Ravi Krishnan Muthukrishnan and Sreekanth Iyer have just published a new how-to guide for monitoring Salesforce applications using QRadar. This security community white paper outlines how to monitor for suspicious or failed logins and other activities that would raise red flags. Their white paper also has an associated demo video you can follow along with.
In this new how-to guide from Ricardo Gutierrez Cabanillas, you will learn to configure the IBM Security Access Manager for Web 8.0 appliance as a front-end load balancer and cluster of reverse proxy servers to build a highly available, fault-tolerant, secure web environment.
The front-end load balancing function automatically assigns client requests to the appropriate reverse proxy server based on the specified scheduling algorithm. Moreover, the front-end load balancer provides stickiness or persistence for existing sessions, allowing incoming requests from the same client to be forwarded to the same server. A typical setup is two front-end load balancer servers and multiple reverse proxy servers.
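As an added illustration of the scheduling and stickiness behaviour described above (example code written for this page, not ISAM's implementation and not from the guide), the model below round-robins new sessions across a pool of reverse proxy servers, pins each session to the server it was first sent to, and re-schedules a pinned session only when its server has been marked unhealthy. Server names and the health-check interface are assumptions for the example.

```python
"""Front-end load balancer with session stickiness and failover (toy model)."""
from itertools import cycle
from typing import Dict, List, Optional, Set


class StickyBalancer:
    def __init__(self, servers: List[str]) -> None:
        self.servers: List[str] = list(servers)
        self.healthy: Set[str] = set(servers)
        self._rr = cycle(self.servers)            # round-robin scheduling algorithm
        self.affinity: Dict[str, str] = {}        # session id -> pinned server

    def mark_down(self, server: str) -> None:
        """Health check failed: stop sending new or pinned sessions here."""
        self.healthy.discard(server)

    def mark_up(self, server: str) -> None:
        self.healthy.add(server)

    def _schedule(self) -> Optional[str]:
        """Next healthy server in round-robin order; None if the pool is empty."""
        for _ in range(len(self.servers)):
            candidate = next(self._rr)
            if candidate in self.healthy:
                return candidate
        return None

    def route(self, session_id: Optional[str]) -> Optional[str]:
        """Existing sessions stick to their server while it is healthy; new
        sessions, or sessions whose server failed, are scheduled afresh."""
        if session_id is not None:
            pinned = self.affinity.get(session_id)
            if pinned in self.healthy:
                return pinned
        chosen = self._schedule()
        if chosen is not None and session_id is not None:
            self.affinity[session_id] = chosen    # persistence for this client
        return chosen


if __name__ == "__main__":
    lb = StickyBalancer(["proxy-a", "proxy-b"])   # constructed server names
    print("s1 ->", lb.route("s1"))
    print("s2 ->", lb.route("s2"))
    lb.mark_down(lb.route("s1"))
    print("s1 after failover ->", lb.route("s1"))
```

The failover path is the point to notice: a session whose server goes down is moved to a healthy one and re-pinned there, so a single proxy failure costs that client a re-authentication rather than an outage, provided the session state is held behind the proxies rather than only on the failed node.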
You might also be interested in.....
Tolly evaluated the IBM Security Access Manager Web Gateway Appliance (AMP 5100) for its web protection effectiveness, performance, and ease of use. Read this report to see the details of the AMP 5100's ability to block 100% of the inline-preventable OWASP Top 10 Web threats from 2010-2013.
Shahnawaz Backer has just published a new security community paper in the security on dW community resource library that discusses how to use IBM Security Access Manager to help prevent several of the most common session hijacking attacks. Some of the common session hijacking attacks he covers are:
Predictable Session Key/Session Fixation: This kind of attack is possible in a system where an attacker can guess the session key (for example by monitoring a series of session keys given out by the system). The attacker can also trick the user into logging on to the system with a session ID the attacker has fixed in advance.
Session Sniffing: An attacker can eavesdrop on the network, listening to all unencrypted traffic. Any site not using SSL is vulnerable to this, revealing the session key to the attacker.
Cross-Site Scripting (XSS): A website with an XSS vulnerability can be tricked into running scripts, giving the attacker the valuable session key available to the browser.
Man-in-the-browser attacks: Malicious apps sitting in the browser try to steal confidential information.
This new security community paper will be of interest to anyone who wants to make their web applications more secure against session hijacking attacks.
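The server-side controls that address the first three attacks in the list are small and worth seeing together. The following is an added example written for this page (not code from the paper and not ISAM's behaviour): session IDs are drawn from a cryptographic random source so they cannot be predicted from earlier ones; the ID is rotated at login and the old one revoked, so an ID an attacker fixed before authentication never becomes an authenticated session; an ID the server did not issue is ignored rather than adopted; and the cookie is sent with `Secure`, `HttpOnly` and `SameSite`, which keeps it off cleartext connections and away from page scripts. The cookie name and the in-memory store are assumptions for the example.

```python
"""Session-hijacking defenses for a web login flow (constructed example)."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SESSION_ID_BYTES = 32   # 256 bits of entropy: not guessable from earlier IDs


@dataclass
class Session:
    user: Optional[str] = None                        # None until authenticated
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """In-memory session table keyed by the SHA-256 of the cookie value, so a
    leaked copy of the table does not hand out usable session cookies."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(session_id: str) -> str:
        return hashlib.sha256(session_id.encode()).hexdigest()

    def create(self) -> str:
        """Anonymous pre-login session with a fresh, unpredictable ID."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[self._key(sid)] = Session()
        return sid

    def lookup(self, session_id: str) -> Optional[Session]:
        return self._sessions.get(self._key(session_id))

    def login(self, presented_id: Optional[str], user: str) -> str:
        """Rotate the ID on authentication (session fixation defense): state from
        the anonymous session is carried over, the old ID is revoked."""
        old = self._sessions.pop(self._key(presented_id), None) if presented_id else None
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[self._key(new_sid)] = Session(user=user, data=dict(old.data) if old else {})
        return new_sid

    def logout(self, session_id: str) -> None:
        self._sessions.pop(self._key(session_id), None)


def resume_or_create(store: SessionStore, cookie_value: Optional[str]) -> Tuple[str, Session]:
    """Only resume IDs the server issued; a client-supplied unknown ID (possibly
    planted by an attacker) is discarded and a new one is issued instead."""
    if cookie_value is not None:
        existing = store.lookup(cookie_value)
        if existing is not None:
            return cookie_value, existing
    sid = store.create()
    return sid, store.lookup(sid)


def set_cookie_header(session_id: str, name: str = "SESSIONID") -> str:
    """Secure blocks sniffing on cleartext links, HttpOnly keeps the value away
    from scripts injected via XSS, SameSite limits cross-site replay."""
    return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anon, _ = resume_or_create(store, "id-the-client-made-up")   # ignored, new ID issued
    authed = store.login(anon, "alice")
    print("old ID still valid after login:", store.lookup(anon) is not None)
    print(set_cookie_header(authed))
```

Man-in-the-browser malware runs inside the user's own session and is not addressed by any of these cookie controls; that is why it appears separately in the list above and needs endpoint or transaction-level defenses.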
IBM Security Network Intrusion Prevention System Virtual Appliance, a part of the IBM 'Adaptive Threat Protection' platform, offers all the advanced preemptive protection of our NIPS in a virtual security appliance. Powered by IBM X-Force® research, it operates on virtual platforms to protect both your physical and virtual networks with the same high level of security. As a virtual appliance, it is an ideal security solution for cloud services, with the ability to secure traffic between virtual machines and enabling flexible deployments in multitenant virtual environments.
IBM Security Network Intrusion Prevention System Virtual Appliance trial download is a virtual image of IBM's NIPS product. This download will help you get an overview of our adaptive threat protection approach to address evolving and mutating threats in your IT environment.
Regardless of whether IBM Security Access Manager (ISAM) has been rolled out in a large or small scale environment, it can be complex to deploy and manage in terms of both technology and processes. Requirements can alter and expand over time, skilled security personnel can move to other projects and capacity and/or performance targets may change, potentially leading to the ISAM Manager deployment being unable to meet current business objectives. To avoid this scenario, periodic health checks are recommended for all customers of IBM Security Access Manager. Regular health checks can help achieve the following:
Increase your productivity with improved operations
Ensure compatibility, reliability and connectivity
Maintain a highly optimised and top performing environment
Identify configuration changes to improve performance or address operational challenges
Plan for future growth
Every deployment is unique therefore the priorities of such a health assessment may vary. Whether the target is improved performance, ensuring high availability, capacity planning, resolving pervasive issues or verifying if best practices are being used, this document should provide you with effective guidelines for reviewing the health of your ISAM v6.x or v7.x deployment.
On October 1, 2015 IBM issued a Statement of Direction about providing 64-bit addressing support in IBM Security zSecure. This support has now become available as a Service Stream Enhancement (SSE) to zSecure 2.2.0.
64-bit addressing allows the use of memory above the 2GB "bar" implied by addresses consisting of only 31 bits. Besides allowing the program to store and retrieve larger amounts of data, this also frees up memory "below the bar" that can be used by (other) 31-bit addressing programs.
Typical functions in zSecure that benefit from having a lot of memory available include
- processing very large numbers of events from the SMF event log, e.g. as sent on to IBM Security QRadar SIEM;
- analyzing data for many security databases and LPARs at the same time;
- rule-based compliance analysis based on many underlying technical reports;
- analyzing large intervals (possibly a year or more) of access use data, e.g. to identify obsolete permissions.
The SSE also includes enhancements to 31-bit addressing support. Details can be found in this blog entry by Jeroen Tiggelman on the Service Management Connect - System z blog.
The changes apply to all components of zSecure for z/OS except zSecure CICS Toolkit and zSecure Command Verifier. For the full benefits, z196 or newer hardware is required.
Generally, iOS is claimed to be secure. Each app must pass Apple’s vetting process before being published to the App Store. Additionally, the iOS framework is strict, for instance not allowing unauthorized apps to be installed on the device or any modification of the app files. This prevents malicious apps from reaching the iOS environment. However, it doesn’t prevent security vulnerabilities that stem from a valid app’s own code. The iOS Analyzer covers this gap by detecting these issues and supplying the information required to fix them.
Our solution relies on IBM’s innovative Glass Box technology, extending it to the mobile space. The Mobile Analyzer for iOS (part of IBM Application Security on Cloud) installs the application and then performs automatic crawling to simulate the user’s interaction with the app. While the application is active, the Glass Box monitors and logs specific system method calls, which are used to detect security vulnerabilities. Using Glass Box technology brings accurate and detailed results (such as the location of the security issue in the user code).
Running the iOS Analyzer
The first step to using the iOS Analyzer is to generate the IPAX file. The IPAX file contains the user application after it was linked with the proprietary iOS Analyzer library, which allows the iOS Analyzer to monitor the application code during runtime.
To generate the IPAX file, download the IPAX Generator utility from the iOS Analyzer. You can then run the IPAX Generator from the command line, supplying the path to your Xcode project or workspace. The IPAX Generator automatically downloads the latest version of the iOS Analyzer library and builds and packages the application with the library linked to it. The resulting IPAX file contains the built application. It is also strongly encrypted to protect your privacy.
In order to test your application, simply upload the IPAX file to the iOS Analyzer. You may supply some additional information, such as user credentials, if the application requires it.
The iOS Analyzer will then automatically crawl your app, detecting any possible security vulnerabilities. Once the scan is done, a comprehensive report will be generated, which will include details for each vulnerability, such as the description of the security issue, how and where it was found in the app code, and how to fix it.
This post was submitted by:
AppScan Mobile Analyzer Team Lead
IBM Security Systems
Guardium is known for its ability to integrate with a wide variety of other technologies and products. In this upcoming tech talk John Haldeman, from Information Insights, describes some recent integration work he’s been doing to support some interesting use cases. Perhaps you’ll learn something new you can try in your environment. The following integration use cases will be described:
Sending events to SYSLOG receivers and SIEMs for consolidation. Use case: QRadar as the receiving SIEM
Data exports to external databases using CSV files and the external feed mechanisms. Use case: Import entitlement and audit data into IBM Security Privileged Identity Manager (ISPIM).
Export-less querying using REST API translation services. Use case: Cognos and R
Automate updates of privileged user groups: Use case: Import lists of ISPIM shared credentials.
The universal feed and bringing real time data into Guardium. Use case: Record ISPIM shared credential checkouts in Guardium.
Real-time detection of risks means that you can manage security vulnerabilities and protect data. IBM® Security QRadar® Vulnerability Manager scans, detects, and mitigates InfoSec risks. This new security article by Tim Landers shows an overview of the QRadar security intelligence platform and then dives deep into the capabilities of IBM Security QRadar Vulnerability Manager.
Increasing demand from today's employees for a flexible experience that affords them the option to use the mobile technology of their choosing has disrupted traditional approaches to IT management and security. As a first response, it's not uncommon for companies to launch bring-your-own-device (BYOD) initiatives. However, these programs become more difficult to scale as they include a larger percentage of the workforce, more corporate apps, and increased access to enterprise data and resources. It's clear that BYOD is here to stay, and the expansion of use cases for mobile is continuing to bolster business growth. However, the role of enterprise IT must advance alongside these new trends to enable a more secure mobile workforce that is well equipped to respond to customer needs on its own terms.
Join guest speaker Forrester Senior Analyst Chris Sherman and IBM MaaS360 portfolio marketing leader Jonathan Dale as they share best practices for securing and empowering your mobile workforce.
You will learn:
How location, access to sensitive data, and job function affect BYOD eligibility and policy
The risk levels associated with employee segments and device posture
How to support employee flexibility by decoupling security from the device
On the System z Management blog, Jeroen Tiggelman has published a summary of the new Information Management releases for DB2 11 for z/OS and IMS 13. He also discusses the corresponding updates to zSecure 2.1 to provide currency support for these releases. Check out his post to learn about the benefits to security in these releases and learn how to plan your migration to the latest levels of these products.
zSecure is an excellent platform to help you secure your System z platform and can be used to detect both external and insider threats to your system. To find out more about how you can help detect insider threats in your IT environment, you can download and read "Stay ahead of insider threats with predictive, intelligent security."
Many IBM products use the IBM Global Security Kit (GSKit) component for SSL and other encryption tasks. Oktawian Powązka has just published a new white paper on the Security on developerWorks community that goes into detail about what you can and can't do with GSKit for FIPS and Suite B compliance. This white paper is a must read for anyone who has to worry about compliance with these standards. http://ow.ly/vR7uT
You might also be interested in:
Encrypting Data With Confidence:
IBM published a new white paper on encrypting data at enterprise scale. Learn about encrypting mission critical data with confidence and reduce security risks across the enterprise and beyond. Download "Encrypting Data With Confidence."
Reddit AMA with IBM's Application Security Team May 13, 2015 11am ET
We're from IBM's Application Security team, and we'll be here at your disposal to answer questions that you might have. Discussion topics in this session will include cloud-based security and mobile security in the application development space, but we'll be standing ready to answer additional questions that you might have. Join us on May 13th, and help us drive the discussion!
Wei Wei Zhang, Cheng-Yu Yu and Jia Li Chen have just published a new security community white paper on how to make sure issues found with AppScan Enterprise are correctly logged and processed in Rational Team Concert. Putting these two platforms together can help ensure you have a rock-solid development process and that no issue gets left behind.
IBM Security AppScan Enterprise (ASE) can integrate with IBM Rational Team Concert (RTC) for defect tracking. This article introduces how to configure ASE with RTC, how to solve connection problems with RTC, and how to resolve problems that occur when reporting a defect from ASE to RTC.
IBM plans to acquire Fiberlink Communications, a mobile management and security company, with the goal of extending IBM MobileFirst's Management and Security solutions, adding new cloud-based mobile device management, mobile application management, mobile content management, and an enterprise application container. In the area of BYOD, BYOID, and trusted transactions, this move will create a fuller spectrum of capabilities to address mobile user needs; IBM recently joined forces with Trusteer to strengthen the ability to secure individual transactions.
You can listen to this blogtalkradio podcast, moments after the announcement, as Fiberlink and IBM executives Wing To, Caleb Barlow, Phil Buckellew, and Chris Clark discuss the Fiberlink solution and how IBM will extend its bring-your-own-device capabilities to deliver a complete mobile management and security solution through IBM MobileFirst.
IBM strategist Vijay Dheap also comments on what the acquisition means for IBM BYOD security capabilities [read blog], including a roundup of four indispensable goals IT security professionals need to address in order to secure the growing world of mobile:
Manage devices the way you want to.
Build hardened Android and iOS apps.
Better understand contextual intelligence in order to better enable access.
Increase the ability to do business securely via trusted transactions.
Finally, in this 11-minute video, Phil Buckellew and Caleb Barlow take you deeper into what the acquisition means to IBM MobileFirst.
Leyla Aravopoulos, Kenneth Cheung, and William Frontiero have just published a new how-to guide that shows how to use the application import feature of AppScan Source to import a deployed application's binaries into AppScan Source for static analysis. This approach avoids the typical pitfalls of static web application scanning associated with compilation features, missing libraries, etc., while improving application coverage. This how-to guide will be of interest to anyone who has faced challenges with traditional configuration of static analysis tools.