Independent expert M. Tim Jones takes you on a tour of testing your applications for security capabilities during the development and verification phase, focusing on code that you can touch, test, and inspect manually, as well as code that is perfect for automated review and inspection while under execution. In other words, static and dynamic analyses (plus another type of dynamic testing that goes by several names: vulnerability scanning, network reconnaissance, and penetration testing). In the following image, Jones outlines the different approaches and tools (as a function of the phase in the software life cycle) you can use to secure applications:
In this excellent and quick read, Jones then outlines open source and proprietary tools you can use to take some of the sting out of setting up and testing applications during development.
Arxan Technologies, a company providing security solutions for mobile apps, is highlighting its April 2013 announcement from IBM Impact 2013 with a webcast, "Mobile App Security: Integrated Protection with IBM Worklight and Arxan," on September 5, 2013. The original announcement introduced Arxan Mobile Application Integrity Protection for IBM Worklight Apps, an integrated solution that enables IBM Worklight customers to protect their mobile apps against hacking attacks and malware exploits. The proactive application integrity protection is delivered by Arxan's Guarding technology; it enables IBM MobileFirst customers to increase security during the app development and deployment processes.
Arxan Guarding uses injection technology to embed self-defending and tamper-resistant protection mechanisms (a network of Guards) directly into the code. These Guards don't require source code modification, can be integrated into the IBM Worklight build workflow without disrupting the software development process, and go wherever the app goes; they can be applied in two tiers of protection:
A minimal level for all apps developed with Worklight.
A maximum level, suggested for Worklight apps that have custom native code (hybrid mixed and native app types) or a custom shell.
IBM Security QRadar Vulnerability Manager (QVM) helps redefine how IT security teams collect and use vulnerability assessment data by identifying your organization's largest exposures and building a smarter remediation and mitigation action plan. It adds enhanced scanning and analysis capabilities to QRadar SIEM, letting users correlate scan results with the security intelligence data of QRadar SIEM. The most security-conscious benefit QVM adds to a protection portfolio is a high level of automation that makes it easy for the security officer to quickly prioritize the vulnerabilities that present the greatest potential dangers and to set aside false positives or findings already classified as non-threatening -- scans are triggered automatically, launched as the result of network behavior, or programmed to run at regularly scheduled intervals against either all components or just a specified subsegment of assets.
Understanding the shifting nature of malicious attacks on and vulnerabilities of your enterprise mainframe or hybrid system, especially as your organization implements new technologies -- cloud computing, response-based workload resource balancing, mobile access, big data handling, social collaboration -- is just the beginning of establishing a comprehensive security policy for your mainframe-oriented environment. In "Creating the ultimate security platform," IBM explains how System z can deliver proactive protection for data, web, cloud, mobile, and enterprise environments on mainframe systems.
This whitepaper starts by detailing how mainframe security requirements have changed in the Internet era. Originally, mainframes were isolated from outside influences, but now many are just as connected to the web as a typical smartphone; the difference is that it is relatively easy to secure the simple environment of a phone, but not so easy with the complex architecture of a mainframe.
The paper describes how security intelligence (consistent, normalized analysis of disparate data to recognize and block attacks) takes an "umbrella" approach to security, from network intrusion prevention all the way to endpoint management, in order to create a complete picture of the infrastructure and of the attacks and vulnerabilities that threaten it. The security intelligence approach, optimized for the way a contemporary computer system is used, replaces the traditional "security only at the obvious vulnerable points" way of protecting your mainframe.
The National Institute of Standards and Technology has revised the digital signature standard (DSS), designed to secure the identity of an electronic document signer (the document is FIPS 186-4). According to NIST spokesperson Elaine Barker, this isn't a major revision to the technology; the update ensures that the standard remains consistent with other NIST cryptographic guidelines (for example, NIST Special Publication 131A, "Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths").
FIPS 186-4 specifies a suite of algorithms that can be used to generate a digital signature that is then used to detect unauthorized modifications to data and to authenticate the identity of a signatory. Also, a recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was generated by the claimed signatory (known as non-repudiation).
The standard defines three methods for digital signature generation:
1. The Digital Signature Algorithm (DSA), specified in FIPS 186-4 itself; the specification includes criteria for the generation of domain parameters, for the generation of public and private key pairs, and for the generation and verification of digital signatures.
2. The RSA digital signature algorithm (specified in ANS X9.31 and PKCS #1).
3. The Elliptic Curve Digital Signature Algorithm (specified in ANS X9.62), a variant of #1 that uses elliptic curve cryptography.
The goal with this release, according to Barker, is to align the standard so that all NIST documents offer consistent guidance regarding the use of random number generators. The changes will also allow users to save random initial values for searching for prime numbers for purposes such as regenerating the values; the previous version of the standard only allowed saving these values for use as evidence.
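As an added illustration (not from FIPS 186-4 or the article), here are the four operations the DSA section of the standard covers: domain parameter generation, key pair generation, signing and verification. It uses constructed toy parameter sizes (a 32-bit q and roughly 64-bit p, far below the approved sizes) and the standard's rule of hashing the message and keeping the leftmost min(N, outlen) bits; the Miller-Rabin helper is a simplification of the standard's prime-generation procedure.

```python
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin for odd n > 3; fine for a toy generator, not for production parameters."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(L: int = 64, N: int = 32):
    """Toy domain parameters (p, q, g): N-bit prime q, ~L-bit prime p = c*q + 1, g of order q."""
    while True:
        q = secrets.randbits(N) | (1 << (N - 1)) | 1                        # odd, exactly N bits
        p = 2 * (secrets.randbits(L - N - 1) | (1 << (L - N - 2))) * q + 1  # even cofactor -> odd p
        g = pow(2, (p - 1) // q, p)                                          # g^q == 1 (mod p)
        if g != 1 and is_probable_prime(q) and is_probable_prime(p):
            return p, q, g

def keygen(p, q, g):
    x = 1 + secrets.randbelow(q - 1)                                         # private key
    return x, pow(g, x, p)                                                   # (x, y)

def _z(msg: bytes, q: int) -> int:  # leftmost min(N, 256) bits of SHA-256(msg), per FIPS 186-4
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - min(q.bit_length(), 256))

def sign(msg: bytes, x: int, p, q, g):
    while True:
        k = 1 + secrets.randbelow(q - 1)                                     # fresh secret per signature
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (_z(msg, q) + x * r) % q
        if r and s:                                                          # retry on r == 0 or s == 0
            return r, s

def verify(msg: bytes, sig, y: int, p, q, g) -> bool:
    r, s = sig
    if not (0 < r < q and 0 < s < q):                                        # range check comes first
        return False
    w = pow(s, -1, q)
    return pow(g, _z(msg, q) * w % q, p) * pow(y, r * w % q, p) % p % q == r
```

A verifier that skips the range check or reuses k across signatures loses exactly the guarantees the standard is written to provide, which is why both appear as explicit steps here.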
This new developerWorks quick guide explains the basics of how IBM Security Privileged Identity Manager centralizes the management of privileged and shared accounts and helps you track and audit the activities of privileged users so you can provide effective security and authentication governance. The guide focuses on the growing problem of insider IT threats by demonstrating five major functions to counter potential abuses by insiders:
Managing privileged user identities centrally.
Defining privileged roles and entitlements.
Reducing risk by consolidating privileged accounts.
Controlling access and tracking usage of shared identities.
Linux on System z employs some unique technologies that can potentially make delivering overall network security easier by providing centralized management capabilities and reducing the number of control checks -- device coupling controls, auditing and troubleshooting functions, and predefined network configurations (such as the HiperSockets adapters, technology that enables high-speed communications between partitions on a server with a hypervisor).
The IBM Redbooks tech note "Security for Linux on System z: Securing Your Network" offers a rather detailed abstract that explains these tools and how they work in order to set up a secure network, focusing on the task of configuring virtual switches to automatically manage which users can couple with them. An excellent read of a few minutes that can bring you a wealth of knowledge on secure networking.
To expand your Linux on System z security experience even further, you can tackle the complete Redbook publication this note was abstracted from: Security for Linux on System z. If you need more basic hands-on experience using Linux on System z (and cloud), take a look at the video IBM Linux on System z Cloud Test Drive to better understand virtualization, deployment, and image management from both a user and an administrator point of view.
IPsec -- the Internet Protocol Security protocol suite, which authenticates and/or encrypts each IP packet of a communication session in order to secure IP communications -- is a foundation tool that can be complex to implement, especially in an enterprise composed of many systems. There are two modes in which IPsec can be implemented:
host-to-host transport mode where only the payload of the IP packet is usually encrypted and/or authenticated; routing remains intact since the IP header is neither modified nor encrypted.
network tunnel mode encrypts and/or authenticates the entire IP packet, then encapsulates it into a new IP packet with a new IP header; this mode is used to create virtual private networks.
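To make the two modes concrete, an added example (not from the page) that builds ESP packets in both modes using NULL encryption with an HMAC-SHA-256-128 integrity check value, so the ICV verification is real while the payload stays readable for inspection. The key, addresses and payload are constructed, and the IP-in-IP next-header value 4 and ESP protocol number 50 are the standard assignments.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key-not-for-real-use"  # constructed; real SA keys come from IKE

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header (no options) with a correct ones-complement checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]

def esp_encapsulate(spi: int, seq: int, inner: bytes, next_header: int) -> bytes:
    """ESP (RFC 4303) with NULL encryption (RFC 2410) and HMAC-SHA-256-128 ICV: integrity only."""
    pad_len = (-(len(inner) + 2)) % 4                     # align the trailer to 4 bytes
    body = struct.pack("!II", spi, seq) + inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:16]

def icv_ok(esp: bytes) -> bool:
    """Constant-time ICV check; must pass before any field of the packet is trusted."""
    return hmac.compare_digest(hmac.new(KEY, esp[:-16], hashlib.sha256).digest()[:16], esp[-16:])

def esp_decapsulate(esp: bytes):
    """Return (spi, seq, next_header, inner) or raise if the ICV does not verify."""
    if not icv_ok(esp):
        raise ValueError("ESP ICV mismatch: tampered packet or wrong SA key")
    spi, seq = struct.unpack("!II", esp[:8])
    pad_len, next_header = esp[-18], esp[-17]              # trailer sits just before the ICV
    return spi, seq, next_header, esp[8:-(18 + pad_len)]

def transport_mode(src: str, dst: str, proto: int, payload: bytes, spi=0x1001, seq=1) -> bytes:
    """Transport mode: the original header is kept (routing unchanged); only the payload is wrapped."""
    esp = esp_encapsulate(spi, seq, payload, proto)
    return ipv4_header(src, dst, 50, len(esp)) + esp        # protocol 50 = ESP

def tunnel_mode(gw_src: str, gw_dst: str, original_packet: bytes, spi=0x2001, seq=1) -> bytes:
    """Tunnel mode: the whole original packet is wrapped; the new outer header names the gateways."""
    esp = esp_encapsulate(spi, seq, original_packet, 4)      # next header 4 = IPv4-in-IPv4
    return ipv4_header(gw_src, gw_dst, 50, len(esp)) + esp

def observer_view(packet: bytes):
    """What an on-path device reads without the SA key: outer source, destination and protocol."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), packet[9]
```

Comparing observer_view on the two outputs shows the practical difference: transport mode exposes the communicating hosts' addresses on the path, while tunnel mode exposes only the two gateways'.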
Tunnel mode is an important concept but it can be quite a numbers nightmare. To use IPsec tunnels, each system under an enterprise's control must be configured individually using an XML configuration file or command line. Each IPsec tunnel between two systems has to be configured for more than 20 different parameters; only a few of these are machine dependent.
To reduce the propensity for error from so many configuration variables, IBM introduced a feature in AIX IPsec that simplifies the process. In Simplify and centralize IPSec management on AIX, IBM Software Engineer Jyoti Tenginakai shows you how to use the centralized IPSec management feature in AIX that creates tunnels for each pair of IP addresses that are part of the IPsec configuration policy. Tenginakai also explains how to simplify and centralize management of a configuration using LDAP as a central repository.
The biometric authentication software is already integrated with ISAM for ESSO, so you can deploy and use it quickly. (BIO-key International's finger biometric authentication solution was recently validated for IBM® Security Access Manager for Web.)
Learn more about ISAM and BIO-key products and technologies:
In the IBM Redbooks Redguide Realizing Efficient Enterprise Security Intelligence by Using IBM Security Intelligence Solutions, authors Nilesh Patel, Arun Madan, Sridhar Muppidi, and Axel Buecker explain why the classic, vertical defense-in-depth model for enterprise security is no longer adequate; as the technology corporations have adopted has gotten more distributed, the need to "place" security touchpoints has expanded in a horizontal direction. The quartet explains the four key areas of modern information security technology -- analytics, cloud, mobile, and compliance -- and focuses on using analytics not just to tease out decision-support data for marketing and financial planning, but also to use the technique for security strategy. In other words, to craft and implement a security intelligence program. A wonderful read, it includes a typical deployment scenario.
Watch a video demonstration to learn how to configure IBM Security AppScan for a dynamic scan of a new application.
Watch a video demonstration to learn how to analyze the results of a scan using a five-step process.
Watch a video case study of how an organization uses a combination of AppScan Standard and Source editions to provide the embedded security and analysis necessary to help developers eradicate source code vulnerabilities.
Follow along in an article case study that demonstrates using AppScan Standard to scan and test two web applications.
You can even expand your AppScan knowledge by diving into a resource that shows you how to configure AppScan to test mobile devices.
The first sentence in the summary says it all: "Wouldn't it be great to validate password strength prior to synchronization." IBM Software Engineers Nagesh Bhagwat, Abhijit C. Dusane, and Raghavendra T.A. show you how to integrate the IBM Tivoli Directory Integrator Password Synchronizer Plug-in with IBM Tivoli Identity Manager (now known as IBM Security Identity Manager) in order to validate password strength using Tivoli Identity Manager's password policies prior to synchronization.
Password synchronization with Directory Integrator allows you to intercept password changes on several systems. Identity Manager provides the ability to deploy policy-based provisioning solutions. When you put the two together, intercepted passwords can be verified by a password management policy before synchronization, broadening your security reach concerning password control.
Cisco and IBM have extended their security technology relationship with the introduction of a new context information-sharing framework called Platform Exchange Grid (pxGrid); at the heart of pxGrid is the Cisco Identity Services Engine (ISE), an enterprise policy control platform that provides policy-based, context-aware security for Cisco networks. ISE forms the pxGrid controller component which orchestrates connections between platforms and authorizes what contextual information is shared. IBM Security QRadar SIEM is now integrated with Cisco ISE. QRadar SIEM:
Consolidates log source event data from thousands of devices, endpoints, and applications distributed throughout a network.
Performs immediate normalization and correlation activities on raw data to distinguish real threats from false positives.
Correlates system vulnerabilities with event and network data, helping to prioritize security incidents.
In other words, the integration brings a broader range of contextual information -- about users, identities, privilege levels, device types, network conditions and events -- to QRadar SIEM's security intelligence capabilities. The Investigating with QRadar forum is an active discussion about using QRadar in day-to-day operations, investigations, and analysis of network activity.
You can learn more about QRadar Security Intelligence: The platform applies real-time correlation and anomaly detection across a distributed and scalable repository of security information. Big data analytics enable more accurate security monitoring and better visibility. Solutions within the package offer SIEM (security information and event management), log management, configuration and vulnerability management, and behavioral analysis and anomaly detection capabilities.
From IBM Redbooks, Using the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security can help organizations effectively visualize security issues by creating a bridge to address the communication gap between the business and technical perspectives of security. By using the IBM Security Framework to characterize the business viewpoint and the IBM Security Blueprint to describe the technology landscape, your organization gains a lingua franca that puts both sets of concerns on the same page.
In the video, IBM Security Strategy Director Ravi Srinivasan explains why IBM combined these two topics in this Redbook.
BIO-key International's finger biometric authentication solution has been validated for IBM® Security Access Manager (ISAM) for Web; the technology has been integrated into ISAM for Web and now provides ISAM users with a strong component for two-factor authentication (BIO-key adds an inherence authentication factor, something you are, to the knowledge and possession factors). ISAM for Web delivers access control management to centralize network and application security policy for e-business applications.