Four tips for securing your IBM Rational products
Recently, the Internet was abuzz with talk about the latest high-profile security vulnerability: the Heartbleed bug in OpenSSL, a missing bounds check in the TLS heartbeat extension that let an unauthenticated remote client read chunks of server memory, including private keys and session data. This bug is a reminder that we need to be constantly vigilant in protecting our online presence. If you are in charge of deploying software, this means keeping your applications updated with the latest security patches. IBM describes its general security processes, procedures and recommendations at IBM
1. Know there is a problem
Sign up to receive secu
2. Prepare for rapid deployment of fixes
Update your deployment with corrective software updates as soon as possible. Once a bulletin is published, attackers know that there is a vulnerability to exploit, and the clock starts: the probability that someone targets your deployment rises from the moment of publication. Depending on who found the vulnerability, the security bulletin may describe it only vaguely, or it may give explicit information that explains how the exploit is accomplished. Either way, your deployment is at risk, because attackers are creative and persistent when working from even a vague description, and public proof-of-concept code often follows a bulletin within days.
Updating your deployment rapidly may require exceptions to your usual deployment processes. Put policies and procedures in place, such as a pre-approved emergency change path, that allow security patches to go in without a lengthy qualification cycle. You may need to accept more deployment risk in order to reduce your security risk.
3. Examine the CVSS score of the vulnerability
Security bulletins contain a Common Vulnerability Scoring System (CVSS) base score and vector, which express the technical severity of the vulnerability according to a generally accepted industry standard. Note that the base score measures the vulnerability in isolation; it does not measure the risk to your particular deployment. A common classification of the base score is 0.0 - 3.9 (Low), 4.0 - 6.9 (Medium) and 7.0 - 10.0 (High). You might decide how promptly to perform your upgrade based on that severity band. However, different types of professionals have different tolerances for security risk. Lawyers typically want to treat all vulnerabilities as equally risky and want to mitigate them as quickly as possible. Engineers are often more comfortable making engineering judgments and are more willing to compromise. Consult with your business owner about how much risk they are willing to accept, on behalf of themselves and your customers, for each individual bulletin.
One thing to note is that the security bulletin only supplies the score and the facts. It will not tell you how important it is to your business and your users to mitigate the vulnerability; that depends on where the product sits in your network, who can reach it, and what it holds. Of course, when I put on my own security hat, I want to update my deployments as quickly as possible, no matter the CVSS score.
4. Read the “Security considerations” section and take action
Examine your product documentation for guidelines on how to properly configure your deployment with high levels of security. Many IBM software products have a section called "Security considerations." Some general guidelines: always use SSL connections (that is, TLS; "SSL" is the everyday name), because this encrypts login information and data passing between the browser and the server. Make sure the plain HTTP port is either removed or redirects every request to the HTTPS port, and that the server does not still offer the obsolete SSLv3 protocol or other legacy protocol versions. If the product allows you to set password policies, configure for strong passwords with a minimum of eight or ten characters, and set password expiration dates. Don't use easy-to-guess user account names, since that gives attackers half of the information they need to break into the system. Consider naming your administrator accounts something other than "admin" or "administrator," because those are the first accounts an attacker will attempt to break; renaming buys you time, but it is not a substitute for a strong password on that account.
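The "always use SSL" item is easy to state and easy to get half right. Below is an added example (not code from the original post or from IBM) that audits the connector definitions in an application server's server.xml against that guidance: it flags plaintext connectors, TLS connectors missing the scheme/secure attributes, and TLS connectors that still offer legacy protocol versions. It assumes the product is fronted by an Apache Tomcat-style server.xml, which is an assumption about your deployment; consult your own product's "Security considerations" section for the supported way to configure its server. The sample configuration is constructed for the example.

```python
"""Audit server.xml <Connector> elements against the "always use SSL" guidance.

Added example, not code from the original page or from IBM.  Assumes an Apache
Tomcat-style server.xml; SAMPLE_SERVER_XML is constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a plaintext connector, a TLS connector that still offers
# SSLv3 and TLS 1.0, and a hardened connector limited to TLS 1.2.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="9080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" keystoreFile="conf/server.keystore"
               sslEnabledProtocols="SSLv3,TLSv1,TLSv1.2"/>
    <Connector port="9444" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" keystoreFile="conf/server.keystore"
               sslEnabledProtocols="TLSv1.2"/>
  </Service>
</Server>
"""

# Protocol versions that should no longer be offered: SSLv3 fell to POODLE,
# TLS 1.0 and 1.1 are deprecated by RFC 8996.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_connectors(server_xml):
    """Return one finding per <Connector>: {"port", "tls", "issues"}."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        issues = []
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        if not tls:
            # Plain HTTP: logins and data cross the wire unencrypted.  A
            # redirectPort alone does not force HTTPS; web.xml also needs a
            # CONFIDENTIAL transport-guarantee, or the connector should go.
            issues.append("plaintext connector (remove it, or redirect every "
                          "request to the HTTPS port and enforce that in web.xml)")
        else:
            if conn.get("scheme") != "https" or conn.get("secure", "false").lower() != "true":
                issues.append('TLS connector missing scheme="https" / secure="true"')
            offered = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
            if not offered:
                issues.append("sslEnabledProtocols not set: the JVM default decides "
                              "which legacy protocols are offered")
            legacy = offered & LEGACY_PROTOCOLS
            if legacy:
                issues.append("legacy protocols offered: " + ", ".join(sorted(legacy)))
        findings.append({"port": conn.get("port"), "tls": tls, "issues": issues})
    return findings


def connectors_needing_attention(server_xml):
    """Ports whose connector has at least one finding."""
    return [f["port"] for f in audit_connectors(server_xml) if f["issues"]]


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not f["issues"] else "; ".join(f["issues"])
        print(f"port {f['port']} ({'TLS' if f['tls'] else 'plain'}): {status}")
```

Run against the sample, ports 9080 and 9443 are reported and 9444 is clean. The check is deliberately static: it reads what the server is configured to offer, which is what you can fix, and complements (not replaces) a live scan of the listening port after restart.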
It's a new age
Start to work on changing your deployment culture as it relates to security.
Gone are the days of thinking that your application is safe if it is behind a firewall. It isn't. Attackers get past firewalls routinely, through a phished user's workstation, a vulnerable internet-facing service, or a VPN credential, and once an attacker is on any machine inside, they are on the local network with your application. Insider attacks are becoming more prevalent as well.
Gone are the days of thinking that your application is working well and that it is better not to upgrade it because something might go wrong. Upgrading only has the potential to disrupt your application; not upgrading is a definite security risk.
New security vulnerabilities are being discovered all the time. Your Rational application has many software components and is deployed on complex OS and middleware platforms (the JVM, the application server, the database and the operating system each carry their own bulletins). You must keep the entire deployment and platform up to date in order to protect your users and your company's information.
Is there hope?
It is a scary security world out there and, potentially, in there behind the firewall. No one can claim that a deployment has no security holes. However, by following the security recommendations and upgrading your deployment to remove every known vulnerability, you can steadily improve your company's security posture.
What are the obstacles that you see in providing secure applications to your users?