Posted by dmmckinn
Security in systems design and development tends to be an afterthought, but it should be considered throughout the product lifecycle. One area where the number of exploits is exploding is the quickly growing market of the Internet of Things (IoT). This article explores the spectrum of security in the context of IoT, including access security (authentication), data security (encryption), and security analytics (policy-based controls).
Posted by dmmckinn
The Internet of Things (IoT) introduces huge opportunities for businesses and consumers, especially in the areas of healthcare, warehousing, transportation, and logistics. Along with this widespread adoption, developers face new challenges to make sure that IoT applications are sufficiently secure because these applications handle a lot of sensitive data. Many security breaches have already been reported for IoT solutions, so developers must focus on building security into their IoT applications when they design and implement such solutions.
This series of articles focuses on the architectural tiers of an IoT application that is based on IBM cloud platforms. The articles in this series describe a solution-based approach to minimizing security risks in IoT applications by using services that are readily available in IBM cloud platforms. The articles provide tested techniques for securing IoT applications.
Posted by AcdntlPoet
Do you follow the IBM PSIRT Blog? No? You should. The IBM Product Security Incident Response team consistently publishes information about: IBM Security Bulletins, IBM Security Vulnerability Management (PSIRT), Reporting a Security Issue, and IBM Secure Engineering.
The IBM Product Security Incident Response Team (PSIRT) is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to IBM offerings. IBM PSIRT is a focal point for security researchers, industry groups, government organizations, and vendors to report potential IBM product security vulnerabilities. This team will coordinate with IBM product and solutions teams to investigate, and if needed, identify the appropriate response plan. Customers of IBM offerings should continue to report all product related issues, including potential security vulnerabilities, to IBM Technical Support. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.
Most Security Bulletins are accessible via the IBM Support Portal. Subscribe to My Notifications to be alerted when a Security Bulletin is released or updated. In addition to My Notifications, you can also subscribe to the RSS/ATOM feed for the IBM Product Security Incident Response (PSIRT) Blog.
IBM Security Bulletins follow a standard format and include elements that identify the type of vulnerability and its potential impact. Given their sensitive nature, Security Bulletins do not include detailed vulnerability exploitation information.
Posted by doboski
In this day and age, security is a very hot topic, and as soon as one vulnerability pops up and is addressed and mitigated, another one is found. It is a vicious circle of identifying and addressing that does not seem to let up. Our fixpack release notes list information regarding the mitigation of vulnerabilities that were addressed without an APAR. Sometimes, a vulnerability is addressed as an APAR instead.
The reason I mention security vulnerabilities is that resolving them sometimes has an effect on existing functionality, and that effect may not always be clear. Sometimes, the result of fixing these vulnerabilities can "change" functionality.
As an example, the 3.5.2 release notes mention an APAR under which external URL navigation items now open in a new window to avoid cross-origin scripting vulnerabilities. Prior to the 3.5.2 release, an external URL in the navigation simply opened in the same window. We have seen some issues where clients wanted the original design, but that is no longer possible, since the change was made as a result of fixing a security vulnerability. The current behavior is correct and cannot revert to the old design. So in this case, an APAR was referenced. In other cases, there may not be one. You can look at the 18.104.22.168 release notes (found here http
As the product develops and security vulnerabilities are found and addressed, the way something works may change. Reading the release notes can be a source of information, but it may not always be clear why something changed. We all know change is hard, especially when we are so used to something working a certain way. I don't know about you, but if the change was made to address a security vulnerability, I can live with that and accept the change.
Posted by doboski
If you are an administrator for TRIRIGA, chances are you have access to Security Manager, which is responsible for granting access to the TRIRIGA applications through the security groups. Prior to 3.5.2, the only way to view security access was to go to the Access tab and then select the Access Configuration sub-tab. That is where you would grant (or remove) access. However, it is not very user friendly in terms of finding something and seeing the overall picture of the access of the selected security group. So in 3.5.2, a new sub-tab called Access Summary was added to the Access tab.
The Access Summary tab shows you, in a column format, the permissions of the module/business object, form, tab and section. You are able to filter by each of those fields, but only the module/business object and form filters have a drop-down list. The rest of the filters are free-form text, so be careful when entering data into them.
It is worth noting that when you go to the Access Summary, it will take a little while for the data to come up. This is because of the query used to extract all that data. Once you have the data up, you can start using the filters to look at the access, for example which modules/business objects the group has access to, or a specific form you want to look at. The permissions field shows the specific permission, whether it is Read, No Access or the name of the action, like Asse
This tab should now make it much easier to identify what a security group has access to. If you find yourself limited in what you can do within the tab, there is an Export button that exports the data into a tab-delimited .txt file. When you click the Export button, you get a message letting you know that the export will run in the background and that you will receive a notification when it is complete, so monitor your Notification notices. It should also be noted that the file is exported to the application server, not your local machine. The path where the file can be found will be in your notification. If you don't have access to the servers, you will need to reach out to your system administrators to get the file for you. Here is what the file looks like when it is imported into Excel.
So there you have it - an easier way to view the access of a security group.
New interim fixes (iFix) are available for Rational DOORS.
Note that all of these fixes include updates to address issues reported in the following security bulletin:
Refer to Fix list for Rational DOORS and DOORS Web Access for additional details about the fixes that are included in each of these releases.
Posted by Chris K
Configuring secured SAML with WebSphere requires web pages to be protected. The design of the TRIRIGA application does not currently allow you to set up the EAR or WAR (depending on the TRIRIGA platform release) to include web page protection. The ability to protect the web pages in this manner would require a major change to the TRIRIGA platform, so this is not viewed as a defect but as an enhancement.
So, what can I do to get this level of security? Your best option is to check the Request For Enhancement (RFE) site to see if someone has already requested that this be required in a future release. If an RFE exists, vote for it. The more votes an RFE has, the more likely it is to be included in a future release. If an RFE does NOT exist, create one and be sure to go to the Service Management Connect (SMC) forum and solicit votes for your enhancement request. Below is information about the RFE process that I provide to customers when a PMR leads to this sort of issue.
You might consider submitting an enhancement request via the Tivo
On the RFE page, there are 2 pick lists under the title Filter the page content by brand and product that help you start the search for existing RFEs regarding the TRIRIGA application. Set the left-hand pick list to Internet of Things and the right-hand pick list to IBM TRIRIGA Platform. Next to the right-hand pick list is an arrow pointing right. Click it and the list is automatically filtered based on the selections in the pick lists. Underneath these pick lists is a search text field; you can enter text there to further refine your search. For this issue, I typed SAML in that field and pressed the Enter key. There are 2 RFE entries listed as a result. If, after reviewing the entries, you determine they do not fit your requirements, create a new RFE. If the existing entries DO fit your requirements, vote for them.
Inside each RFE record is an ID field. This field is immediately below the title of the RFE. In order to solicit votes for your RFE, navigate to the SMC forum for IBM TRIRIGA Platform and create a new forum entry with the title of your RFE. In that forum post, be sure to include the merits of your RFE and provide the ID. This will make it easier for people who want to vote for your RFE to find it via the RFE home page. Remember, the more votes for a particular RFE, the more likely it is to be considered for a future release of the IBM TRIRIGA Platform.
Posted by doboski
Managing your security groups in TRIRIGA
There are some things to know about managing your security groups in TRIRIGA. Out of the box, TRIRIGA comes with pre-defined groups based on various roles. You might be able to map one of your roles to an existing security group. But if you need to make additions to an existing group, it is best to copy the group it most closely resembles and then modify the copy for your needs. It is best to know what the out-of-the-box groups offer and what your needs will be; then you can determine whether you can use an existing one or need to create a new one. It is a best practice to copy an existing group and make changes to the copy whenever you need to remove or add access. This way, if something is not being granted correctly, you can refer back to the out-of-the-box role to see if the problem still occurs there.
It should also be noted that you do not have to define one giant security group for a user who has multiple roles. For instance, you might have a user who is a Lease Manager but also has a role in Facilities Maintenance. You would associate the user with 2 different security groups, one for Lease Manager and the other for Facilities Maintenance. This way, if you end up with security issues, the best way to troubleshoot them is to remove groups until only 1 is associated with the user. Test. Then remove that group and add another one.
The exception to copying security groups is the Administrative group. This is a group that should not be copied, because it is a special group with special privileges, and copying it would not copy all of those privileges. You can certainly add users to this group, but as mentioned, it is a special group, and you might not want all users in it. Instead, consider putting your administrative users in the TRIRIGA Application Administration group. This group has most, if not all, of the administrative privileges an administrator would need.
If you do need to create your own security group, it is best to first map out the access you want it to have. See if there is an existing group that resembles what you are looking for, then copy it and modify the copy to what you need. Copying an existing group and then modifying it is certainly easier than creating a new group from scratch.
Another important note regarding managing your security groups is defining whether they are specific to a particular organization or geography. Depending on how widely you use TRIRIGA, your data could be defined across multiple organizations and geographies. You could have Lease Managers in different organizations and geographies who should not see each other's data, so you would have a Lease Manager group for each organization. But some people in a role might need to see the data across multiple organizations; their group would have the same application access, but its organization and geography level would be set one level higher in the hierarchy so that the children are included. Once you have defined System Organization and System Geography on a group, only records that have those fields defined can be accessed, so you need to be careful with the data and access.
It is important to note that your group structure can be difficult to manage if your groups combine System Organization, System Geography and application security in the same group. The best practice is to use multiple groups and layer them for each user.
For example, Group 1 defines System Organization security as \Org
For more information regarding System Organization and System Geography, please check out the wiki.
After creating or modifying your security groups, it is a good practice to go into the Admin Console -> Cache Manager and clear the Security Scope cache.
Posted by AcdntlPoet
In this two-part blog series, Bruce Powel Douglass, Ph.D. (Chief Evangelist, IBM Analytics) discusses security in the Internet of Things world, both in terms of the connection and the devices themselves.
Securing the Internet of Things. Part 1 – Security in a world of connected devices: Time was when smart embedded devices needed little or no security. They were, for the vast majority, disconnected devices that performed simple dedicated functions. Now, as we hear ever more about the Internet of Things (IoT), it seems everything is connected over the web. Washing machines are connected over the web. This allows unprecedented capabilities both for consumers to connect and manage their lives and for vendors to improve services, monitor usage patterns, deliver updates, and address emerging markets. It is not, however, without risk.
Securing the Internet of Things. Part 2 – Securing the 'Things' of the IoT: In my last post I discussed the overall challenges of securing the Internet of Things. In this post I focus primarily on the "Things" of the Internet of Things. Certainly securing the cloud end is important as well, but there has always been far more emphasis on cloud security than on device security. I think there are a number of essential aspects of a development environment for designing secure systems.