One of the key messages that IBM talks to our customers about as it relates to security is the concept of "Secure by Design".
This means that we want to help our customers build security in from
the beginning. There's been a lot of discussion in the security
community about some comments made at a recent security summit about developers and that they don't know <bleep> about security. I agree with this post by John Wilander that the appsec community needs to do a better job teaming with developers instead of just telling them that they don't know what they're doing. John Wilander says in that in his interviews of 200+ developers this is what they care
" Software Priorities According to Developers
Functions and features as specified or envisioned
As security practitioners we need to ensure
that we can talk to developers in terms that make us partners and not
adversaries. We need to facilitate education and training that makes security not an afterthought or a burden but something that just becomes part of what they do day to day... kind of like how they follow Java coding standards. This situation reminds me a lot of what I saw when I first started working with Rational 14 years ago and we worked with customers implementing our Java IDE (Rational Application Developer, Rational Software Architect, or even just base Eclipse). I worked with a lot of new Java programmers and we would talk to them about the importance of using standard Java coding standards like file organization, comments, naming conventions, etc. Did they like having us impose these standards? Not really... they just wanted to write code. But their management saw the importance for such reasons as ensuring readability and improving the ease of maintenance, and over time code reviews and adherence to these standards just became part of the process. Readability and maintenance as benefits are nothing compared with the negative impact that management should be worried about with security flaws: financial loss, loss of reputation, loss of intellectual capital. So why isn't development management more open to the importance of security? Well, IMHO,
who can blame the development teams for being resistant when many appsec folks show up with a list of everything that's wrong with their code when they've been working long hours and weekends to meet tight deadlines imposed on them by the business?
If you're a developer do you agree with the above list? Have you had "run-ins" with the appsec folks?
If you're an appsec person what do you think can be done to improve the relationship and help move security up that priority list?
From Part 1 of a 3 part white paper series on Secure by Design..
and governments need a smarter approach to IT security.The costs (both
financially and otherwise) of trying to apply security as an
afterthought are simply too great. For a more efficient, protected and
streamlined IT environment, security needs to be an integral part of
system design. That is why IBM Security Solutions are built on the
philosophy of Secure by Design, a philosophy which states that IT
infrastructure should be designed, created and operated with security
constantly in mind. IBM cites three primary components to creating, and
maintaining, a secure infrastructure:
● Knowledge of threats and vulnerabilities
● Structural elements
● Ongoing validation
first of a three-part series, this executive summary whitepaper reveals
how IBM helps clients understand threats and vulnerabilities so that
they can more effectively apply the Secure by Design philosophy to
their IT environments."
The 8.0 versions of AppScan Standard, AppScan Enterprise and Policy Tester were released (eGA) on October 26, 2010. This release delivers a number of new and exciting features. The AppScan offerings provide:
Correlation of static and dynamic analysis results for enhanced accuracy of results
Enhanced scanning of Web 2.0 and Complex applications
Enhanced service-oriented architecture (SOA) support (web services security)
WebSphere® Commerce Server and WebSphere Portal support
Reporting and usability enhancements
The Policy Tester offering provides:
Enhanced scanning support for WebSphere Portal and AJAX applications
Accessibility Edition enhancements to the Web Content Accessibility Guidelines (WCAG) 2.0 rule set, developed in conjunction with experts at the IBM Accessibility Center
Newly released research reveals that while C-level executives feel good data protection efforts support organizational goals such as compliance, reputation, management or customer trust, there is a lack of confidence in the ability to safeguard sensitive information. The Business Case for Data Protection was conducted by Ponemon Institute and sponsored by Ounce Labs, an IBM Company. It is the first study to determine what senior executives think about the value proposition of corporate data protection efforts within their organizations.
Please plan on joining Jack Danahy - Security Executive IBM and Larry Ponemon, Chairman & Founder of The Ponemon Institute as they present the Rational Talks to You Chat: New Ponemon Study Reveals Disconnects in Building the Business Case for Data Protection
This presentation will begin on March 31, 2010 at 10:00 AM Eastern Daylight Time.
Rational Quality Manager 2.0.1 was just released on www.jazz.net and I'm pretty excited about some of the new features they've included. Many of them will improve your productivity and improve the ease of adoption of RQM in your organization. Brian Massey, Product Manager for RQM, explained the driving force behind this new release at his blog A Quality Trek:
"The feedback we heard from you is
that Rational Quality Manager needs to be more consumable to minimize
deployment time for your projects, to allow your organizations to accelerate
adoption. Rational Quality Manager needs to scale better to handle a
large set of data and needs to be able to easily find records. Rational Quality
Manager needs the ability to provide the concept of a test strategy or master
test plans from which more detailed test plans can be defined. We need better
reuse by duplicating artifacts as well as steps of manual tests. We heard you
loud and clear."
Summary of New Features
PDF Printing - The print to PDF button was a great feature that existed
before but wasn't available on all artifacts. In 2.0.1 the Print to PDF button has
been added to snapshots, remote test scripts, artifact history and
execution results. In addition to
the Normal View there is also a history view.
Compliance Requirements - There are two new features that help some of my
customers with their compliance requirements. RQM 2.0.1 has enhanced the snapshot
capability to now create a snapshot of an execution result record. In addition, there is now an audit
history for remote execution scripts, execution result groups and execution
schedules. And as mentioned earlier
there is now an artifact history report using the PDF print capabilities.
Test Plan – This new feature allows you to create a master test plan and
then create child test plans for that master test plan. The child test plans will inherit data
from the master test plan including: quality objectives, exit criteria,
of Manual Test Steps – The ability to copy step(s) from a manual test to
the clipboard to use in another manual test will help testers build tests
faster and reduce potential of manually retyping the information across
of Test Artifacts – There is now a duplicate button on all test artifacts
which allows you to duplicate that artifact within a specific project area or
between project areas.
Full text search – the scope of the search utility has been improved and
also now includes support for keyword, execution result, execution record
and C/ALM link artifacts.
Test Artifact Filtering – The view builder has been replaced with a more
comprehensive and easier to use interface. You can now filter on any column in a table.
for Test Suites – The test suite summary page now allows you to specify
Supported Platforms - Solaris 10 on 64 bit SPARC platforms and Windows
Server 2008 R2 Standard and Enterprise editions x86-64
My developerWorks is a community of developers and IT professionals. I participate not because I'm paid to do so but because I want to be part of a community of like-minded individuals in the IT community and share my knowledge and learn from others.
By now I'm sure many of you have donated money, clothes or food to help the people in Haiti
but continue to watch the news reports coming out of Haiti with disbelief and want to do more. I wanted to share a community driven initiative to leverage
technology skills to solve a humanitarian crisis. They're not asking
for money they're asking for our technical and project management
skills and time. Please visit their site and see the numerous
technical projects they've already started. One of note is that they've already built an Android and iPhone translation app to help translate English to Creole (and all within a few days). iPhone App I will be going to the meeting in Miami on Saturday. I hope my fellow community members on My developerWorks join me in contributing their expertise for a great cause.
"CrisisCommons is Community Technology + Humanitarian Relief
CrisisCommons brings together domain experts, developers, and first
responders around improving technology and practice for humanitarian
crisis management and disaster relief -- for projects like these."
They are hosting meetings in many cities starting this weekend and in upcoming weeks.
Since my last top 10 list seemed to be popular... here's my next top 10 list (watch out David Letterman).
RQM 2.0 is now in Open Beta 2. If you think 1.0 was great wait until
you see 2.0 which is jam-packed with new features. Here’s my list of
10 features that jumped out at me. I will have subsequent posts that
describe each new feature in detail.
10 Reasons you should be excited about Rational Quality Manager (RQM) 2.0 (in no particular order since I love them all!!)
Manual Testing Enhancements
Duplicate Defect Detection
Risk Based Testing
Dynamic Test Plan Hierarchy
Integrations to Improve Team Collaboration
Jump Start of Manual Test from Test Design
Test Plan Quality Objectives and Entrance and Exit Criteria
During the quality management keynote at the recent 2009 Rational User's Conference, the speakers talked about the top 10 challenges to software quality. They included:
Pressure to reduce cost
Competitive demand to deliver faster
More unpredictable use of applications
Creation of more complex software ecosystems
The rise of government standards
Lack of domain knowledge/content
Inability to find and reuse test assets
Lost knowledge from previous experience
Business view of the test
Lack of goal driven tests
Are these the right top 10? Two others I might also include:
Test data creation and management
Ability to improve communication between the quality team and the rest of the team - hallway conversations, phone calls, meetings and email discussions all have their place, but is there a better, more efficient way to have those discussions?
What other challenges that aren't on my list are you facing in your organization?
I've had a lot of people ask me does Rational eat its own
dog food (meaning do we use our own tools to develop our tools). I don't like that analogy... I always respond
"Yes, Rational drinks our own champagne!" After checking out Jazz.net I hope you'll
agree that Rational not only drinks our champagne but we also share our
champagne with our customers.
I've been with Rational for over 12 years and I believe we've
always been an innovator and leader in software development tools and best
practices. 12 years ago the norm was for
customers to base their decisions on what was the best of breed product; Rational introduced the concept of Suites
which advocated the integration of various tools to improve collaboration. Rational is again leading the industry with
the next generation of our software
development tools that are based on the Jazz platform. The Jazz Platform provides improved
collaboration through the use of modern Web 2.0 technology.
Do you want to know?
Do you want to see a view of the Dashboard that our internal
development team is using?
Do you want to know if a particular feature made it into the
Do you want to report a defect or enhancement request and
easily track the status of the request?
Do you want to easily participate in forums of like minded individuals?
Then check out these How To's:
(you'll need to have registered as a user on Jazz.net to access these links)
Click on Review Release
Click on Explore Detailed Iteration Plans link
Review the current RQM defect dashboard on Jazz.net. You can even drill down and see the
work items and search on them. Click here for dashboard
So as I thought about what to post for my first entry and the beginning of my blogging adventure on My developerWorks, I thought it appropriate to talk about 2 topics that are close to my heart these days: Rational Quality Manager (RQM) and Twitter.
As the practice lead for Quality Management, RQM is an obvious topic, but Twitter is a new interest of mine and I have to say I am now on the Twitter bandwagon. I don't know about you but I had signed up for a Twitter account a while ago... but I didn't really get it at first... I've just been lurking for a while. I was actually a little intimidated at first by the terminology... what's an @ sign, what's a # hashtag, what's the Twitter etiquette, and what's up with all those new Twitter words - I needed a Twictionary. While I'm by no means a Twitter expert yet, I'll be sharing some of my Twlessons (new word I just made up :-) ) in upcoming posts. So if you're a newbie interested in learning more, stay tuned.
But for all of you Twitter experts, and even you newbies, I thought I'd talk about how you can easily add Twitter feeds right into RQM.
So you might be asking yourself: how does the ability to add a Twitter feed into RQM help me do my job better?
Improve team collaboration - One of the challenges faced by the test team is how to improve collaboration with others in the organization. Why not add a dashboard tab and add in the Twitter feeds from your teammates? Now you have all the feeds in the tool you spend most of your time using.
Improve your expertise in a subject - Follow other experts talking about topics you want to learn more about such as Automated Testing, Software Development, Cloud Testing, Social Media, Agile Development, etc.
Share your knowledge and experience and build your community presence and professional network - My desire to build a larger and stronger Rational Quality Management community is what inspired me to start blogging and posting to Twitter. I've already developed some new contacts and I look forward to connecting with all of you who may be reading this blog.