I'm very happy to announce a three part series by Ori Pomerantz which shows you how to navigate Facebook's permission model and build an application that can post to a Facebook wall or make other sorts of interactions with Facebook on behalf of a user.
Ori has made his source code available on IBM DevOps Services so you can use his code as a starting point for your own Facebook application.
If you have ever had the need to automate Facebook posts, this article series is for you!
IBM Security Systems has just released a new how-to guide that shows how SIEM events generated by QRadar can be used to "automagically" create new rules in Guardium policies and push them out where they need to go.
The solution is called QRGuardium and you can read all about how to set it up in this new how-to guide. This guide will be of interest to anyone who wants a more responsive, dynamic data protection policy.
It's a cliché to say that IT security professionals need to get "proactive" about managing the security risks to their company or organization. If you spend every hour of every day reacting to the latest alerts from your monitoring infrastructure, you're never going to get there.
How do you stay ahead of the emerging threats? Where do you hear about trends in security attacks? What tools do you need? What are your sources of information?
This new information source from the IBM X-Force team will help you and your enterprise research threats, integrate actionable intelligence and collaborate with peers using its global threat intelligence. It's just the sort of clearinghouse you need to plan for tomorrow's security threats instead of reacting to yesterday's.
The IBM X-Force Exchange Team is hosting a live webinar on Wed, Apr 29, 2015 11:00 AM - 12:00 PM EDT.
You can regi
Here's an introductory video:
Leyla Aravopoulos, Kenneth Cheung, and William Frontiero have just published a new how-to guide that shows how to use the application import feature of AppScan Source to import a deployed application's binaries into AppScan Source for static analysis. This approach avoids the typical pitfalls of static web application scanning associated with compilation features, missing libraries, etc., while improving application coverage. This how-to guide will be of interest to anyone who has faced challenges with the traditional configuration of static analysis tools.
I want to make sure everyone is aware of the latest X-Fo
As you might expect, there's a lot of post-heartbleed research and discussion in the report. In the video below, Michael Hamelin discusses some of the key findings in the report:
Many second-factor authentication systems can be integrated with ISAM for Mobile. In ISAM for Mobile, second-factor authentication can be treated as an obligation. The obligation handler extension point provides integration with external second-factor authentication systems. In this
This white paper discusses how, with an IBM suite of Intelligence Solutions, cloud computing can be both attractive and secure.
Download this white paper to learn about:
You know you need to get a better handle on managing the security of your public-facing web apps. But what does that mean exactly, and how do you elevate your day-to-day activities into something that doesn't resemble a chicken running around with its head cut off? IBM Security Systems has a demo video that will help you think about what web app security management _should_ look like.
This demonstration video follows Steve, IT security manager for an online retailer, as he utilizes IBM Security AppScan® Enterprise to manage application security risk. The video demonstrates how Steve uses IBM Security AppScan Enterprise to review applications' security risk ratings, address PCI DSS compliance requirements, and gain a comprehensive view of application security risk in his organization.
IBM® Security AppScan® is a leading application security testing suite designed to help manage vulnerability testing throughout the software development life cycle. IBM Security AppScan automates vulnerability assessments and scans and tests for all common Web application vulnerabilities including SQL-injection, cross-site scripting, buffer overflow, and new flash/flex application and Web 2.0 exposure scans.
AppScan provides full coverage of the OWASP Top 10 for 2013. Our solution also includes support for the industry-standard Transport Layer Security (TLS) protocol 1.2, and is compliant with Federal Information Processing Standard (FIPS) 140-2 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131A.
Download a trial version of AppScan Standard.
I know everyone's scrambling to figure out what has to be patched to fix the Heartbleed bug. Please keep in mind that Heartbleed is a bug in the OpenSSL implementation of SSL, not a flaw in SSL itself. I know that many IBM products don't use OpenSSL and aren't affected by the Heartbleed bug. Having said that, there are probably some IBM products that DO need to be patched. And I wouldn't dare try to enumerate them.
Because IBM has a team of people whose job is specifically to monitor security vulnerability announcements, make sure the teams behind affected IBM products are made aware, and make sure patches get rolled out. They are the IBM
Jon Tate has published a post on the System Storage Redbooks blog with more details on how to get plugged into the PSIRT team's announcements about Heartbleed and other security alerts. So go check that post out and get plugged in.
Encrypting Data With Confidence
IBM has published a new white paper on encrypting data at enterprise scale. Learn about encrypting mission critical data with confidence and reduce security risks across the enterprise and beyond.
In this developerWorks video, Jose Bravo leads a chalk talk on the QRadar integration story at IBM. Jose discusses the QRadar integration with:
IBM recently released its 2013
What strikes me about this list is how much it applies to the boots-on-the-ground security practitioner just as much as to the CISO. It's food for thought for IT security people at any level. The points that strike me the most are:
Establish A Strategy: Too many practitioners get caught up in the day-to-day grind, tactical issues and daily fire drills. But to the maximum extent possible, practitioners need to think about the overall strategy, help define it, and _let the strategy define them_. In other words, prioritize your work choices according to the strategy. Of course, if a manager says, "go do this," you go do it. But you should always use the organization's strategy to shape your work when you can. Strategies are NOT just for the people at the top.
Build Trust: I think it was Dave Ramsey who said anyone who doesn't think they're in the trust business isn't in business very long. Practitioners would do well to remember that. I'm not suggesting that security practitioners start wearing the dreaded suit and tie to work every day. But realize when you are making commitments, whether explicit or (and especially!) implied, on behalf of your organization; people remember failed commitments for a long time.
Focus On Overall Risk: This one is similar to Establish A Strategy, but it's more operational. Practitioners have to make tough choices every day about how to spend their time and how to spend their budget. Asking yourself which course of action is going to be best for reducing overall risk is a pretty good sorting mechanism. If you can break it down to the classic "probability times potential loss," great. If not, trust your gut.
As a long-time WordPress user and advocate, I'm always interested to see what the X-Force team has to say about the security of content management systems in their reports. The X-Force team recently released their IBM
First, the good news: the percentage of reported vulnerabilities that are related to web applications has come down, at least so far, from 2012. From the report:
"The majority of vulnerabilities that the X-Force team documents are those in web application programs, such as Content Management Systems (CMS). In the first half of 2013, 31 percent of vulnerabilities that were publicly reported are what we categorize as applications used on the World Wide Web. This number is down significantly from 2012 where we saw levels at 42 percent."
And there seems to be some progress on thwarting the tried-and-true types of attacks. As Figure 6 in the report shows, the number of reported SQL injection attacks decreased, although cross-site scripting attacks remained about the same:
That's some cause for optimism, and I'd like to think that the industry is turning the corner on making these types of attacks a thing of the past. But what about CMS-type applications? The report strikes another cautious note of optimism. It seems that CMS vendors are improving their security incident response processes. From the report:
"Major CMS vendors have embraced security and do a good job of patching their core software when security vulnerabilities are reported to them. Seventy-eight percent of all vulnerabilities reported in CMS were patched in the first half of 2013, while in 2012 we saw that only 71 percent of vulnerabilities were patched. Year over year we see that these vendors are doing a better job of keeping their products up to date with the most recent security coverage."
Of course, the vendor has only part of the responsibility: issuing the patches. Getting CMS application administrators to actually apply the security patches is another matter entirely. One of the reasons I'm such a WordPress fan is that they a) make it easy to upgrade to the latest version and b) have a great track record of not breaking backward compatibility when they release bug-fix releases, so people are willing to actually take a risk on installing the upgrade.
The dark side of the CMS picture, especially for WordPress, is that their architecture makes it extremely easy for third-party vendors to produce extensions to the core CMS. This is probably key to the popularity of CMSs in general, and I'm sure it's key to WordPress's popularity. But these third-party vendors don't have as good a track record:
Barely half of the known security vulnerabilities in CMS extensions have a patch issued by their vendor. That's inexcusable. But the practical lesson for people who deploy and run CMS systems is that every extension you add to your CMS is probably increasing the risk that your overall CMS environment has exploitable vulnerabilities for which there is no known patch. Yes, it's super easy to install the plugins, but you have to have the self-discipline to check for CVE reports and check with the vendor about vulnerability reports before you make your organization dependent on that cool plug-in you just heard about.
37% of all security risks begin at the application layer. Software applications support the most sensitive and strategically important business processes of most enterprises. Yet application security is one of the most neglected fields of security. That puts pressure on every team in the organization, from developers and IT up to the CISO. Security is no longer an IT issue; it's a business issue, and developers are at the forefront.
Learn what you can do to find application vulnerabilities
David Marshak, Jason Todd, and Kris Duer (Lead Analytics Developer, AppScan) from IBM Security's AppScan team will be leading a webinar on moving your Static Application Security Testing to the cloud and using advanced analytics to help find risks in your applications. Here's how they describe the webinar:
"In this session we will introduce IBM Static Analyzer (now in beta) and show how it greatly simplifies static analysis (or white box) security scanning. We will discuss and demonstrate how it can easily integrate into the development lifecycle, as well as how it uses advanced analytics to produce targeted/actionable results to enable you to remediate security vulnerabilities."
This webinar will be held on Thu, Aug 13, 2015 from 12:00 PM to 1:00 PM EDT.
Nilesh Patel has just published a new how-to guide on the developerWorks security community titled "Aut
Here's the abstract:
In today's dynamic infrastructure world, every organization runs with multiple Line
I'm happy to announce we've just published Ori Pomerantz's guide to crea