A Service Stream Enhancement to zSecure 2.3.0 has been released.
This provides enhanced ACF2 support:
* analysis of protection of CICS transactions
* mapping of z/OS UNIX UIDs and GIDs to ACF2 logonids and groups
* user interface extensions (divisions; installation defined LID fields)
And enhanced compliance features:
* easy checking of individual DB2 object permissions
* automatically tagging data sets with multiple sensitivities
* reporting improvements
And more zERT connection encryption data is sent to IBM QRadar SIEM
You can find technical details on the Service Management Connect - System z blog, in this entry.
It's been a whirlwind this past year for me as I managed the developerWorks Security hub. As we close out 2017, I thought I'd post here on all the stuff you might have missed out on:
If you are interested in writing for developerWorks Security for 2018, please email me at email@example.com.
It provides currency support for z/OS 2.3 and RACF:
* policies for pervasive encryption of data with key labels
* connection protection with z Encryption Readiness Technology (zERT)
* extended reporting for Integrated Cryptographic Services Facility
* extended multi-factor authentication (MFA) options
It extends security intelligence and analytics capabilities:
* a zSecure Alert feed to HPE Security ArcSight
* a zSecure Admin Access Monitor feed to IBM Operations Analytics for z Systems
It provides currency support for:
* Db2 12
* Security Technical Implementation Guide (STIG) 6.31
Details can be found on the Service Management Connect - System z blog
in this blog entry by Jeroen Tiggelman.
JSON Web Tokens (JWTs) are a popular option in the authentication space, but there are some inherent risks. While you gain flexibility by using a JWT, you lose the ability to revoke a token once it’s issued. To minimize the time between an administrator locking a user account and the time at which a previously issued token expires, the JWT should be short lived. This time window, while designed to be brief is a common security concern. Traditional solutions to this problem defeat the benefits of using a portable identity. Inversoft has come up with a novel way to solve this issue in a complementary method. Brian Pontarelli will cover how to implement this JWT revoke strategy to reduce the vulnerability window.
Missed the live coding event? See the replay here: http
Here's a snippet from the article:
In addition, the authors provide you with the resources you need to recreate the steps with the popular social media sites, LinkedIn and Instagram. Comment if you recreated the steps!
The different options within Bluemix bear diverse requirements to the authentication of users. This new article explains the various possibilities on how Bluemix users are managed and authenticated. The authentication covered in this article focuses on users of the Bluemix platform, i.e., developers, administrators, or operators. Applications running on top of Bluemix can use any authentication method that is appropriate for the application’s purpose.
Jeroen Tiggelman posted a sum
The new checks are centered around CA-ACF2 data set related controls.
An overview of all available compliance controls can be found in an updated technote.
You might also be interested in rece
Latest in dW Security: Play in the brand new sandbox and create a machine-learning, security front end
If you haven't checked it out yet, make sure to read the two newest articles on developerWorks Security:
Another tutorial we recently published, Crea
This provides service for new DB2 region security settings, new SMF log event records, and a new DB2 object privilege.
You can find technical details on the Service Management Connect - System z blog, in this entry.
The IBM Security zSecure team published a service stream enhancement (SSE) providing this Access Monitor data feed on March 30, 2017.
The IBM Operations Analytics for z Systems team published Insight Pack 3 providing the capability to interpret the data feed on March 29, 2017.
Technical details can be found in this blog entry by Jeroen Tiggelman on the Service Management Connect - System z blog.
In this new tutorial, the Guardium team describes how you can audit and keep track of privileged users and how they might be compromised. This tutorial combines the power of Guardium with IBM Security Privileged Identity Manager so that you can start building a secure immune system.
You'll learn the benefits of fusing Guardium with PIM, the solution architecture, and how you can enhance reports with data configured from PIM.
I'm happy to announce that we have just published a new article regarding the new function AppScan Standard integrated with Application Security on Cloud.AppScan Standard 22.214.171.124 can integrate with Application Security on Cloud (ASoC). It is now possible to upload scans and templates (SCAN or SCANT files) to Application Security on Cloud to run scans.This article will introduce how to configure and run a scan in AppScan Standard to Application Security on Cloud.
Increasing demand from today’s employees for a flexible experience that affords them the option to use the mobile technology of their choosing has disrupted traditional approaches to IT management and security.As a first response, it’s not uncommon for companies to launch brin
Join guest speaker, Forrester Senior Analyst Chris Sherman, and IBM MaaS360 portfolio marketing leader, Jonathan Dale as they share best practices for securing and empowering your mobile workforce.
You will learn:
Rolling out large enterprise software across any organization requires a smart infrastructure plan and an eye towards future scalability if the deployment is going to be a success. With IBM BigFix Software, there are some specific challenges that need to be met when designing a deployment from a performance perspective. Here is how one team within IBM faced a performance challenge and solved it using a smart infrastructure plan.
Read the full paper by authors Shaun T. Kelley and Mark Leitch:
Shadow IT refers to the information technology solutions used inside an organization without the explicit approval of the organization. In recent years, the advent of cloud computing has made it easier for employees to circumvent IT department and use a variety of cloud applications without the knowledge or approval of the organization. Despite the high visibility of recent data breaches, most employees still choose to use cloud services to be able to do their job more efficiently. In a study conducted by IBM Security, it was found that 1 in every 3 Fortune 1000 employees regularly saves and shares company data to third- party cloud-based platforms that are not explicitly approved by their organization . This figure is expected to increase as the workplace demographic starts to change and millennials who are greater users of cloud applications  make up more and more of the workforce.
It provides security intelligence and analytics improvements:
* a near real-time SMF event feed to IBM Security QRadar SIEM
* a zSecure Admin Access Monitor feed to zSecure Alert
* performance and scalability improvements
It extends support for these security standards:
* Security Technical Implementation Guide (STIG) 6.29
* Payment Card Industry Data Security Standard (PCI-DSS) 3.2
It provides currency support for:
* CA-ACF2 16 and CA-Top Secret 16
* MQ 9
* Service stream security enhancements for z/OS and RACF
Details can be found on Service Management Connect - System z in this blog entry by Jeroen Tiggelman.
In this tech note, the authors' purpose is to provide best practices on the topic of enabling DB2 native encryption in an HADR environment. Additionally, the note provides a simplified set of working steps, with examples. These steps are designed to minimize the downtime at the database service.
z/VM V6R4 was announced on October 25, 2016 with a planned availability date of November 11, 2016.
A summary of the toleration fixes that have been made available for zSecure can be found on the Service Management Connect - System z blog.
They apply to zSecure Manager for RACF z/VM 1.11.1 and 1.11.2, and to zSecure for z/OS 2.1.0, 2.1.1, and 2.2.0.
In an exci
Be sure to check out presentations from Dave Stewart and Eitan Worcel on Tuesday, November 15th at 11:00am ET.
In this live webinar, you will learn how you can:
For more information, visit:
In his new article, Yang Qi demonstrates how you can apply the Node.js application ot the new enhancements of the Auto-Scaling for Bluemix® service.
So what does this mean for security enthusiasts? It means that you can actually improve the elasticity of your applications with the features on the Auto-Scaling service. It means that you can customize your policy and automatically increase or decrease the CPU threshold, thus maintaining a healthy condition without wasting resources.
This tutorial also shows you just how easy it is to utilize the new metric types, heap and throughput.
Check out the article today!
The TRS Q3 cash payment recipients have just been announced. A huge congratulations to these Security contributors who have been recognized:
by Nandkishor V Gitte and Joseph Fitterer
(NOTE: The PDF file has been updated with clickable hyperlinks.)
This workbook contains a series of lab exercises to introduce you to JK Enterprises, which uses the features of IBM Security Identity Manager virtual appliance 126.96.36.199.
The objective of the lab exercises is to provide you with hands-on experience with the configuration and operation of IBM Security Identity Manager 188.8.131.52.
The workbook is designed to complement the presentations that cover each of the features. More detailed information on IBM Security Identity Manager 184.108.40.206 features and functions are found in these presentations. More information is also available in the product documentation on IBM Knowledge Center.
To find more cookbooks, visit IdentityDev at:
We've all been hearing more and more about BigFix®. If you're an IBM BigFix administrator, you'll want to read on. (Even if you're not, you'll find this interesting!). Here, we have an article from Marco Mattia where he outlines Virtual Relays and the instructions on how to use the this feature. You'll learn the benefits and advantages as well to using a BigFix Virtual Relay.
Check out the PDF links below. Happy reading!
Ever experienced a situation like this image of numerous tests and heavy server load? Minimize time wasted on "noise."
Common false positives waste developers' time and energy--with this new tutorial by by Akash Shetty and others, you can root out those common problems.
IBM Security AppScan® is an automated web application security assessment tool that identifies prominent security vulnerabilities, including OWASP Top Ten and SANS 25 vulnerabilities. The tool also provides detailed reports on security issues along with advisory and fix recommendations. With the help of this tutorial, AppScan users can significantly reduce the number of false positives reported.
We have a new tutorial up on the Security hub: "Ass
In this tutorial, author Madhusudhan Rajappa shows you an effective way of conducting a vulnerability assessment of the web applications and network of any organization. This tutorial also shows how to proactively defend the organization from cyber attacks by using a combination of enterprise-grade and trustworthy vulnerability scanners. The scanners that will be discussed in this tutorial are the Tenable™ Nessus® Scanner and the IBM AppScan® Enterprise. Read
Have you visited the Tech
"I’d like to share some information about a TRS dW Content challenge option that we don’t see many of you taking: developerWorks Recipes.
Creating a dW Recipe is one of the fastest and easiest choices in the TRS program to both contribute technical content AND possibly earn a cash payment.
dW Recipes help developers solve specific problems using IBM products and services. Your Recipe should help developers create something useful, walking them through each part of the process."
Try it today, in three simple steps!
Need inspiration before you begin? Check out this selection of popular Recipes:
In this blog post, Mark Leitch demonstrates the BigFix® Query capability and the topology "power" of the infrastructure.
IBM BigFix is a powerful security product able to manage hundreds of thousands of endpoints. BigFix has recently delivered the BigFix Query capability, offering more insight and control over your business. We will give an introduction to BigFix Query, and then demonstrate how it leverages the time tested and field proven BigFix infrastructure to provide impressive results at scale! To read more about this topic, read the blog post in full here:
Subject matter experts will be available to answer your questions, which you can ask through web chat during the presentation. You can also submit them in advance at this URL.
You might also be interested in this
This integration also applies to the zSecure Adapters for QRadar SIEM. The complementary integration with zSecure Alert will be briefly mentioned.
This SSE for zSecure 2.2 provides the following benefits:
- filter commands to quickly zoom in to records of interest
- fast navigation to jump to RACF user and group details
- quick admin capability for TSO and UNIX properties
- enhanced e-mail configuration
- ability to configure large buffers 'above the bar' (64-bit exploitation)
These changes apply to one or more of the following components: zSecure Admin, zSecure Audit, and zSecure Alert.
Details can be found in this blog entry by Jeroen Tiggelman on the Service Management Connect - System z blog.
In this lab configuration guide, authors Smita Kale, Bosko (Boli) Popovic and Vladimir Jeremic walk you through how to set up the lab environment when demonstrating an integration use case.
The IBM Security products that are used to manage user activity on the network video focuses on using IBM XGS, Identity Manager, and Directory Integrator to control user access. The video is available at: http
The Lab Configuration Guide describes the configuration settings necessary for each of the IBM products used in the scenario that is demonstrated in the video. The video assumes that the initial setup was performed for the XGS, Identity Manager, and Directory Integrator products. This guide describes the configuration sets needed to enable the product integration for delivering the end user experience described in the video.
The configuration files needed for Identity Manager are also included, as well as the custom XGS adapter in a .jar package. All assembly lines are included.
To view the full Lab Configuration Guide, click here:
Check out this article from authors Jia Li Chen, Wei Wei Zhang, and Cheng-Yu Yu on how to retrieve deleted templates in AppScan.
In AppScan Enterprise, there are 14 default scan templates installed within the product. However, users may delete default templates in the console by mistake. Learn two methods to retrieve default templates in AppScan Enterprise.
An expert panel will host a Q&A session on all things Cognitive Security and Watson for Cyber Security.
The hangout starts today at 1:30-2:30 pm ET.
BigFix® customers are medium- and large- sized companies that use the product to manage mostly software and security of a certain amount of computers (that amount may vary from dozens to tens of thousands). Many of these customers requested a way to quickly collect information from their environments because BigFix has not been natively built to provide high response times, but rather, persistence and effectiveness. In the first quarter of 2016, the BigFix Rome development team worked on a solution that was able to fulfill these requests; this solution is BigFix Query. Read the tutorial here.
On October 1, 2015 IBM issued a Statement of Direction about providing 64-bit addressing support in IBM Security zSecure. This support has now become available as a Service Stream Enhancement (SSE) to zSecure 2.2.0.
64-bit addressing allows the use of memory above the 2GB "bar" implied by addresses consisting of only 31 bits. Besides allowing the program to store and retrieve larger amounts of data, this also frees up memory "below the bar" that can be used by (other) 31-bit addressing programs.
Typical functions in zSecure that benefit from having a lot of memory available include
- processing very large numbers of events from the SMF event log, e.g. as sent on to IBM Security QRadar SIEM;
- analyzing data for many security databases and LPARs at the same time;
- rule-based compliance analysis based on many underlying technical reports;
- analyzing large intervals (possibly a year or more) of access use data, e.g. to identify obsolete permissions.
The SSE also includes enhancements to 31-bit addressing support. Details can be found in this blog entry by Jeroen Tiggelman on the Service Management Connect - System z blog.
The changes apply to all components of zSecure for z/OS except for zSecure CICS Toolkit and zSecure Command Verifier. For the full benefits a z196 or newer hardware is required.
If you haven't already, watch videos from the IBM Security Summit. Highlights include a presentation by Ginny Rometty on the future of cognitive security.
What if you could build your own authorization proxy that could receive requests and check if they are authorized? It would mean that you could be in greater control of authorization. Read the tutorial on this fairly easy method of creating your own fine-grained authorization if you are not satisfied with your SaaS's authorization checks.
IBM Security Guardium® now has several enhancements that became available on June 3, 2016.
Among the enhancements for V10.1 are:
Read the tutorial for full details.
The figure below is just one of the new enhancements for this release, where administrators are able to see at a glance if there are issues in their managed environment and address them before they get worse.
Watch the tech talk here, which outlines the updates and enhancements.
You can also receive updates to IBM Guardium by signing up for the IBM
So many of us use mobile devices in our day-to-day lives; from business to personal, mobile security is an important topic to ensure that we can safely use our phones, tablets, and more. The ease and convenience of mobile devices comes a great cost:
"...mobility comes with a greater number of security risks and concerns than expected...and more IT resources are required to support the increased number of devices and applications."
This report is an anonymous survey and the findings show how mobile devices have changed security, how businesses are changing the ways that they work, and how they're trying to protect their data.
On February 16, 2016 IBM announced authentication enhancements for z Systems, including a new product IBM Multi-Factor Authentication for z/OS (5655-162), with a planned availability date of March 25, 2016.
IBM z/OS Security Server Resource Access Control Facility (RACF) provided enabling infrastructure updates for z/OS V2R1 and V2R2.
IBM Security zSecure suite provided supporting updates for zSecure 2.1, 2.1.1, and 2.2.
Multi-Factor Authentication raises the level of assurance of mission-critical systems by requiring authentication with multiple factors during the logon process.
Each authentication factor must be from a separate category of credential types:
1) Something you know (e.g. a password or PIN code),
2) Something you have (e.g. an ID badge or a cryptographic key),
3) Something you are (e.g. a fingerprint or other biometric data).
More details can be located through this blog entry by Jeroen Tiggelman on the Service Management Connect - System z blog.
You might also be interested in the zSec
Comment (1) Visits (2896)
Exciting news out of the #IBMSecuritySummit that signifies our journey into the era of #CognitiveSecurity – Watson for Cyber Security is a new version of Watson trained in the language of security and delivered via the IBM Cloud. http
Read the blog post over at IBM Security at http
You can read more about Cognitive Security here.
An assessment of recent data from IBM Managed Security Services (IBM MSS) reveals some interesting findings about attack vectors that don’t make headlines anymore: "Footprinting and Password Brute Force Attack Patterning."
IBM Security Guardium® leads the way in providing a monitoring and auditing solution for NoSQL database systems. In this article by Kathryn Zeidenstein and Sundari Voruganti, the authors provide an overview of one popular NoSQL database, Apache Cassandra, and explain how and why Guardium can help organizations protect Cassandra data and automate compliance reporting and sign-offs. This article includes detailed instructions and a sample security policy to help you configure Guardium and extract value immediately.
Too often, we hear of huge corporations being attacked and losing valuable client information. What can be done if this happens to you? What can be learned from others' mistakes?
Ori Pomerantz's new tutorial discusses how to write an application in the Bluemix Time Series Database. This application allows you to view information quickly from a dashboard and generate time-stamped statistics. By creating reports on events by time, components, and hosts, you can determine if there are any patterns by looking at current and past malicious activity. With this in mind, use analytics from these reports to determine future malicious behavior. Then you'll know how to better prepare yourself and your organization from future attacks, safeguarding your most precious data.
Short URL for this post: http
IBM provides advance notification of End Of Support (EOS) dates allowing customers reasonable time to complete software upgrades or to refresh appliance products. To view upcoming EOS dates by product segment, click a link in the list below.
View all IBM Software EOS announcements for 2017 and 2018.
Q: What are the major Support Lifecycle milestones?
A: The major Support Lifecycle milestones are:
Q: How do you determine if your installed software is still supported?
Q: What happens when EOS is announced?
A: Often, there is a newer version of the software available for download. In most cases, you’ll have sufficient time to plan for and install the latest version. For more information on the lifecycle stages, including EOS, view this short YouTube video on the IBM
Q: What is the standard version format for IBM Software products?
A: The full product version is expressed by a four-digit code known as the IBM Version, Release, Modification and Fix Level structure, or VRMF. View this Technote for additional information and description of each element. You may also find this Glossary of product support and maintenance terms helpful.
Q: Where can you view additional details on product updates or replacement information?
A: Using the Support Lifecycle Search, search for your product, select View for details and click the EOS announcement link to view Repl
Q: What are your options if you are unable to upgrade or refresh your current products before EOS?
A: You can request a Support Extension. Support Extensions are available for Customers who are unable to migrate to a supported version, release or appliance platform prior to EOS. For more information, visit the IBM
Q: How do you stay connected for future product announcements?
A: There are several ways to receive product announcements:
Q: How can you connect with IBM Security on social media?
Q: Where can you find more information on IBM Support policies?
A: You can view and download the IBM
The IBM Support Lifecycle Policy sets forth the minimum length of time IBM will provide security content and technical support for a product version and release. Click the applicable product segment link below to view the Support Lifecycle Policy.
Ori Pomerantz has just published a new tutorial on developerWorks describing how to incorporate Google's reCAPTCHA tool into your node.js application running on Bluemix. He shows you step by step how to integrate with the Google service and provides sample code that you can download and use as a starting point for your own projects.
Rahul Relan, Nnaemeka Emejulu, and Parag Gokhale have just published a ne
Ori Pomerantz has written a new tutorial on multi-factor authentication in the context of a node.js application running on Bluemix. If you need a step by step guide that wlks you through a simple example of implementing multifacotr auth, this is a good tutorial for you to check out. One of the added bonuses in this tutorial is that it also introduces you to the concept of risk analysis for deciding when an additional authentication factor is needed. It's a very simple example, but sometimes it's the simple examples that help clarify your thinking the most and give you a starting point for your own code.
Sulakshan Vajipayajula and Ravi Muthukrishnan have just released a ve
Carsten Hagen has updated one of the longest-running and most popular tutorials on the dW security zone:
Using ISAM security appliances to implement context-based strong authentication for website security
Learn how to secure a website with context-based two-factor authentication by integrating and configuring IBM Security Access Manager (ISAM) for Web and IBM Security Access Manager for Mobile. The authors will demonstrate how to use ISAM for Mobile's context-based authorization and one-time password (OTP) interface to enable security architects to apply intelligent stronger authentication access decisions across an organization's website.