ORLANDO – IBM Corp. on Tuesday launched a slew of new security offerings that it said would help software and Web developers bake security right into the application design process.
The most significant news might be the company’s AppScan product line update, which has been helped along by IBM’s recent acquisition of security firm Ounce Labs. The newly released AppScan Source Edition is geared toward stopping security vulnerabilities in applications before they go live.
All the announcements were unveiled as part of IBM’s “Security By Design” strategy at this week’s Innovate 2010 conference in Orlando.
David Grant, a marketing executive for security and compliance at IBM, said half of all the vulnerabilities IBM tracked during 2009 were related to Web applications. He added that 67 per cent of those vulnerabilities have yet to be patched.
“What we’re doing today is not working,” he said. “We’re waiting until the applications are built, testing it before they go live and then retrofitting the apps. This is very costly and not very effective.”
With the updates to AppScan, developers will be able to test their code line by line to look for security vulnerabilities.
“It automatically simulates what a hacker would do to hack into an application,” Grant said. The software is built on a constantly updated repository of hacking techniques, which have been compiled by IBM’s security teams.
Every day you log into your AppScan, you get a new set of information which keeps you up-to-date on the latest hacking techniques, he added.
The newly updated AppScan product also gives users expanded support for several development languages.
For organizations that either lack or don’t care about in-house application security expertise, IBM launched a new service called Application Source Code Security Assessment. While IBM’s AppScan update puts the tool in the hands of security administrators, this service skips that step and basically allows companies to outsource the code scanning to IBM.
Grant said injecting security scanning right into the design stage — either through AppScan or the outsourcing option — should be conducted not only on in-house apps, but also on outsourced or purchased apps.
“You need to make sure vendors provide the proper due diligence of security before you take ownership of their apps,” he said.
Among the other announcements, IBM decided to update its Tivoli Access Manager family to help protect data for companies engaging in SOA, portals or Web-based projects. The updates will bring centralized authentication, policy management, and access control features to the Tivoli software and give IT administrators centralized security controls over private or public cloud apps.
Marc Van Zedelhoff, director of security and compliance at IBM, said this update will mean security administrators can use one tool to manage their apps.
“It’s all about enabling security easily across environments,” he said, citing ease of app integration and improved admin deployment as key updates to the Tivoli product.
Rounding out its security-focused day, IBM announced the publication of a security engineering framework that will provide best practices for software developers.