Securing today's applications

8/7/2019 Securing To Days Application

1/12

SWG Rational Marketing Software Delivery Program

Securing today's applications
Design, deliver and secure smarter software and services


The What, Where and How of Application Security

Why is application security such a hot issue moving into 2010 and beyond?

Applications are becoming more pervasive: organizations are growing and implementing smarter software to support business processes, product development and daily operations. The way businesses deal with their customers, their partners and their own internal businesses is changing and becoming more complex. New SOA-oriented architectures and the extension of things like the electrical grid are becoming an essential part of an organization's everyday operations.

So it is natural that the security ramifications of deploying all of these applications are a very important concern for customers. They have generally done a very good job over the last 10 or 15 years in understanding the established security technologies for tasks like networking and operations, and in managing security procedures like access control or authentication. But now, as these new applications roll out, they are really changing the game.

In many ways, these applications can exist in two worlds at once. Portions of their behavior may sit inside a firewall, while other portions sit outside it, such as the web-facing front end to a legacy back-end application. The possible security problems are not just the threat surface exposed by new applications, but also the composite of behaviors that goes on outside the firewall at the front end of the application, and all of the possible unintended consequences of the new exposure of the internal application.

All of these things are conspiring together: the influx of new applications, the increased importance of applications for core business goals, and the difficulty of understanding how all these components will play together. These forces are driving applications into a place of prominence in the current environment.

Four strategic best practices for protecting web applications

To address security-related issues as they pertain to web applications, organizations can employ four broad, strategic best practices.

1. Increase security awareness

This includes training, communication and monitoring activities, preferably in cooperation with a consultant.

Training

Provide annual security training for all application team members: developers, quality assurance professionals, analysts and managers. Describe current attacks and a recommended remediation process. Discuss the organization's current security practices. Require developers to attend training to master the framework's prebuilt security functions. Use vendor-supplied material to train users on commercial off-the-shelf (COTS) security tools, and include security training in the project plan.


Communication

Collect security best practices from across all teams and lines of business in your organization. Distribute them in a brief document and make them easily accessible on an intranet. Get your IT security experts involved early and develop processes that include peer mentoring. Assign a liaison from the security team to every application team to help with application requirements and design.

Monitoring

Ensure that managers stay aware of the security status of every application in production. Track security errors through your normal defect tracking and reporting infrastructures to give all parties visibility.

2. Categorize application risk and liability

Every organization has limited resources and must manage priorities. To help set security priorities, you can:

• Define risk thresholds and specify when the security team will terminate application services.
• Categorize applications by risk factors (e.g., Internet or intranet vs. extranet).
• Generate periodic risk reports based on security scans that match issues to defined risk thresholds.
• Maintain a database that can analyze and rank applications by risk, so you can inform teams of how their applications stack up against deployed systems.

3. Set a zero-tolerance enforcement policy

An essential part of governing the development and delivery process, a well-defined security policy can reduce your risk of deploying vulnerable or noncompliant applications. During inception, determine which tests the application must pass before deployment, and inform all team members. Formally review requirements and design specifications for security issues during inception and elaboration, before coding begins. Allow security exceptions only during design and only with appropriate executive-level approval.

4. Integrate security testing throughout the development and delivery process

By integrating security testing throughout the delivery lifecycle, you can have significant positive effects on the design, development and testing of applications. You should base functional requirements on security tests your application must pass, making sure that your test framework.

Application security planning and security strategy should be based on systematic processes and practices, and not on symptomatic issues that arise during a testing cycle.

The Business Case for Data Protection was the first study to determine what senior executives think about the value proposition of corporate data protection efforts within their organizations.

Ponemon Business Case for Data Protection (US): https://www.ibm.com/services/forms/signup.do?source=swg-rtl-ponemonrptus
Ponemon Business Case for Data Protection (UK): https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-rtl-ponemonrptuk

Secure by Design

Innovation depends upon the safe and reliable operation of the systems that will gather, transmit and analyze data, communicate and act upon the results, and advance the capabilities of highly distributed organizations to unify and focus on critical shared goals. This type of security, this type of safety, is not something that can simply be bolted onto solutions as an afterthought. It must be considered from the first requirements to the final implementation, and it must be inherent in the capabilities that are brought to bear as these complex problems are solved. The reliability of these solutions cannot be jeopardized by delay. They must be Secure by Design.

Secure by Design demonstrates that cost-effective security begins with the creation of secure systems from the start. Time-to-market, maintenance and the devastating costs of public breaches are reduced through the benefits of integrating secure practices early in the development lifecycle. It is a long-standing axiom that functional defects identified during system development are orders of magnitude less costly to repair than those found in production systems, and the benefits and savings are even higher when it comes to security. Current models show us that the average data breach costs an organization roughly $6.6M, and that the average cost per lost customer data record is over $200. These numbers are staggering. Vulnerability within some Smarter Planet systems is even more destructive, as some systems manage critical infrastructure, and failure can disable entire regions or, worse, jeopardize lives.

A critical enabler of trust in this process is the ongoing validation of the security of critical applications. System development history has shown us that there is a natural tendency for implementations to veer from their original designs, and that constant reinforcement of design objectives through testing and assessment is the most practical means of arriving at a deliverable with the proper attributes. Security is no different, but it can be more difficult to assess. Security, particularly at the coding and implementation level, is not a widely understood discipline, and its inclusion in the set of critical deliverables will only be possible as organizations simplify and automate security checking in ways similar to those employed for functional and performance testing. The IBM Rational AppScan suite of products has been created to integrate within this environment, whether through application scanning on the developer desktop, at the nightly or weekly build server, or through targeted penetration testing of the final application.

In practice, not every application can be protected from every threat, and the continuous appearance of new attacks means that today's results will never be sufficient to guarantee tomorrow's safety. As a result, the path to maximizing the security of an application begins by rigorously testing that application today, and planning for its continuing testing as the application, and the threats it encounters, evolve.

Automated source code analysis is widely recognized as the most effective method of this type of testing early in the life cycle, because it allows for a consistent and repeatable assessment of source code without requiring the additional assets that would be needed to field a completed system to test. The best of these technologies provide the most valuable results by pinpointing the vulnerability at the precise line of code and detailing information about the type of flaw, its degree of criticality and how to fix it. Ethical hacking is also an important element of software security, but its value comes later in the life cycle, when it can be used on a completed application with a functional interface. Together, these approaches can paint a picture which is both comprehensive in its scope and useful in the level and amount of detail that it provides.


Securing components and systems from their inception produces a flexibility and sense of assurance that fuels the growth and adaptability of the Smarter Planet. Early implementations of smarter projects are only the beginning of the potential for integrating information and technology to solve fundamental infrastructural problems. Systems which are gathering information to optimize a Smarter City today may well be repurposed in the future to bring smarter healthcare or smarter communications to the same area. By designing the core components with security in mind, adapting them to a new area of use becomes much more straightforward, eliminating the need to re-engineer the component for the next role it may fulfill.

Roadblocks to building in security

Among the most common impediments to the adoption of security testing in the software development life cycle, the most difficult to overcome is typically the gap between development group functions and the security team's priorities. The skill sets themselves are rarely present in the same individual or even group, and organizationally there is very little inherent synergy. While development goals focus on product functionality and on-schedule delivery, security analysts are often tasked with eliminating vulnerabilities and implementing security controls only after the applications are completed and deployed. Development is rewarded for on-time delivery, while security is rewarded for preventing the deployment of an insecure application. To effectively decrease vulnerabilities created during the development process, development and security teams must cooperate, and in all cases, higher-level management support for improving security during development is essential.

There also exists a general reluctance to alter an existing software development life-cycle process, which can delay implementation of security testing. In these cases, an understanding of the business-level benefits to be gained is usually enough incentive to move things forward. There are some common misconceptions about the potential and difficulties of improving security within the development process.

Fiction: The development schedule cannot delay any other activities, not even to address security issues.

Fact: There might be initial delays to the development cycle as individuals learn the new system, but this is indisputably the most time-efficient method for reducing software risk. The process eventually reduces development time by instilling good, secure coding practices among developers, and these practices reduce time spent elsewhere in the cycle, such as during security and acceptance testing of the final application.

Fiction: We are already doing peer review; therefore, we do not need additional security code reviews.

Fact: A peer review is not a substitute for a security review. Peer reviews are typically used to find functional bugs. Unless reviewers have a deep understanding of application security, many of the more critical security vulnerabilities and design flaws are missed. In many cases, the best-intentioned user requirement, implemented without functional error, can lead to the greatest security risk. Common security errors will traverse thousands of lines of code and many files, leading to a very challenging, if not impossible, task of manual identification.

Assigning core responsibilities

Many enterprises still find it challenging to identify the most appropriate method and resources to implement source code analysis in their development life cycle. Utilizing a series of workflow models to help guide the implementation of automated source code scanning into an existing development process is the most effective way to achieve a favorable approach. Although it is clear that development organizations and processes each have their own distinct characteristics, the functions below are primary to source code testing and must be served by existing staff or experts brought in during implementation.

• Set security requirements: A manager or central source of business requirements meets with groups with security expertise to define the security requirements of the application and the vulnerabilities that would most jeopardize its function, and to assign criticality based on business needs.
• Configure analysis: Internal definitions are used to customize the source code analysis tool to match policies, ensuring sufficient and consistent review of applications.
• Scan source code: The source code analysis tool is run against the target application or parts of the application to pinpoint vulnerabilities. These scans are commonly automated, but can also be executed on demand.
• Prioritize results: Staff members with knowledge of security and the application study the results to prioritize remediation and resource workflow appropriately.
• Remediate flaws: Vulnerabilities are eliminated by rewriting code, removing flawed components, or adding security-related functions.
• Verify fixes: The code is rescanned and studied to ensure the code changes have eliminated the vulnerability while maintaining application functionality.

Organizations which have already adopted this methodology have seen very positive results. One major telecommunications firm has gone so far as to apply the knowledge of their relevant threats and the operational implementation goals of their software components to devise an automated testing regimen that is kicked off regularly with the software build. The information generated has already been tailored by the security team, and the results are regularly reviewed to ensure relevance and continuing accuracy. In the interim, each build automatically assesses the security of the software, and forwards any newly found vulnerabilities to the appropriate development groups for remediation. This integrated process has led to much faster cycle times, decreased rework, and far better performance during rigorous pre-deployment certification.

Secure by Design as a goal has two different meanings. The first, as described here, relates to assembling the knowledge, tools and processes to generate components and systems that will perform reliably and securely, through efforts at all phases of the construction lifecycle. The second meaning, though, is equally important: as we enter this instrumented age, and we come to expect technology to improve our day-to-day existence in new ways, we must acknowledge our responsibility to make our organizations Secure by Design. We must educate ourselves and our teams on the importance of security, on the cost savings and benefits of secure development, and on the balance that must be reached between that concern and concerns of functionality, performance and time-to-market. If we do this, then soon "secure" will be as natural a characteristic of the Smarter Planet as "fast", "stable" or "easy-to-use".

For detailed information on three development models, including workflows and best practices, please see the whitepaper "Secure at the Source" in the Web Application Security e-Kit: http://www-01.ibm.com/software/info/sdp/appscan/index.jsp

Hackers and Malware

The proliferation of malware designed to infiltrate computer systems without the owner's informed consent has become one of the most challenging security issues facing users today. Hackers are engineering ever more sophisticated viruses, worms and Trojan horses that can outsmart traditional defense mechanisms.

Malicious software can be distributed in a variety of ways, and attackers generally do not limit themselves to a single channel. For a long time, email was the primary delivery mechanism, and it is still significant today. Network vulnerabilities and instant messaging have also been used for pushing worms from one machine to another.

Today, web applications are the primary delivery mechanisms for malware, via drive-by downloads or social engineering. A drive-by download happens when a user's machine becomes compromised simply by browsing an infected web page. The browser executes components that are maliciously crafted to exploit vulnerabilities in the browser, operating system or other plug-ins as the page renders images, in-line scripts and videos, for example.

Social engineering is a term used to describe tricking a user into performing some action, such as downloading a file or accepting a prompt. Scareware, such as an alarming pop-up that prompts users to perform an action, is a good example of this. A pop-up designed to look like an antivirus alert may read "A virus has been detected on your system" and prompt a user to download a cleanup utility, which is actually malware (often a Trojan horse). In the fall of 2009, a major national newspaper in the United States faced a version of this tactic in the form of a scam that was designed to scare users into buying useless antivirus software.

In recent years, occurrences of legitimate websites serving malware have become more widespread. Previously, cautious web surfers who avoided questionable sites, such as adult-oriented or illegal download sites, could reasonably expect to avoid attacks. This is not so today. Moreover, site owners rarely even know that the compromise has occurred. Consider the consequences. Users are no longer able to avoid exposure through good judgment alone. The malware is delivered through the sites they use and trust on a regular basis for personal and business needs. Web gateways can no longer rely on blacklists of malicious sites without blocking legitimate sites as well. So how are users expected to protect themselves, and how can website owners avoid putting their users in harm's way? That question can't be addressed without understanding how legitimate sites are compromised.

A look at how legitimate websites are compromised

In most cases, reputable websites are attacked using one or a combination of four primary methods.

Vulnerability exploitation

Vulnerabilities on a site are a favorite target of criminals. These could be 0-day vulnerabilities in the software running the website or vulnerabilities in the application-specific code. Such vulnerabilities can allow attackers to deface the site, making it link to or serve malicious content. Exploiting 0-day or very recent vulnerabilities in web infrastructure (for example, web servers, application servers and operating systems) is the primary method of compromising websites today.

Uploaded malware on user-driven sites

User-driven Web 2.0 community sites (including blogs, wikis and social media sites) that let users create and post data likely provide another popular malware delivery source. Worse, technical vulnerabilities aren't even necessary. If users are allowed to add content and links to the site, they may be uploading malicious items. For example, PDF document files holding malicious content, or images that exploit a security hole in a graphics library, can cause a legitimate website to serve malware.

Internal attacks

Website defenses are often not as robust when accessed from within an internal network. As a result, internal resources, such as disgruntled employees or an employee who has been blackmailed, can modify a web application from within and make it serve or link to malware.

Third-party content

Including third-party content such as ads or mashup applications can multiply the risk of malware on your website. Third-party sources may be malicious or may have been compromised by yet another party, resulting in malware being served through your application's pages. Consider an advertising service serving Flash-based advertising banners. Flash applications are powerful and dynamic and have potent scripting engines. If an advertising company is not properly vetting and analyzing each banner it posts, it may be serving malicious banners that deliver malware.

Existing solutions

How can users be expected to protect themselves from malware on legitimate websites? Certainly, users need to take precautions by installing appropriate endpoint security solutions, such as antivirus software, firewalls and other security tools. But this will only get them so far. As a result, website owners have significant responsibilities in the matter, as their users should expect a reasonable level of protection against malicious code.

There are several ways companies and organizations can protect the server side: an intrusion prevention system (IPS) or similar network protection device that monitors outgoing traffic, and server-side antivirus solutions. An IPS can examine all traffic returned from the site and block anything deemed malicious. The problem with this approach is the depth of the analysis: the IPS needs to work at a very high velocity to support huge volumes of data, and thus can only afford a fraction of a second to analyze passing content. As a result, its analysis is mostly limited to matching known malicious patterns against the content.

A server-side antivirus solution can be used to examine files on the server and identify whether they are malicious. The problem with this approach is visibility. Antivirus solutions are designed to look for viruses in files, but are limited in their ability to examine content residing in the databases where most applications store their dynamic content. Similarly, antivirus solutions don't see or understand web pages, making them blind to content that is linked from the website but not hosted on it.

Currently, the most common way for criminals to make legitimate websites serve malware is by injecting an iframe that leads to a malicious site. The existing solutions discussed above cannot find this very common manifestation of the problem.

An alternative approach: HTTP-based malware scanning uses a new approach, combining the HTTP view with antivirus-like capabilities. Scanning and detection capabilities can help you overcome the inherent problems of existing security technologies.
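One way a site owner can add the HTTP view the paragraph calls for, as an added example in Python that is not IBM's scanner: it parses the HTML a page actually returns to visitors and flags iframes and scripts that are hidden, sized to be invisible, or loaded from hosts the owner has not approved, which is the injected-iframe case a file-based antivirus or a pattern-matching IPS misses. The page, hostnames and allowlist are constructed for illustration; in use, the HTML would come from fetching the site's own pages over HTTP.

```python
"""HTTP-view check for a site's own pages: parse the HTML the server actually
returns and flag embedded content (iframes, scripts, objects) that is hidden or
loaded from a host the site owner has not approved.

Added example, not IBM's product. Sample page, hosts and allowlist are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EMBED_TAGS = {"iframe", "script", "object", "embed"}
# CSS tricks commonly used to keep an injected frame out of sight
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}", re.I)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def _tiny(value):
    """True for width/height attributes that make an element effectively invisible."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return bool(m) and int(m.group(1)) <= 1


class EmbedCollector(HTMLParser):
    """Collects every tag that can pull executable or framed content into the page."""

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() in EMBED_TAGS:
            self.embeds.append((tag.lower(), dict(attrs)))


def host_of(src, page_url):
    """Hostname an embed resolves to; relative URLs resolve to the page's own host."""
    host = urlparse(src).hostname or urlparse(page_url).hostname or ""
    return host.lower()


def scan_page(page_url, html, approved_hosts):
    """Return (tag, src, reasons) for every embed that is hidden or off the allowlist."""
    allowed = {urlparse(page_url).hostname.lower()} | {h.lower() for h in approved_hosts}
    collector = EmbedCollector()
    collector.feed(html)
    findings = []
    for tag, attrs in collector.embeds:
        src = attrs.get("src") or attrs.get("data") or ""
        reasons = []
        if src:
            host = host_of(src, page_url)
            if host not in allowed:
                reasons.append(f"loads from unapproved host {host}")
            if IPV4.fullmatch(host):
                reasons.append("host is a bare IP address")
        if tag == "iframe":
            if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
                reasons.append("iframe sized to be invisible")
            if HIDDEN_STYLE.search(attrs.get("style") or ""):
                reasons.append("iframe hidden via CSS")
        if reasons:
            findings.append((tag, src, reasons))
    return findings


# Constructed sample: the site's own script, an approved ad banner, one injected
# hidden iframe pointing at an unknown host, and an unvetted third-party script.
SAMPLE_PAGE_URL = "https://www.example-news.test/index.html"
APPROVED_THIRD_PARTY = {"ads.approved-adnetwork.test"}
SAMPLE_HTML = """
<html><body>
<script src="/js/site.js"></script>
<iframe src="https://ads.approved-adnetwork.test/banner" width="728" height="90"></iframe>
<div style="font-size:0">
<iframe src="http://203.0.113.7/x.html" width="1" height="1" style="display:none"></iframe>
</div>
<script src="https://cdn.unknown-party.test/track.js"></script>
</body></html>
"""


def run_example():
    return scan_page(SAMPLE_PAGE_URL, SAMPLE_HTML, APPROVED_THIRD_PARTY)


if __name__ == "__main__":
    for tag, src, reasons in run_example():
        print(f"{tag:7} {src}\n        " + "; ".join(reasons))
```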

Please see the demo of Rational AppScan Standard Edition for a full view of the AppScan Standard Edition and Express products: http://www.ibm.com/developerworks/offers/lp/demos/summary/appscanintro.html

    Security and Cloud Computing

    Cloud computing is a exible, cost-effective and proven

    delivery platform for providing business or consumer IT

    services over the Internet. Cloud resources can be rapidly

    deployed and easily scaled, with all processes, applications and

    services provided on demand, regardless of user location or

    device. As a result, cloud computing gives organizations the

    opportunity to increase their service delivery efciencies,

    streamline IT management and better align IT services with

    dynamic business requirements.

    Both public and private cloud models are now in use. Available

    to anyone with Internet access, public models include Software

    as a Service (SaaS) clouds like IBM LotusLive, Platform as a

    Service (PaaS) clouds such as IBM Computing on Demand,

    and Security and Data Protection as a Service (SDPaaS) clouds

    like the IBM Vulnerability Management Service.

    Private clouds are owned and used by a single organization.

    They offer many of the same benets as public clouds, andthey give the owner organization greater exibility and control.

    Many organizations embrace both public and private cloud

    computing by integrating the two models into hybrid clouds.

    These hybrids are designed to meet specic business and

    technology requirements, helping optimize security and

    privacy with a minimum investment in xed IT costs. Although

    the benets of cloud computing are clear, so is the need to

    develop proper security for cloud implementations.

    In addition to the usual challenges of developing secure IT

    systems, cloud computing presents an added level of risk

    because essential services are often outsourced to a third party.The externalized aspect of outsourcing makes it harder to

    maintain data integrity and privacy, support data and service

    availability and demonstrate compliance. As a result, clients

    must establish trust relationships with their providers and

    understand risk in terms of how these providers implement,

    deploy and manage security on their behalf. This trust but

    verify relationship between cloud service providers and clients

    is critical because the clients are still ultimately responsible for

    compliance and protection of their critical data, even if that

workload has moved to the cloud.

Infrastructure sharing calls for a high degree of standardization and process automation, which can help improve security by eliminating the risk of operator error and oversight. However, the risks inherent in a massively shared infrastructure mean that cloud computing models must still place a strong emphasis on isolation, identity and compliance. In other words, the framework of governance, risk management and compliance can be broken into five security focus areas:

People and Identity: Address the risks associated with user access to corporate resources.

Data and Information: Understand, deploy and properly test controls for access to and usage of sensitive business data.

Application and Process: Help keep applications secure, protected from malicious or fraudulent use, and hardened against failure.

Network, Server and End Point: Optimize service availability by mitigating risks to network components.

Physical Infrastructure: Provide actionable intelligence on the desired state of physical infrastructure security and make improvements.

Each focus area has its own value proposition and corresponding financial payback that must be balanced.

While cloud computing is often seen as increasing security risks and introducing new threat vectors, it also presents an exciting opportunity to improve security. Characteristics of clouds such as standardization, automation and increased visibility into the infrastructure can dramatically boost security levels. For example, the use of a defined set of cloud interfaces, along with centralized identity and access control policies, will reduce the risk of user access to unrelated resources. Running computing services in isolated domains, providing default encryption of data in motion and at rest, and controlling data through virtual storage have all become activities that can improve accountability and reduce the loss of data. In addition, automated provisioning and reclamation of hardened run-time images can reduce the attack surface and improve forensics.

For more information on how the Rise of Cloud is creating new requirements for Security, please see our podcast.


Security in Industry

Industry-specific software assets that allow you to deploy business solutions with lower costs and risk:

Financial Services: Banking and insurance companies need to manage risk more efficiently, at a lower cost, through online channels including web-based applications and cloud-implemented solutions. With the ever-changing environment facing financial institutions, maintaining system integrity and automating all security and compliance initiatives is imperative to keeping up with the integration of mergers and acquisitions.

Please review this case study of how a Financial Services and Banking company managed a response to security mandates.

Government: Growing concerns over government data security, driven by increasing vulnerabilities and cyber security threats, have agencies looking for cost-effective and efficient solutions to manage their data systems, including fulfilling various changing requirements for compliance (accessibility, etc.) and security to governing bodies.

As Government agencies are opening citizen access to new Internet-based services and establishing efficient methods for creating trusted identities, the need for stronger authentication and portal security is increasing. Greater accountability and transparency means more exposure of data vulnerabilities.

Please review the case study of how a branch of the armed forces secured the needs of the military.

Healthcare: Securing sensitive patient information and adhering to compliance mandates is an overwhelming requirement for all healthcare professionals at every level of the industry. With funding for use of Electronic Health Records (EHR), the access and security of health records is becoming a pressing issue. More reliable infrastructure management, reducing the possibility and impact of security vulnerabilities while adhering to industry regulations, is needed.

Please see the demo of Rational AppScan Standard Edition for a full view of the AppScan Standard Edition and Express products.

Energy and Utilities: The Smart Grid raises privacy and safety concerns, and standards from bodies like the North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC) are driving heightened protection from cyber attack. These efforts to strengthen access control and prevent data loss are critical to the success of not only the project, but also the customers that utilize the system.

Please review the case study of an International Telecommunications Company.


Resources

Web Application Security e-Kit

IBM Rational AppScan can help you effectively design security into your products and services early in the lifecycle, in a way which is resilient to change. Download your complimentary e-Kit now. You'll receive white papers, demos, podcasts and additional information on helping you design, deliver, and manage smarter software and services faster, in a more secure and cost-efficient manner.

Rational AppScan ROI Calculator

Automated application security analysis enables you to detect exploitable vulnerabilities to protect against the threat of cyber-attack, and also significantly reduces the costs associated with manual vulnerability testing. This Rational AppScan ROI calculator will help provide estimates of your ROI from implementing a web application security testing solution.

Podcasts:

What, Why and How of Application Security

In this podcast you can learn how application security strategy and policy can mitigate risk and thus safeguard not only your company's informational assets but also your bottom line and brand.

Rise of Cloud is creating new requirements for Security

In this BizTech Reports podcast, David Grant discusses the new and elevated role application security must play to protect vital corporate interests in as efficient a manner as possible. According to IBM X-Force's most recent research from the end of 2008, over 50% of all vulnerabilities disclosed last year were related to the application layer.

Securing software at the source is good for Quality

Hear from Ryan Berg, Security Architect, IBM, on how to promote secure software delivery starting in QA. Learn how you can ensure that security standards are met as part of your quality measures.

Whitepapers:

Ponemon Business case for Data Protection (US)

Ponemon Business case for Data Protection (UK)

The Business Case for Data Protection was conducted by Ponemon Institute and sponsored by Ounce Labs, an IBM Company. It is the first study to determine what senior executives think about the value proposition of corporate data protection efforts within their organizations.

The Right Tool for the Right Job

A range of application security tools has been developed to support the efforts to secure the enterprise from the threat posed by insecure applications. This white paper examines the most common tools found in the enterprise application security environment.

Trust, but Verify

This white paper discusses the need to address security concerns in outsourced applications. It outlines a framework for addressing these concerns with outsourcing partners and explores the role of source code review and related technologies to assess and certify outsourced applications.

Knowledge is Power

Your software has a lot to say about data privacy. Your software is the engine for your data, where it gets processed, transformed, and transmitted. Understanding what your software can tell you puts power in your hands.

Maintaining trust: protecting your website users from malware

This paper explores the problem of malware and how it is increasingly being delivered through legitimate websites.


    ESW03001-USEN-01

Demos:

IBM's Development and Test Enterprise Cloud Solution

IBM Smart Business Development & Test on the IBM Cloud is your gateway to the cloud. With an ever-growing list of images and functionality, you can provision, manage, and customize your instances in minutes.

Rational AppScan Standard Edition

This demo takes you through the process of scanning a web application for security vulnerabilities using Rational AppScan Standard Edition.

Case Studies:

A branch of the armed forces secured the needs of the military.

A financial services and banking company managed a response to security mandates.

An International Telecommunication Company: Building security into the software development life cycle with low cost and high value.

Copyright IBM Corporation 2010

IBM Software Group
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
August 2010

All Rights Reserved

IBM, the IBM logo, ibm.com, Smarter Planet, the Smarter Planet logo, AppScan, LotusLive and Rational are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml
