IBM Boosts Secure Development Practices
Focus is on making security an integral part of software, Web services, cloud, and portal development practices.
IBM this week announced multiple initiatives and software updates to help organizations build security into their software development practices, applications, Web services, cloud projects, and portals.
"As customers drive new Web-based services and portal initiatives, they must balance the growing need for exposing data with the ability to provide secure access to these critical resources on a need-to-know basis," the company said in a statement.
Accordingly, IBM updated Tivoli Access Manager to provide centralized authentication, policy management, and access control services for cloud, service-oriented architecture, portal, and Web application environments.
Similarly, IBM also announced a new "Secure By Design" initiative, which combines a new IBM-developed framework for secure software engineering, backed by source code security testing tools, source code scanning assessment services, and identity and access management capabilities.
From its acquisition of security vendor Ounce Labs, IBM also introduced a new Web application security tool, AppScan Source Edition, meant to help developers spot and remediate Web application vulnerabilities before code moves into beta or general release.
According to a study conducted last year by IBM researchers, Web applications accounted for 49% of all software vulnerabilities in the wild. For two-thirds of those vulnerabilities, however, no patch existed. Unfortunately, these vulnerabilities are often easily accessible to attackers, since the software runs online.
For years, software experts have known that the most cost-effective way to secure software is to specify security at the start of a project and make it an integral part of the software development lifecycle. Historically, however, many software development houses -- driven by time-to-market or cost-control concerns -- have skimped on security planning, and when they do attempt to secure their software, they bolt security on after the fact, which costs more and is typically less effective.
But according to the Open Web Application Security Project, which tracks Web application vulnerabilities, many if not all of today's top vulnerabilities -- e.g., SQL injection, cross-site scripting attacks, broken session management, and failure to restrict URL access -- can be prevented simply by more rigorously designing and testing code, before the software ships.