IBM: Design Security Into New Applications During Development


IBM Tuesday unveiled a number of new software products and services the company said would help businesses build security into the initial designs of their applications.

IBM executives, debuting the new offerings at the vendor’s IBM Rational Innovate 2010 conference in Orlando, said designing security into software systems from the start, rather than correcting them later or “bolting them on” afterwards through add-on product, helps cut costs and reduce security risks in an increasingly interconnected world.

Software development challenges posed by increasingly complex and interconnected software systems was a recurring theme at the Innovate conference. And that has ramifications for system security as well. “With complexity, you can introduce a lot more risk,” said Teresa Cook, director of security products, in a press conference.

IBM said 49 percent of all software vulnerabilities tracked by IBM in 2009 were in Web applications and 67 percent of those had no available patch.

The new products include AppScan Source Edition, an addition to the AppScan line of tools for identifying vulnerabilities in software applications. Based on technology from IBM’s 2009 acquisition of Ounce Labs, AppScan Source Edition finds and corrects vulnerabilities in software source code during the development process, said David Grant, Rational marketing executive for security and compliance.

“Software security has become a priority as hackers are increasingly targeting Web-based applications as their preferred route of attack,” said John Wyatt, president and CEO of Cigital Inc., a Dulles, Va.-based IBM security partner. “Embedding automated security scanning into software delivery is more important than ever to lower costs and increase protection. We are confident that the new version of AppScan Source Edition will provide considerable value to our customers."

AppScan Source Edition is available now in on-premise and on-demand versions, Grant said.

Other tools in the AppScan line for evaluating the security of applications already in production are based on technology IBM acquired when it bought Watchfire Corp. in 2007.

Also new is a source code assessment service to help organizations assess the source code of new and legacy applications. IBM will test applications for their clients, identify vulnerabilities and recommend steps for remediation.

IBM has published a framework of best practices around security and software development. The blueprint, “Security in Development: The IBM Secure Engineering Framework,” is designed to help businesses create a secure software delivery process.

IBM also introduced updated versions of its Tivoli Access security software, including Tivoli Access Manager, Tivoli Security Policy Manager and Tivoli Federated Identity Manager. The tools help manage security, particularly from internal threats, for applications already in production. The new products provide additional security capabilities for cloud computing and service-oriented architectures, for portals and Web applications, and for data.