Strengthening application security capabilities while improving time to value
 


IBM Security AppScan software automates application security testing by scanning applications, identifying vulnerabilities and generating reports with intelligent fix recommendations to ease remediation. Join this session to learn how to reduce your application security risk by integrating IBM Security AppScan into your software development lifecycle, focusing on a Secure by Design approach.

View the on-demand webcast: https://www2.gotomeeting.com/register/553267994

  • Advanced Security and Threat Research, which includes the X-Force team, is the foundation for many of the pillars in the security product portfolio. As the team tasked with staying on top of the latest threats and vulnerabilities, the information it provides is a critical aspect of providing protection to the other parts of the framework. The rest of this deck will talk to the specific capabilities of this team, as well as some specific integration points between the X-Force research and the products to which they add value.
  • The way we are able to provide such broad coverage is through our research organization. This represents about 6,000 people worldwide.
    - A big component of the research used in the XGS is from X-Force: established in 1997; top engineers doing applied security research into attack trends and techniques and coming up with counter-measures; also involves technology such as our web crawler, which is a key component of our reputation capabilities.
    - Also includes data from other parts of IBM, such as our managed services org: 13B events every day across 133 countries drives intelligence (rep, vulns, etc.) that ends up in the product.
    - In addition, IBM Research is also constantly working on new innovations with a security slant, resulting in over 1000 patents to date.
    - So when a customer buys the XGS, they are essentially getting all of this research in a box.
  • 2012 was a record year for reported data breaches and security incidents, with a 40 percent increase in total volume over 2011. In the first half of 2013, security incidents have already surpassed the total number reported in 2011 and are on track to surpass 2012. This year kicked off with a number of high profile sophisticated attacks on major websites, media, and tech companies.
  • No single automated analysis technique can find all possible vulnerabilities. Each technique has its own strengths and blind spots, which is why a single point tool can leave you exposed. To find the most vulnerabilities, you should employ all the analysis techniques available today. IBM has combined a leading Static Analysis solution (developed by Ounce Labs) with a leading Dynamic Analysis solution (developed by Watchfire), and has since added Hybrid analysis to combine and correlate their results. In 2011, IBM added new techniques for client-side analysis (aka JavaScript Analyzer) and most recently run-time analysis (aka Glassbox).
    - Static Analysis examines the source code for potential vulnerabilities. Static analysis can be used earlier in the development cycle, because you don’t need a running application. Static analysis can also produce a large volume of results, which can overwhelm development teams. Also, developers may question whether an identified vulnerability can be exploited (i.e. the “issue” could be mitigated somewhere else in the code, so it may not manifest itself as a true vulnerability).
    - Dynamic Analysis tests a running application, by probing it in similar ways to what a hacker would use. With Dynamic Analysis results, it is easier to connect the vulnerability and a potential exploit. Dynamic Analysis is reliant on an ability to automatically traverse an application and test possible inputs. With Dynamic Analysis, the auditor is always asking “did I get proper test coverage”. Because Dynamic Analysis requires a running application, it typically cannot be used until an application is ready for functional testing (i.e. later in the development cycle).
    - Hybrid Analysis brings together Dynamic and Static to correlate and verify the results. Issues identified using dynamic analysis can be traced to the offending line of code. Issues identified in static analysis can be validated with an external test.
    - Client-side Analysis (aka JSA) analyzes code which is downloaded to the client. As more functionality is performed client-side, the prospect of client-side vulnerabilities and exploits increases. This capability, new in 2011, is unique in the market.
    - Run-time Analysis (aka Glassbox) places a run-time agent on the application machine, and analyzes the application as it is being tested. This combines the aspects of Dynamic and Static analysis at run-time, finding more vulnerabilities with greater accuracy. Glassbox analysis was introduced in the most recent release of AppScan, at the end of 2011.

Presentation Transcript

  • IBM Security Systems Strengthening application security capabilities while improving time to value with IBM Security AppScan 30th October 2013 © 2013 IBM Corporation
  • Agenda
    - IBM Security Framework
    - Why Application Security is Important
    - What’s New in AppScan 8.8
    - Why IBM?
    - Resources
  • X-Force is the foundation for advanced security and threat research across the IBM Security Framework. The mission of X-Force is to:
    - Monitor and evaluate the rapidly changing threat landscape
    - Research new attack techniques and develop protection for tomorrow’s security challenges
    - Educate our customers and the general public
  • Security Incidents in the first half of
  • Application Security Landscape
    - Web application vulnerabilities dominate enterprise threat landscape.
    - 31% of new attacks targeted vulnerabilities in web applications (1H 2013)*
    - More than 50% of all web application vulnerabilities are categorized as cross-site scripting.
    - Security vulnerabilities can impact a wide variety of applications. Applications in Development: In-house and outsourced. Production Applications: In-house, acquired and off-the-shelf commercial apps.
    - *IBM X-Force 2013 Mid-Year Trend and Risk Report
  • Mobile Security Landscape
    - Mobile vulnerabilities have grown rapidly since 2009, along with explosive growth in mobile applications.
    - Attack sophistication is increasing, particularly those targeted at Android devices.
    - Organizations must have a mobile application security strategy.
  • Application Security: Core Component of Your Security Strategy
    1. Web application vulnerabilities dominate enterprise threat landscape.
    2. Mobile application attacks are increasing rapidly.
    3. Vulnerabilities are spread through a wide variety of applications (internal development apps and external production apps).
    4. Common questions from IBM clients: Where are our vulnerabilities and how do we assess our risks?
    5. Many organizations struggle with best practices for managing application security in their IT environments.
  • Cheaper to find and fix earlier in the lifecycle – When do you test?
    - 80% of development costs are spent identifying and correcting defects!***
    - Average Cost of a Data Breach: $7.2M** from law suits, loss of customer trust, damage to brand
    - Find during Development: $80 / defect; *$8,000 / application
    - Find during Build: $240 / defect; *$24,000 / application
    - Find during QA/Test: $960 / defect; *$96,000 / application
    - Find in Production: $7,600 / defect; *$760,000 / application
    - *Based on X-Force analysis of 100 vulnerabilities per application
    - ** Source: Ponemon Institute 2009-10
    - *** Source: National Institute of Standards and Technology
  • Is there a disconnect? Perception vs. Reality
    - Where are your “security risks,” compared to your “security spend”? Spend ≠ Risk. Source: The State of Risk-Based Security Management, A Research Study by Ponemon Institute, 2013
    - Do you have defined Secure Architecture Standards? Exec ≠ Developers view. Source: The State of Application Security, A Research Study by Ponemon Institute, 2013
  • Mobile Malware – 2013 Data. Source: Juniper Networks Third Annual Mobile Threats Report: March 2012 through March 2013
  • IBM X-Force 2013 Mid-Year Report
    - Android malware increasing
    - Sophistication of attacks increasing
    - New versions of Android helping to reduce risk
    - Android market is very fragmented
    - http://securityintelligence.com/cyber-attacksresearch-reveals-top-tactics-xforce/
  • IBM’s Partnered Application Security Solution with Arxan
    - Arxan technology: protects deployed mobile applications; enhances tamperproofing; protects against reverse-engineering; protects against targeted malware
    - Goal: Develop secure applications and protect deployed mobile applications, by utilizing IBM/Arxan solution.
    - Source: Arxan State of Security in the App Economy – 2012
  • Adopt a Secure by Design approach to enable you to design, deliver and manage smarter software and services
    - Build security into your application development process
    - Efficiently and effectively address security defects before deployment
    - Collaborate effectively between Security and Development
    - Provide Management visibility
    - Deliver New Services Faster; Innovate Securely; Reduce Costs
    - Proactively address vulnerabilities early in the development process
  • Finding more vulnerabilities using advanced techniques (Total Potential Security Issues)
    - Static Analysis: Analyze Source Code; Use during development; Uses Taint Analysis / Pattern Matching
    - Dynamic Analysis: Analyze Live Web Application; Use during testing; Uses HTTP tampering
    - Hybrid Analysis: Correlate Dynamic and Static results; Assists remediation by identification of line of code
    - Run-Time Analysis: Combines Dynamic Analysis with run-time agent; More results, better accuracy
    - Client-Side Analysis: Analyze downloaded JavaScript code which runs in client; Unique in the industry
  • Application Security Testing
    - Audience: Development teams; Security teams; Penetration Testers
    - SDLC: CODING; BUILD; QA; SECURITY; PRODUCTION
    - Scanning Techniques: Static analysis (white box): Source code vulnerabilities & code quality risks, Data & Call Flow analysis tracks tainted data; Dynamic analysis (black box): Live Web Application, Web crawling & Manual testing; Hybrid Glass Box analysis
    - Programming Languages: Java/Android, JSP, C, C++, COBOL, SAP ABAP, C#, ASP.NET, VB.NET, Classic ASP, ColdFusion, VB6, VBScript, HTML, PHP, Perl, PL/SQL, T-SQL, Client-side JavaScript, Server-side JavaScript
    - Application types: Web Applications, Web Services, Mobile Applications, Purchased Applications
    - Web and mobile technologies: Web 2.0, HTML5, AJAX, JavaScript, Adobe Flash & Flex, iPhone Objective-C, Android Java
    - Governance & Collaboration: Training – Applications Security & Product (instructor led, self paced – classroom & web based); Test policies, test templates and access control; Dashboards, detailed reports & trending; Manage regulatory requirements such as DIACAP, PCI, GLBA and HIPAA (40+ out-of-the-box compliance reports)
    - Integrated: Build Systems improve scan efficiencies (Rational Build Forge, Rational Team Concert, Hudson, Maven); Defect Tracking Systems track remediation (Rational Team Concert, Rational ClearQuest, HP QC, MS Team Foundation Server); IDEs remediation assistance (RAD, Rational Team Concert, Eclipse, Visual Studio); Security Intelligence raise threat level (SiteProtector, QRadar, Guardium)
  • AppScan Source Mobile Support: Ensure mobile applications are not susceptible to malware!
    - Support for Android and Native Apple iOS apps
    - Security SDK research & risk assessment of over 20k Android APIs and 20k iOS APIs
    - Mac OS X platform support
    - Xcode interoperability & build automation support
    - Full call and data flow analysis of Objective-C, JavaScript, Java
    - Identify where sensitive data is being leaked
  • AppScan integrations with other IBM Security Systems products • Application discovery and context • Risk-based vulnerability analysis • Security policies and alerts QRadar SiteProtector • Network activity monitoring • Web application protection AppScan • Application vulnerability assessments Guardium • Database vulnerability assessments • Database activity monitoring • Data protection policies
  • AppScan - QRadar Vulnerability Manager integration
    - Features:
      - QVM Scanner provides network asset scanning and uncredentialed web application and database scanning
      - AppScan provides comprehensive credentialed web application scanning
      - AppScan vulnerability database integrated into QVM
      - QVM reports, dashboards and vulnerability management features all utilise AppScan vulnerabilities
      - QVM enables network usage, security and threat context data to be applied to AppScan vulnerabilities
    - Diagram labels: Application Vulnerability; Identified Risk
    - Benefits:
      - Single view of vulnerability posture, improved incident response time
      - Prioritize web application vulnerability remediation and mitigation with rich context information
  • What’s New in AppScan 8.8
  • AppScan 8.8 - Strengthening application security capabilities while improving time to value
    1. Improve time to value on static analysis: Streamlined triage features to quickly identify security risk; Faster and easier configuration of Java applications
    2. Quickly identify confirmed vulnerabilities: Identify top security risks by leveraging latest industry standards from OWASP top 10 and Mobile top 10 for 2013; Out of the box filters and scan confirmations ensure security compliance and best practices
    3. Enhanced encryption to protect your security assets: Support for industry standard Transport Layer Security (TLS) protocol 1.2; Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a
  • AppScan 8.8: U.S. Federal Compliance Update
    - Enhanced encryption (support for TLS 1.2)
    - Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a
    - DISA STIG V3.5 out-of-the-box report (Source only)
  • AppScan Source 8.8: Consumability & Usability Features
    - New Vulnerability Matrix with extensive Tool Tips
    - More options to optimize viewing of important trace information
    - Collapsible Trace view
  • AppScan Source 8.8: Improved Time to Value
    - Scan Configurations. Enhanced: Android, Large application, Normal, Quick, Web. New: Follow all virtual call targets, iOS, Maximize findings, Maximize traces, Show all errors and warnings in console, Medium-to-large application, User input vulnerabilities, Service code
    - Filter Support: Updated existing filters to improve accuracy; Added new filters: OWASP Top 10 2013, OWASP Top 10 Mobile Risks; Added filter information to assessment results and reports; Vulnerability types automatically set
    - New Out-of-the-box reports: DISA STIG V3.5; OWASP Top 10 2013; OWASP Top 10 Mobile Risks, RC1
  • AppScan Source 8.8: Platform Updates
    - Operating System Updates: Windows Server 2012; Red Hat Enterprise Linux 6.4
    - Updated IDE Support: Visual Studio 2012; Eclipse 4.2, 4.2.2, 4.3; Rational Application Developer 8.5.1, 9.0
    - Defect Tracking System Updates: Rational ClearQuest 8.0.1; Rational Team Concert 4.0.2, 4.0.3, 4.0.4
    - Enhanced Framework Support: Spring MVC 3; Additional feature support for Spring MVC 2.5; ASP.NET MVC; .NET 4.5; Java JAX-RS (V1.0 & 1.1); Java JAX-WS (V2.2); Enhanced Web Services support including WSDL
    - Other Updates: Rational License Key Server 8.1.4; WebLogic 11, 12; WebSphere 8, 8.5; Tomcat 7; Support for .NET 4.5; Microsoft Windows authentication via AppScan Enterprise
  • AppScan Enterprise 8.8: Summary
    - Importing a scan configuration from AppScan Standard desktop client: Leverage the scalability of AppScan Enterprise Dynamic Analysis Scanner by importing and scheduling scans configured with the AppScan Standard desktop client.
    - Windows-based authentication for both DAST and SAST clients: Set up Windows authentication (based on Active Directory) when deploying both DAST and SAST clients. Installing and setting up Jazz Team Server is NOT required!
    - Enhanced REST API for QA automation: Reuse quality assurance functional test scripts to implement Dynamic Analysis security testing automation via new REST API interfaces.
    - Finer custom user type settings: More flexibility for configuring decentralized AppScan Enterprise administration.
    - Compliance report update: OWASP Top 10 (2013)
  • AppScan Enterprise 8.8: Importing a scan configuration from AppScan Standard client
  • AppScan Enterprise 8.8: Windows based authentication for both DAST and SAST clients
  • AppScan Enterprise 8.8: Enhanced REST API for QA automation. The problem:
    - The task of recording scripts (HTTP traffic) for the purposes of security testing is duplication of the same task being performed for the purpose of functional testing.
    - QA teams would like to leverage their functional test scripts (based on HTTP traffic) for the purposes of security testing.
  • AppScan Enterprise 8.8: Enhanced REST API for QA automation. The solution – new REST API interfaces to help:
    - Integrate AppScan with various QA automation tools to remove duplication of work
    - Automate the creation of AppScan security scan jobs based on captured HTTP traffic
  • AppScan Standard 8.8: Summary
    - Session management improvements – Action Based Login (ABL)
    - Parameter and cookie tracking new options
    - User Experience related enhancements: Session detection pattern – In Session or Out of Session; Manual Test dialog now has Search fields for both request and response content; Use External Browser option is exposed in the UI
    - TLS 1.1 and 1.2 are now supported in addition to TLS 1.0 and SSL 3.0; SSL 2.0 has been deprecated in this release, but can still be configured
    - Generic Services Client update: Version 8.5 is now used for setting up web services scans
  • AppScan Standard 8.8: Action Based Login
    - Session handling is one of the key factors for a successful scan.
    - In previous versions, when a login sequence was recorded, AppScan would use the recorded HTTP traffic to replay the same sequence of requests each time a login playback was needed.
    - With Action Based Login, AppScan actually uses the browser and performs the same actions as recorded by the user.
    - Internal tests show dramatic improvement in AppScan’s ability to successfully record and replay the login sequence.
    - ABL combined with the ‘old’ traffic based login is used automatically by AppScan and there is no need for user intervention.
  • Try AppScan 8.8 Now!
    - Free download available: http://www.ibm.com/developerworks/downloads/r/appscan/
    - The IBM Security AppScan download is a fully functional, unlimited version of the IBM Security AppScan Standard product.
    - The only restriction is that scanning is limited to one site, Altoro Mutual at http://demo.testfire.net. We provide this site to testers so that you can explore the testing process without fear of bringing down a production site.
  • Why IBM?
  • Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST)
    - Magic Quadrant for Application Security Testing, Neil MacDonald, Joseph Feiman, July 2, 2013
    - “The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.”
    - This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.
    - Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
  • Why IBM Security AppScan? Complete and integrated Application Security Testing (AST) solution in the market
    - Complete AST offering: 1. AppScan is a rich set of application testing management products that can scale. 2. AppScan also offers special editions for specific users. 3. IBM has the strongest ability to execute including X-Force.
    - Integrated AST solution: 1. AppScan is part of the larger IBM Security Systems vision that encompasses the enterprise security intelligence, mobile, Big Data and Cloud. 2. AppScan can be integrated with enterprise risk management and intelligence via integrations.
    - Best fit for enterprises: 1. AppScan meets enterprise needs with flexible deployment models and the most advanced testing. 2. AppScan is available in both on-premise and managed services offerings. 3. AppScan has the highest degree of accuracy. 4. AppScan also has the best attack vector coverage.
  • Cisco: Scaling application vulnerability management across a large enterprise
    - The need: With a small security team and an application portfolio of nearly 2,500 applications, security staff worried they were becoming a “bottleneck” in application security testing.
    - The solution: Using IBM® Security AppScan® Enterprise, Cisco empowered its developers and QA personnel to test applications and address security issues before deployment.
    - The benefits: Drove a 33 percent decrease in number of issues found; Reduced post-deployment remediation costs significantly; Freed security experts to focus on deep application vulnerability assessments
    - “We’ve seen a 33 percent decrease in the number of issues found and a huge reduction in remediation costs post deployment.” —Sujata Ramamoorthy, Director, Information Security, Cisco
    - Solution components: IBM® Security AppScan® Standard; IBM Security AppScan Enterprise
    - Case study reference: WGP03056-USEN-00
  • Resources
  • Related Webinar Available On Demand: Mobile Application Security and Data Protection Challenges, http://www-03.ibm.com/security/2013webinarseries/details/index.html
    - Securing mobile applications requires an understanding of the unique characteristics of mobile computing. Addressing application security early in the software development life cycle is even more important for mobile applications. However, securing mobile applications is different from securing mobile devices. In this presentation Tom will highlight the mobile security risks for end users and enterprises, show you some great examples of simple but effective mobile threats, and discuss application development steps every organization should take to protect their customers and their company.
  • Additional Information
    - Documents
      - EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps: https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swgWW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W
      - AppScan Source Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF
      - AppScan Standard Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF
      - AppScan Enterprise Data Sheet: ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF
    - Posts
      - 2013 Gartner Application Security Testing MQ and the Evolution of Software Security: http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/
      - Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST): http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/
    - Podcasts
      - 2013 Gartner Magic Quadrant for Application Security Testing: http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing
      - Application + Threat + Security intelligence = Priceless: http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless
      - Taking Application Security from the Whiteboard to Reality: http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality
  • Videos
    - Overview of IBM Security AppScan: http://www.youtube.com/watch?v=9R4IjZpKt8I
    - How College Board is Building Security into Application Development: http://www.youtube.com/watch?v=TtqhlcTnbg8
    - Building Better, More Secure Applications: http://www.youtube.com/watch?v=UcN2uUolgKk
    - Using Application Security Testing to Increase Deployment Speed: http://www.youtube.com/watch?v=VImy3ilYUSk
    - IBM Security AppScan 8.7 for iOS mobile application support: http://www.youtube.com/watch?v=I73tbAmJIGw
    - IBM Security AppScan 8.7 for iOS Applications: http://www.youtube.com/watch?v=egnEH-GGQEI
    - IBM Security AppScan: Analysis Perspective: http://www.youtube.com/watch?v=UZD53ZgV848
  • Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
    ibm.com/security
    © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.