IBM Rational Vision and Roadmap for
                                 Application Security
                                ...
IBM Rational Software Conference 2009



Today’s Agenda

           Strategic Trends in Application Security
           Be...
IBM Rational Software Conference 2009


Changing security landscape creates complex
threats
Web-enabled Applications Drive...
IBM Rational Software Conference 2009



2009 Web Threats Take Center Stage

    Web application vulnerabilities
      Rep...
IBM Rational Software Conference 2009



Growth of Web Application Vulnerabilities



  SQL injection                     ...
IBM Rational Software Conference 2009


Webapp Exploitation is Cheaper and Easier than Alternatives




                  ...
IBM Rational Software Conference 2009



Exploitation of SQL injection skyrocketed in 2008



      Increased by 30x from ...
IBM Rational Software Conference 2009


Application Security Maturity Model

           UNAWARE     CORRECTIVE            ...
IBM Rational Software Conference 2009



Driver #1 – Cost Benefits of Early Detection




                         ASC01
IBM Rational Software Conference 2009


Driver #2 – Need to Scale

                       Phase 1               Phase 2   ...
IBM Rational Software Conference 2009




      IBM Rational Vision and Roadmap for
      Application Security




       ...
IBM Rational Software Conference 2009



Securing a smarter planet
                                                       ...
IBM Rational Software Conference 2009



Key Focus Areas

1. Build security into the development lifecycle
            Dev...
IBM Rational Software Conference 2009

IBM Rational AppScan End-to-End Web Application Security

REQUIREMENTS             ...
IBM Rational Software Conference 2009

 IBM Rational AppScan – Security in the Development Lifecycle
           CODE      ...
IBM Rational Software Conference 2009

Application Security in: Code/Build
REQUIREMENTS                  CODE             ...
IBM Rational Software Conference 2009




                                          Dev Team 1
                           ...
IBM Rational Software Conference 2009



IBM Rational AppScan Developer & Build Editions
     Web Application Security Sol...
IBM Rational Software Conference 2009


Security Issues Coverage


                                        Total Potential...
IBM Rational Software Conference 2009



Roadmap Highlights: Code/Build
   Add new language support
      Current product ...
IBM Rational Software Conference 2009

Application Security in: QA
REQUIREMENTS                  CODE                    B...
IBM Rational Software Conference 2009



Introducing AppScan Tester Edition for RQM
                                      ...
IBM Rational Software Conference 2009


Rational Quality Manager – Test Management Hub

                                  ...
IBM Rational Software Conference 2009

Application Security in: Security Team
REQUIREMENTS                  CODE          ...
IBM Rational Software Conference 2009



  Introducing Rational AppScan Version 7.8


    Securing next generation Web app...
IBM Rational Software Conference 2009

Advancing Web 2.0 Security: automatically auditing Adobe
Flash Applications
       ...
IBM Rational Software Conference 2009

Extending AppScan’s lead in Web Services security
testing
    Web Services momentum...
IBM Rational Software Conference 2009
                               CVSS support provides industry
                      ...
IBM Rational Software Conference 2009



The Problem: Legitimate Sites serving Malware
   Malware is served or linked prim...
IBM Rational Software Conference 2009



AppScan’s HTTP-Based Malware Scanning

1. Discover all content and
   links in a ...
IBM Rational Software Conference 2009

Application Security in: Production
REQUIREMENTS                  CODE             ...
IBM Rational Software Conference 2009



Expanded Options for Production Testing and Defense

1. Testing solutions:
      ...
IBM Rational Software Conference 2009



Introducing expanded Rational AppScan OnDemand

         AppScan OnDemand:
      ...
IBM Rational Software Conference 2009



Block attacks in real-time with Proventia Web application
security
 Intrusion pre...
IBM Rational Software Conference 2009


Rational/ISS Vision: Application & Network Security Ecosystem




                ...
IBM Rational Software Conference 2009


WebSphere DataPower SOA Appliances
                                             An...
IBM Rational Software Conference 2009



Virtual Application Security Patch
 1. Rational AppScan Scans Web Application,
  ...
IBM Rational Software Conference 2009



2009 Roadmap
Q1
   New AppScan Releases
      AppScan Standard, Express, Develope...
IBM Rational Software Conference 2009



Application Security at RSC

1. Application Security Track Sessions


2. Rational...
IBM Rational Software Conference 2009

                                             IBM Rational User Technologies


     ...
IBM Rational Software Conference 2009




                         ASC01          41
IBM Rational Software Conference 2009




© Copyright IBM Corporation 2009. All rights reserved. The information contained...
Upcoming SlideShare
Loading in …5
×

IBM Rational Software Conference 2009: Application Security & Compliance Track Keynote

2,212 views

Published on

Track Keynote for the Application Security & Compliance Track at the IBM Rational Software Conference 2009

More and more we rely on Web-based software and systems to run business processes, conduct transactions and deliver sophisticated services to customers. Unfortunately, in the race to stay ahead competitors, we often give little or no attention to ensuring that these applications don't compromise our security or compliance by introducing exploitable vulnerabilities that can used to compromise confidential company information or sensitive client data. The most efficient way to stay ahead of application security and compliance is to build software securely from the ground up. Unfortunately, application security is often an after-thought, "bolted on" at the end of the software development process, rather than "built in" across the entire development and delivery cycle, resulting in vulnerabilities that are found late -- if at all -- where they prose the greatest threats and are significantly more costly to repair.

In this track we will focus on the fundamentals of application security - common attack types, how to defend against these attacks, secure coding practices, identifying vulnerabilities through a combination of manual and automated approaches, what to do when vulnerabilities have been identified, and best practices for integrating security testing into application development. We will also delve into emerging threats in Web 2.0 environments, SOA security and the inherent risks of Web-enabling legacy applications.

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,212
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

IBM Rational Software Conference 2009: Application Security & Compliance Track Keynote

  1. 1. IBM Rational Vision and Roadmap for Application Security Michael Weider Director, Rational ASC01 © 2009 IBM Corporation
  2. 2. IBM Rational Software Conference 2009 Today’s Agenda Strategic Trends in Application Security Best Practices and Strategies Vision and Roadmap for 2009 and Beyond ASC01
  3. 3. IBM Rational Software Conference 2009 Changing security landscape creates complex threats Web-enabled Applications Drive the Need for Security New Applications are increasing the attack surface Complex Web applications create complex security risks Making applications more available to “good” users, makes them more available to “bad” users Web attacks are evolving to blended attacks (i.e. planting of malware on legitimate web sites) Web Applications ASC01
  4. 4. IBM Rational Software Conference 2009 2009 Web Threats Take Center Stage Web application vulnerabilities Represent largest category in vuln disclosures (55% in 2008) 4 ASC01
  5. 5. IBM Rational Software Conference 2009 Growth of Web Application Vulnerabilities SQL injection The number of vulnerability active, disclosures automated more than attacks on web doubled in servers was comparison to unprecedented 2007 ASC01
  6. 6. IBM Rational Software Conference 2009 Webapp Exploitation is Cheaper and Easier than Alternatives ASC01
  7. 7. IBM Rational Software Conference 2009 Exploitation of SQL injection skyrocketed in 2008 Increased by 30x from the midyear to the end of 2008 ASC01
  8. 8. IBM Rational Software Conference 2009 Application Security Maturity Model UNAWARE CORRECTIVE BOLT ON BUILT IN PHASE PHASE PHASE 20 % 50 % Maturity 20 % 10 % Duration 2-3 Years Time ASC01
  9. 9. IBM Rational Software Conference 2009 Driver #1 – Cost Benefits of Early Detection ASC01
  10. 10. IBM Rational Software Conference 2009 Driver #2 – Need to Scale Phase 1 Phase 2 Phase 3 Development # of Team people involved Development Team QA Team QA Team Security Team Security Team Security Team Low High % Applications Tested ASC01
  11. 11. IBM Rational Software Conference 2009 IBM Rational Vision and Roadmap for Application Security ASC01
  12. 12. IBM Rational Software Conference 2009 Securing a smarter planet Globalization and Globally Available Resources Billions of mobile devices Access to streams of accessing the Web information in the Real Time New possibilities. New Forms of Collaboration New complexities. New risks. ASC01
  13. 13. IBM Rational Software Conference 2009 Key Focus Areas 1. Build security into the development lifecycle Development, QA, Security audit, Production monitoring and defense 2. Composite analysis technology for automation Integrated blackbox, whitebox and runtime analysis 3. Provide multiple delivery options Software, software as service, consulting, appliance/IPS ASC01
  14. 14. IBM Rational Software Conference 2009 IBM Rational AppScan End-to-End Web Application Security REQUIREMENTS CODE BUILD QA SECURITY PRODUCTION Req’ts Definition AppScan Developer AppScan Build AppScan Tester AppScan Standard AppScan OnDemand (security templates) (desktop) (scanning agent) (scan agent & clients) (desktop) (SaaS) AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting) Security requirements Automate Security / Security / compliance Security & Outsourced testing defined before design Build security Compliance testing testing incorporated Compliance Testing, for security audits & & implementation testing into the IDE in the Build Process into testing & oversight, control, production site remediation workflows policy, audits monitoring Application Security Best Practices ASC01
  15. 15. IBM Rational Software Conference 2009 IBM Rational AppScan – Security in the Development Lifecycle CODE BUILD QA SECURITY AppScan Enterprise / Reporting Console AppScan Ent. (scanning agent) AppScan AppScan AppScan AppScan Build Ed Developer Ed QuickScan (QA clients) Enterprise user Standard Ed (web client) (scanning agent) AppScan Tester Ed (web client) (desktop) (desktop) AppScan Express Rational Rational (desktop) Application Software Rational Rational Rational Quality Developer Analyzer ClearCase BuildForge Manager Rational ClearQuest / Defect Management IBM Rational Web Based Training for AppScan Build security testing into Automate Security / Security / compliance testing Security & Compliance the IDE* Compliance testing in the incorporated into testing & Testing, oversight, Build Process remediation workflows control, policy, audits ASC01
  16. 16. IBM Rational Software Conference 2009 Application Security in: Code/Build REQUIREMENTS CODE BUILD QA SECURITY PRODUCTION Req’ts Definition AppScan Developer AppScan Build AppScan Tester AppScan Standard AppScan OnDemand (security templates) (desktop) (scanning agent) (scan agent & clients) (desktop) (SaaS) AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting) Security requirements Automate Security / Security / compliance Security & Outsourced testing defined before design Build security Compliance testing testing incorporated Compliance Testing, for security audits & & implementation testing into the IDE in the Build Process into testing & oversight, control, production site remediation workflows policy, audits monitoring Application Security Best Practices ASC01
  17. 17. IBM Rational Software Conference 2009 Dev Team 1 Scan Scan Data and Data and Dev Team 2 Reports Dev Team 5 Reports Scan Data and Reports ASE Portal Scan Scan Data and Data and Scan Reports Reports Data and Reports Dev Team 4 Dev Team 3 Security Team ASC01
  18. 18. IBM Rational Software Conference 2009 IBM Rational AppScan Developer & Build Editions Web Application Security Solutions for Development The most efficient place in the SDLC to find and fix security issues Dev Ed Empowers Developers to do Security Testing Desktop IDE-Integrated Solution for Developers Also helps build a developer’s web appsec awareness Build Ed Ensures All Code is Scanned Many dev environments do automated regression tests in their regular build process Now can include Security tests in regression tests Automation-Friendly, Build time oriented solution Key Stakeholder/User – Build Engineer ASC01
  19. 19. IBM Rational Software Conference 2009 Security Issues Coverage Total Potential Security Issues Static Dynamic Runtime Analysis Analysis Analysis ASC01
  20. 20. IBM Rational Software Conference 2009 Roadmap Highlights: Code/Build Add new language support Current product only supports Java, In 2009 we will add .NET Support analysis of Web Applications built on .NET; using both black box and white box testing techniques Productizing String Analysis Provides automatic detection of user defined sanitizers – automating parts of the configuration to contain false positive issues from static analysis Included to-date as a Tech Preview; will improve accuracy and performance, modify detection methodology, and be turned on by default Enhanced Static Analysis engine Support for all Java frameworks (including Portal and services) Evolve performance, scalability and usability Responding to customer feedback to date Tighter integration with Code Quality tools (Software Analyzer and Logiscope) ASC01
  21. 21. IBM Rational Software Conference 2009 Application Security in: QA REQUIREMENTS CODE BUILD QA SECURITY PRODUCTION Req’ts Definition AppScan Developer AppScan Build AppScan Tester AppScan Standard AppScan OnDemand (security templates) (desktop) (scanning agent) (scan agent & clients) (desktop) (SaaS) AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting) Security requirements Automate Security / Security / compliance Security & Outsourced testing defined before design Build security Compliance testing testing incorporated Compliance Testing, for security audits & & implementation testing into the IDE in the Build Process into testing & oversight, control, production site remediation workflows policy, audits monitoring Application Security Best Practices ASC01
  22. 22. IBM Rational Software Conference 2009 Introducing AppScan Tester Edition for RQM RQM - Rational Quality Manager Embedd Security Testing into the QA Process Ideal way to scale security testing Integrated into the QA environment to enable the adoption of security testing alongside functional and performance testing Delivering the building blocks to help customers build a process to address security & compliance Leverage existing compliance mechanisms in the QA process Provides collaboration tools for security testing between development, QA and security teams The Result: Seamless integration of security testing to provide Collaboration, Automation and Reporting ASC01
  23. 23. IBM Rational Software Conference 2009 Rational Quality Manager – Test Management Hub IBM Collaborative Application Lifecycle Management Rational Quality Manager Quality Dashboard Requirements Test Management and Execution Defect Management Management Create Build Manage Report Plan Tests Test Lab Results Open Platform Best Practice Processes JAZZ TEAM SERVER SAP System z, i Java Open Lifecycle Service Integrations .NET Functional Security and Testing Performance Code Compliance Web Service Testing Quality Quality homegrown ASC01
  24. 24. IBM Rational Software Conference 2009 Application Security in: Security Team REQUIREMENTS CODE BUILD QA SECURITY PRODUCTION Req’ts Definition AppScan Developer AppScan Build AppScan Tester AppScan Standard AppScan OnDemand (security templates) (desktop) (scanning agent) (scan agent & clients) (desktop) (SaaS) AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting) Security requirements Automate Security / Security / compliance Security & Outsourced testing defined before design Build security Compliance testing testing incorporated Compliance Testing, for security audits & & implementation testing into the IDE in the Build Process into testing & oversight, control, production site remediation workflows policy, audits monitoring Application Security Best Practices ASC01
  25. 25. IBM Rational Software Conference 2009 Introducing Rational AppScan Version 7.8 Securing next generation Web applications and technologies Automated scanning and testing for Flash-based applications Support for increasingly sophisticated Web Services applications Built in expert security intelligence for analyzing results Addresses #1 problem inhibiting broader adoption of scanning tools “Results Expert” helps users understand and articulate issues to external audiences The Result: Improved Security and More Efficient Testing ASC01
  26. 26. IBM Rational Software Conference 2009 Advancing Web 2.0 Security: automatically auditing Adobe Flash Applications Evolution of Flash support First generation tools partially explored through Flash applications Second generation (emerging now) can fully explore and audit Flash applications Rational AppScan automatically scans Flash-based applications Is the first to introduce automatic Flash Execution (first “Second Generation” scanner) Similar to AJAX: 1st gen was parsing, 2nd gen was execution Automatically explores deep and complex Flash applications Identifies traditional, as well as Flash-specific security issues Cross-Site Flashing, Cross-Site Scripting through Flash, Phishing… Supports Flash & Flex applications Includes server-side testing of Flex applications (only scanner to support AMF protocol) Continued leadership in Flash application security Flash Execution is now a strategic & evolving component of AppScan ASC01
  27. 27. IBM Rational Software Conference 2009 Extending AppScan’s lead in Web Services security testing Web Services momentum continues Enterprise Modernization allows organizations to transition legacy applications to sophisticated Web 2.0 and SOA solutions, driven by user demand Legacy applications were not designed with Web security considerations SOA deployments present a complex and rich technology heavy scanning environments Leveraging IBM’s rich investment in SOA Using established Rational SOA Tester capabilities Powerful functional & performance testing for SOA AppScan to include GSC: General SOA Client Testing Custom Web Services code Identifies business logic vulnerabilities Support complex Web Services deployments XML Signatures XML Encryption Complex Types in WSDL … ASC01
  28. 28. IBM Rational Software Conference 2009 CVSS support provides industry standard severity rating Guides user through verifying that the issue is a legitimate vulnerability Integrated screenshots with explanations immediately demonstrate whether an issue truly exists, saving time and effort ASC01
  29. 29. IBM Rational Software Conference 2009 The Problem: Legitimate Sites serving Malware Malware is served or linked primarily from Legitimate Sites! “Federal Travel Booking Site “TrendMicro site Spreads Malware” infected users with -Washington Post Trojan” “A large web - CIO hosting firm (IPower) “BusinessWeek website attacked and inflicted by mass “Twitter hosts malware” malware installation” worm strikes” -Net-Security - Washington Post - New York Times Flagged as the “New Biggest Problem”: WebSense: "Legitimate Sites Carry Increasing Portion Of Malware“ (Jan, '09) ScanSafe: "Web-based malware up 400%, 68% hosted on legitimate websites“ (June, '08) Blog: "Online Trust: A Thing of the Past?" (Jan, '09) X-Force: "Are Legitimate Sites the Next Malware Threat?" (Feb, '09) Breach: “SQL Injection Attacks Planting Malware on Web Sites Ranks #1 in Breach Security’s 2008 Web Hacking Incidents Database Report” (Feb, '09) ASC01
  30. 30. IBM Rational Software Conference 2009 AppScan’s HTTP-Based Malware Scanning 1. Discover all content and links in a Web Application Execute JavaScript & Flash Fill forms and login sequences Analyze secure pages … 2. Analyze all content for malicious behavior indicators link1 link2 3. Compare all links to link3 comprehensive black-lists ASC01
  31. 31. IBM Rational Software Conference 2009 Application Security in: Production REQUIREMENTS CODE BUILD QA SECURITY PRODUCTION Req’ts Definition AppScan Developer AppScan Build AppScan Tester AppScan Standard AppScan OnDemand (security templates) (desktop) (scanning agent) (scan agent & clients) (desktop) (SaaS) AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting) Security requirements Automate Security / Security / compliance Security & Outsourced testing defined before design Build security Compliance testing testing incorporated Compliance Testing, for security audits & & implementation testing into the IDE in the Build Process into testing & oversight, control, production site remediation workflows policy, audits monitoring Application Security Best Practices ASC01
  32. 32. IBM Rational Software Conference 2009 Expanded Options for Production Testing and Defense 1. Testing solutions: – AppScan Enterprise – AppScan OnDemand – ISS Managed Security Services 2. Defensive solutions: – ISS Proventia IPS with New Web Protection – DataPower SOA Appliance 3. Combined approach – Integrated scanning and defense ASC01
  33. 33. IBM Rational Software Conference 2009 Introducing expanded Rational AppScan OnDemand AppScan OnDemand: Comprehensive testing of pre-production applications Periodic assessment of applications in QA or Security Monthly scans Flexible offerings base on organization (Small/Medium/Large) AppScan OnDemand Production Site Monitoring: Continuous scanning of production Web sites for vulnerabilities that may have been introduced after the app went live Dynamic or interactive content and forms, online registrations Weekly scans The Result: Ability to address online risk without in-house resources with the faster route to actionable information Policy Testing OnDemand is also available to support website ASC01 compliance management for Privacy, Quality & Accessibility
  34. 34. IBM Rational Software Conference 2009 Block attacks in real-time with Proventia Web application security Intrusion prevention just got smarter with web application protection backed by the power of X-Force Virtual Patch Threat Detection & Content Analysis Web Protection Network Policy Prevention Enforcement What It Does: What It Does: What It Does: Shields vulnerabilities What It Does: Monitors and identifies Protects web applications What It Does: from exploitation Detects and prevents unencrypted personally against sophisticated Manages security policy independent of a software entire classes of threats as identifiable information (PII) application-level attacks and risks within defined patch, and enables a opposed to a specific and other confidential such as SQL Injection, segments of the network, responsible patch exploit or vulnerability. information for data awareness. XSS (Cross-site such as ActiveX management process that Also provides capability to scripting), PHP file- fingerprinting, Peer To can be adhered to without Why Important: explore data flow through the includes, CSRF (Cross- Peer, Instant Messaging, fear of a breach Eliminates need of network to help determine if any site request forgery). and tunneling. constant signature potential risks exist. Why Important: updates. Protection Why Important: Why Important: At the end of 2008, 53% includes the proprietary Why Important: Expands security Enforces network of all vulnerabilities Shellcode Heuristics (SCH) Flexible and scalable capabilities to meet both application and service disclosed during the year technology, which has an customized data search criteria; compliance requirements access based on had no vendor-supplied unbeatable track record of serves as a complement to data and threat evolution. corporate policy and patches available to protecting against zero day security strategy remedy the vulnerability governance. vulnerabilities. ASC01
  35. 35. IBM Rational Software Conference 2009 Rational/ISS Vision: Application & Network Security Ecosystem Proventia IDS/IPS Site Protector Enterprise Scanner Joint interface for Application & Network Security AppScan Agent Collaborative flow of product usage Mutual leveraging of technology ASC01
  36. 36. IBM Rational Software Conference 2009 WebSphere DataPower SOA Appliances An SOA Appliance… Creating customer value through extreme SOA connectivity, performance and security Simplifies SOA and accelerates time to value Helps secure SOA XML implementations Governs and enforces SOA/Web services policies WebSphere DataPower SOA Appliances redefine the boundaries of middleware extending the SOA Foundation with specialized, consumable, dedicated SOA appliances that combine superior performance and hardened security for SOA implementations. ASC01
  37. 37. IBM Rational Software Conference 2009 Virtual Application Security Patch 1. Rational AppScan Scans Web Application, Uncovers Security Issues 2. WebSphere DataPower Rules are Auto-Created, Based on Found Issues 3. Custom protection blocks exploits on vulnerable locations, blocking where required while avoiding False Positives 4. Vulnerabilities are remediated in the next release of Web Application 2 1 3 4 ASC01
  38. 38. IBM Rational Software Conference 2009 2009 Roadmap Q1 New AppScan Releases AppScan Standard, Express, Developer, Build Product Translations Available for all products Japanese, Korean, Traditional Chinese, Simplified Chinese, French, Italian, and German Expanded SaaS offering Production Site Monitoring Q2 Web-based Malware Detection & Scanning AppScan-ISS SiteProtector Integration Q4 Portfolio-wide release (AppScan DE, Standard and Enterprise) Joint ISS initiatives ASC01
  39. 39. IBM Rational Software Conference 2009 Application Security at RSC 1. Application Security Track Sessions 2. Rational Labs 3. User First Lounge ASC01
  40. 40. IBM Rational Software Conference 2009 IBM Rational User Technologies Try out Rational AppScan for yourself. You’re invited to the Users First Lounge, where you will get to speak one- on-one with the AppScan User Experience team on topics including: usage scenarios, user interface design, ease-of-use, user assistance, learning, and quality. This is a chance to share your reality with us and help shape the future of the AppScan family! Sign up at tinyurl.com/djoj9b or in person at Europe 5 ASC01 40
  41. 41. IBM Rational Software Conference 2009 ASC01 41
  42. 42. IBM Rational Software Conference 2009 © Copyright IBM Corporation 2009. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. ASC01 42

×