
IBM Software
IBM Security Solutions

Solution Brief

Web application security with IBM Security Solutions
Enhance your IT security investment with robust web application protection

Highlights

● Designed to deliver the full protection of a web application firewall through network and server intrusion prevention solutions

● Offers proactive web application, Web 2.0 and database protection to limit potential business interruptions and exposures

● Integrates with IBM Rational® AppScan® to automatically generate recommended security policies for your specific web application vulnerabilities identified by AppScan

● Helps meet regulatory compliance requirements and industry standards, including PCI DSS

Fortifying your IT security solution with protection for web applications

Web applications can help foster closer interactions with your customers and improve collaboration with your employees. During the past several years, however, the number of web-related threats to enterprises of nearly all sizes has risen sharply. About half of these attacks targeted web applications. Even more alarming, by year-end 2009, two-thirds of all disclosed web application vulnerabilities had no patch available. Two significant areas of vulnerability, Structured Query Language (SQL) injection attacks and Cross Site Scripting (XSS) attacks, dominated the attack landscape in 2009.¹ These growing areas of targeted attacks on sensitive information exploit websites by altering back-end code to manipulate data entered by users, and exploit the trust relationship between users and the websites they visit.

The increase in attacks is due in part to the sheer number of web applications being developed—a number that is skyrocketing. In spite of their potential, the interactive nature of these new, collaborative techniques for sharing information makes them highly susceptible and vulnerable to attacks. To help protect your business—and reputation—you need to find ways to enhance your company’s security solutions.

With web application protection built into the core IBM intrusion prevention engine, IBM offers the same security as a web application firewall to address web-related vulnerabilities and strengthen your security posture. Integrated into the latest models of the IBM Security family of network and server security products, this feature can help you control attacks at the network, gateway and server levels.


[Figure: IBM Protocol Analysis Module technology. Panels: Client-side Application Protection; Virtual Patch Web Application Protection; Application Control; Threat Detection and Prevention; Data Security. Featured technologies: Virtual Patch, Application Control, DNS poisoning and virus protection.]

The IBM protocol analysis module (PAM) drives security convergence to deliver network and server protection that goes beyond traditional IPS. With its modular architecture that allows for extensible protection, PAM now includes web protection technologies.

Backed by the security expertise of the IBM X-Force® research and development team, we employ a unique protocol analysis module (PAM) as the core technology of our solutions to help provide deep-packet inspection. Coupled with the sophisticated security capabilities of IBM WebSphere® DataPower® appliances, including policy enforcement, fine-grained authentication and authorization, advanced XML threat protection and accelerated Secure Sockets Layer (SSL) processing, this solution helps identify intrusions and assists in blocking malicious packets sent to web applications and back-end databases.

Rather than purchasing a stand-alone web application firewall, you can take advantage of web protection that is already enabled in trusted IBM Security Solutions, such as:

● IBM Security Network Intrusion Prevention System², which helps enable preemptive protection against a wide variety of Internet threats

● IBM Security Server Protection products, which help keep data and applications reliable, available and confidential by providing automated, near real-time intrusion protection and detection by analyzing events, host logs and inbound and outbound network activity on critical enterprise servers

● IBM Security Virtual Server Protection, which limits access to critical data, tracks user access, reports on the virtual infrastructure and provides defense-in-depth, dynamic security with VM rootkit detection and virtual infrastructure auditing and monitors traffic with VMsafe integration.

In addition to enhancing web application protection, the PAM engine that fuels the IBM Security network and server protection product lines also provides a unique combination of proactive security methods, including:

● IBM Virtual Patch® technology—Shielding vulnerabilities from exploitation, independent of a software patch.

● Client-side application protection—Protects end users against attacks targeting applications used every day, such as Microsoft® Office files, Adobe® PDF files, multimedia files and web browsers.

● Advanced network protection—Advanced intrusion prevention, including DNS protection.

● Data security—Monitoring and identification of unencrypted personally identifiable information (PII) and other confidential data.

● Web application security—Protection for web apps, Web 2.0 and databases (the same protection as a web application firewall).

● Application control—Reclaim bandwidth and block Skype, peer-to-peer networks and tunneling.


Eliminating the need to purchase and manage a separate web security point product

By embedding enhanced security capabilities into the core engine of the latest models of our intrusion prevention products, IBM can help you avoid the added cost and complexity of maintaining stand-alone web application firewalls. Each of our solutions runs a unique injection logic engine (ILE) to give your network, server and web applications a proactive level of protection—a significant advantage over typical security solutions. If you’re already using the latest network and server intrusion prevention solutions from IBM, the capability to provide robust protection specifically for your web applications is already there. So there’s no need to make an additional technology investment, and you can manage the entire solution from a single IBM Proventia® Management SiteProtector system or through IBM Managed Security Services.

Providing a proactive approach to web protection

Using the ILE as leverage, IBM Security intrusion prevention solutions with the full security of a web application firewall help block attacks on your web applications. The ILE helps preempt injection attacks by calling out unique patterns not usually seen in valid web requests. By totaling and scoring specific keywords and symbols, the ILE can detect and subsequently block SQL injection attacks. Instead of reacting to security breaches after they’re discovered, the ILE takes an attack stance toward injections. Through its comprehensive list of SQL syntactic cues, the ILE helps protect your system by:

● Evaluating and scoring parameter values
● Blocking requests that exceed the scoring threshold
● Flagging particular keyword combinations to identify what type of SQL injection is occurring
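The three steps above, as an added illustration in Python that is not IBM's code: each request parameter is scored against a cue table of keywords and symbols, the request is blocked only when the highest score exceeds a threshold, and the combination of cues that fired labels the injection type. The brief does not publish the ILE's real cue list, weights or threshold, so the table, the threshold of 5 and the sample requests are constructed assumptions; the benign search "black and white" shows why a threshold, rather than any single keyword, decides the block.

```python
import re
from urllib.parse import parse_qs
# Constructed cue table (assumption: the brief does not publish the ILE's cues or weights).
KEYWORD_WEIGHTS = {"union": 3, "select": 3, "insert": 3, "update": 3, "delete": 3,
                   "drop": 4, "sleep": 3, "waitfor": 3, "or": 2, "and": 2}
# Symbols are scored per occurrence; quotes and comment markers weigh most.
SYMBOL_WEIGHTS = {"'": 1, '"': 1, "=": 1, ";": 2, "--": 3, "/*": 3}
# Cue combinations that label the injection type (first match wins).
COMBINATIONS = [({"union", "select"}, "union-based"), ({"sleep"}, "time-based blind"),
                ({"waitfor"}, "time-based blind"), ({";"}, "stacked query"),
                ({"or", "="}, "tautology")]

def score_value(value):
    """Score one parameter value; returns (score, set of cues that fired)."""
    lowered = value.lower()
    score, hits = 0, set()
    for keyword, weight in KEYWORD_WEIGHTS.items():
        if re.search(r"\b" + keyword + r"\b", lowered):  # whole-word match only
            score += weight
            hits.add(keyword)
    for symbol, weight in SYMBOL_WEIGHTS.items():
        count = value.count(symbol)
        score += count * weight
        if count:
            hits.add(symbol)
    return score, hits

def classify(hits):
    """Name the injection type when a known cue combination is present."""
    for required, label in COMBINATIONS:
        if required <= hits:
            return label
    return None

def evaluate_request(query_string, threshold=5):
    """Score every parameter; block when the highest score exceeds the threshold."""
    worst = {"param": None, "score": 0, "type": None, "blocked": False}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:
            score, hits = score_value(value)
            if score > worst["score"]:
                worst = {"param": name, "score": score,
                         "type": classify(hits), "blocked": score > threshold}
    return worst

if __name__ == "__main__":
    # Constructed samples: two benign searches, then two textbook probes.
    for qs in ("q=cheap+blue+shoes", "q=black+and+white",
               "id=1'+OR+'1'='1", "id=1+UNION+SELECT+1,2,3--"):
        print(qs, "->", evaluate_request(qs))
```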

This proactive approach to web application security is atypical of many web protection solutions, which merely audit attacks and react to them.

IBM Web application firewall capabilities inside our intrusion prevention solutions help address the primary sources of attack for:

● Web applications—helps block shell command injections, server-side include (SSI) injections, cross-site scripting (XSS) and directory traversal

● Databases—helps block SQL, Lightweight Directory Access Protocol (LDAP) and XML Path Language (XPath) injections

● Web 2.0—helps block JavaScript Object Notation (JSON) hijacking, potential cross-site request forgery (CSRF) attacks and advanced cross-site scripting techniques

Delivering holistic web app security by integrating proactive protection with vulnerability management

IBM delivers a holistic approach to web application security by integrating threat mitigation solutions from network IPS and server protection with vulnerability management from IBM Rational AppScan via a common management platform in IBM Security SiteProtector System. In addition to serving as a command and control console for network and server protection, SiteProtector integrates with AppScan to report on web application vulnerabilities, manage resolution of those vulnerabilities and provide automated policy recommendations to help block attacks against those specific vulnerabilities identified by AppScan.

Easing compliance efforts while helping to protect your data—and your reputation

IBM Web application firewall capabilities help you more easily manage compliance requirements and industry regulations, such as those required by the Payment Card Industry (PCI) Data Security Standard (DSS) 6.6. This standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures essential to maintaining a security-rich environment for your customers’ payment card transactions. At the same time you gain greater protection for your data, you are also safeguarding your reputation. IBM makes it easier to manage compliance with PCI DSS 6.6 by including the same full security of a web application firewall in our broad portfolio of IPS solutions.

Why IBM?

IBM Web application security is designed to provide a cost-effective solution to help fortify your web applications against security exposures. This solution leverages our own X-Force team of security experts, who evaluate vulnerabilities and security issues, develop assessments and countermeasure technology for IBM Security products and educate the public about emerging Internet threats.

When exposures can compromise your data, jeopardize your reputation or even shut down your business, IBM Web application security can help provide you with coverage that does not require an additional purchase or installation of a stand-alone web application firewall. And you can also leverage the skills and experience of IBM Professional Security Services to help you assess your security capabilities, then plan for, design and deploy an optimal solution for your IT and business needs.

We also offer managed protection services to monitor and manage your environment to help take this burden off of your staff. In addition, IBM Rational AppScan products and services can perform a security risk analysis of your web applications. The IBM portfolio of products and services helps you focus on new business initiatives with less worry over where your vulnerabilities lie and how to protect them.

For more information

To learn more about IBM Web application security, please visit: ibm.com/security

© Copyright IBM Corporation 2010

IBM Corporation
Software Group
Route 100
Somers, NY 10589 U.S.A.

Produced in the United States of America
July 2010
All Rights Reserved

IBM, the IBM logo, ibm.com and Rational are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Adobe is a registered trademark of Adobe Systems Incorporated in the United States, and/or other countries.

Java is a trademark of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft is a trademark of Microsoft Corporation in the United States, other countries, or both.

Other product, company or service names may be trademarks or service marks of others.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. Any statements regarding IBM’s future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

The customer is responsible for ensuring compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the reader may have to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law or regulation.

¹ 2009 IBM X-Force Trend & Risk Report.

² IBM web application security is embedded into the MX and GX models of the network IPS product lines.

SES03002-USEN-01