Our Vulnerability Scanning Program
INTERACTIVE CODE SCANNING

KRI's z/OS Interactive Code Scanning strengthens an organization's enterprise security by:
- Providing Interactive Application Security Testing (IAST) of the operating system, third-party software, and homegrown software and exits
- Classifying the source and types of z/OS code vulnerabilities found (including CVSS scoring)
- Providing detailed reporting which pinpoints the exact location of the identified code vulnerability
- Ensuring that all code residing within the OS layer meets IBM standards for System Integrity

z/Assure VAP, using proprietary Intellectual Property (IP), can:
- Be licensed and used as a packaged solution to continuously test for vulnerabilities on a regular basis
- Be used as part of the infrastructure update/quality assurance process whenever configurations change
- Be used as part of a Penetration Test in combination with a Compliance Audit
- Be used as part of an Application Security Audit
Our Third-Party Program
THIRD-PARTY SOFTWARE TESTING

KRI's Third-Party Software Testing Program strengthens a vendor's compliance with IBM's standards for System Integrity by:
- Automatically scanning and attesting to the security posture of each program in the software package
- Recommending resolutions which empower developers to remediate vulnerabilities and produce secure software

Third-Party Vendors can:
- License z/Assure VAP to use as a packaged solution to continuously test for vulnerabilities on a regular basis as part of their QA or Continuous Improvement processes
- Send software packages to KRI for evaluation as part of a sales cycle to meet contractual obligations with an Enterprise
- Establish independent proof of security excellence to their clients
Our Strategy: Secure Data; Not Applications
Components in an Enterprise Quadrant

Operating System (OS) layer:
- End Users have NO direct control over:
  - System programs (services)
  - System memory
- The OS facilitates communication between End Users, the Application layer, and Resources
- Access to the Application layer is through the OS layer

Application layer:
- The End User has control of:
  - Which user programs to execute
  - Modifying the user programs
  - Allocating, modifying, and freeing user memory
- Each End User has their own Application layer (Address space)
- All End Users share the OS layer

Resources such as Printers, DASD, and other nodes in the network:
- Accessed by the Application layer through the OS layer
Enterprise Quadrant Architecture
[Diagram: End User and Network; Operating System Layer (Systems Programs, Systems Memory); Application Layer (User Programs, User Memory); Resources (Printers, DASD)]
Our Strategy: Interactively Scan the OS Layer
Operating System Layer

- IBM's Statement of Integrity is the basis for z/OS Enterprise Security Management
- The Statement of Integrity is the reason Security is possible in the Enterprise
- All Security Programs must reside in the OS layer
  - This includes Application Security programs
- External, independent code validation is essential both for software development best practices and for controlling the enterprise security risk associated with the deployment of third-party applications:
  - During internal application development and deployment
  - When maintenance or a new version of software is deployed
- z/Assure VAP provides accurate results without modification to your operating environment, organization, or processes, and ensures z/OS System Integrity is maintained
Our Strategy: Interactively Scan the OS Layer
Operating System Layer Vulnerabilities

- Code vulnerabilities allow security to be bypassed; information is compromised
- z/OS Clients believe that their External Security Managers (ESMs: ACF2, RACF, Top Secret) are adequately protecting mission-critical platforms, third-party applications and information
- However, ESMs cannot:
  - Identify code vulnerabilities in the z/OS layer
  - Identify when code vulnerabilities are exploited
  - Remediate the code vulnerabilities
Overview of z/Assure VAP
Detailed and In-depth Analysis

Accurate
- Dynamic code scanning in a run-time environment of the:
  - z/OS layer
  - Third-Party Software
  - Internally written exits and software
  - Application code running in the OS layer

Simple
- Does not require any manpower overhead to run
  - Executes in a hardened environment, not production
  - Delivers immediate results

Precise
- Delivers concise reporting
  - Developers know exactly where to go to fix the vulnerability
  - Management knows the immediate risk associated with each vulnerability
In Summary

- z/Assure VAP uses IAST to scan the OS layer to identify code vulnerabilities (many of which are zero-day vulnerabilities)
- The problem is compounded by poor application security architectures which reside in the application layer
- To date, z/Assure VAP has found over 130 z/OS code vulnerabilities with CVSS scores of 8.4 and higher!
- December 2013: a Major Financial Services Company installed z/Assure VAP on z/OS 1.13; 15 vulnerabilities found with an average CVSS score of 8.4