Our Vulnerability Scanning Program




Our Vulnerability Scanning Program: Interactive Code Scanning

KRI's z/OS Interactive Code Scanning strengthens an organization's enterprise security by:
- Providing Interactive Application Security Testing (IAST) of the operating system, third-party software, and homegrown software and exits
- Classifying the source and types of z/OS code vulnerabilities found (including CVSS scoring)
- Detailed reporting which pinpoints the exact location of the identified code vulnerability
- Ensuring that all code residing within the OS layer meets IBM standards for System Integrity

z/Assure VAP, using proprietary Intellectual Property (IP), can:
- Be licensed and used as a packaged solution to continuously test for vulnerabilities on a regular basis
- Be used as part of the infrastructure update/quality assurance process whenever configurations change
- Be used as part of a penetration test in combination with a compliance audit
- Be used as part of an application security audit

Our Third-Party Program: Third-Party Software Testing

KRI's Third-Party Software Testing Program strengthens a vendor's compliance with IBM's standards for System Integrity by:
- Automatically scanning and attesting to the security posture of each program in the software package
- Recommending resolutions which empower developers to remediate vulnerabilities and produce secure software

Third-party vendors can:
- License z/Assure VAP to use as a packaged solution to continuously test for vulnerabilities on a regular basis as part of their QA or Continuous Improvement processes
- Send software packages to KRI for evaluation as part of a sales cycle to meet contractual obligations with an enterprise
- Establish independent proof of security excellence to their clients

Our Strategy: Secure Data, Not Applications

Components in an Enterprise Quadrant

Operating System (OS) layer:
- End Users have NO direct control over system programs (services) or system memory
- The OS facilitates communication between End Users, the Application layer, and Resources
- Access to the Application layer is through the OS layer

Application layer:
- The End User has control of which user programs to execute, can modify the user programs, and can allocate, modify, and free user memory
- Each End User has their own Application layer (address space)
- All End Users share the OS layer

Resources (such as printers, DASD, and other nodes in the network):
- Accessed by the Application layer through the OS layer

Enterprise Quadrant Architecture (diagram): End User; Network; Operating System Layer (Systems Programs, Systems Memory); Application Layer (User Programs, User Memory); Resources (Printers, DASD)

Our Strategy: Interactively Scan the OS Layer

Operating System Layer
- IBM's Statement of Integrity is the basis for z/OS Enterprise Security Management
- The Statement of Integrity is the reason security is possible in the enterprise
- All security programs must reside in the OS layer; this includes application security programs
- External, independent code validation is essential both for software development best practices and for controlling the enterprise security risk associated with the deployment of third-party applications

z/Assure VAP provides accurate results without modification to your operating environment, organization, or processes, and ensures z/OS System Integrity is maintained:
- During internal application development and deployment
- When maintenance or a new version of software is deployed

Our Strategy: Interactively Scan the OS Layer

Operating System Layer Vulnerabilities
- Code vulnerabilities allow security to be bypassed, and information is compromised
- z/OS clients believe that their External Security Managers (ESMs: ACF2, RACF, Top Secret) are adequately protecting mission-critical platforms, third-party applications, and information

However, ESMs cannot:
- Identify code vulnerabilities in the z/OS layer
- Identify when code vulnerabilities are exploited
- Remediate the code vulnerabilities

Overview of z/Assure VAP: Detailed and In-depth Analysis

Accurate: dynamic code scanning in a run-time environment of the:
- z/OS layer
- Third-party software
- Internally written exits and software
- Application code running in the OS layer

Simple: does not require any manpower overhead to run
- Executes in a hardened environment, not production
- Delivers immediate results

Precise: delivers concise reporting
- Developers know exactly where to go to fix the vulnerability
- Management knows the immediate risk associated with each vulnerability

In Summary

z/Assure VAP uses IAST to scan the OS layer to identify code vulnerabilities (many of which are zero-day vulnerabilities). The problem is compounded by poor application security architectures which reside in the application layer.

To date, z/Assure VAP has found over 130 z/OS code vulnerabilities with CVSS scores of 8.4 and higher!

December 2013, a major financial services company: installed on z/OS 1.13; 15 vulnerabilities found with an average CVSS score of 8.4.