IBM Boosts Secure Development Practices

IBM this week announced multiple initiatives and software updates to help organizations build security into their software development practices, applications, Web services, cloud projects, and portals.

"As customers drive new Web-based services and portal initiatives, they must balance the growing need for exposing data with the ability to provide secure access to these critical resources on a need-to-know basis," the company said in a statement.

Accordingly, IBM updated Tivoli Access Manager to provide centralized authentication, policy management, and access control services for cloud, service-oriented architecture, portal, and Web application environments.

Similarly, IBM also announced a new "Secure By Design" initiative, which combines a new IBM-developed framework for secure software engineering, backed by source code security testing tools, source code scanning assessment services, and identity and access management capabilities.

From its acquisition of security vendor Ounce Labs, IBM also introduced a new Web application security tool, AppScan Source Edition, meant to help developers spot and remediate Web application vulnerabilities before code moves into beta or general release.

According to a study conducted last year by IBM researchers, Web applications accounted for 49% of all software vulnerabilities in the wild. For two-thirds of those vulnerabilities, however, no patch existed. Unfortunately, these vulnerabilities are often easily accessible to attackers, since the software runs online.

For years, software experts have known that the most cost-effective way to secure software is by specifying it at the start of a project, and making it an integral part of the software development lifecycle. Historically, however, many software development houses -- driven by time-to-market or cost-control concerns -- have skimped on security planning, and when they do attempt to secure their software, bolt it on after the fact, which costs more and is typically less effective.

But according to the Open Web Application Security Project, which tracks Web application vulnerabilities, many if not all of today's top vulnerabilities -- e.g., SQL injection, cross-site scripting attacks, broken session management, and failure to restrict URL access -- can be prevented simply by more rigorously designing and testing code, before the software ships.