IBM aims at securing Internet-exposed apps

Big Blue unveils tools and services for reducing risks of developing for and working in SOA and cloud computing environments

IBM today announced a host of offerings geared toward bolstering the security of the new generation of applications and services that fit into interconnected, vulnerability-prone SOA and cloud computing environments.

Among Big Blue's announcements at its Innovate 2010 conference are updates to the Tivoli Access Manager family, designed to help organizations provide centralized authentication, policy management, and access control services across cloud computing, SOA, portal, and Web-app environments. The idea here is to extend the type of broad, centralized security control IT admins have over internal applications to Web-based offerings, such as or Google Apps.


This approach, according to IBM, saves IT admins the headaches of having to manage security policies for users on a service-by-service or app-by-app basis. Rather, admins can create and manage policies for groups or individuals in a granular fashion from a central location while giving users single sign-on simplicity to access all of their services, apps, and data -- whether hosted internally or by a provider.

Additionally, IBM has introduced AppScan Source Edition, which is designed to scan applications for security vulnerabilities and compliance risks during the development process, rather than once the apps have gone live. The traditional "bolt-on" approach of adding security to systems once they're developed or implemented isn't effective, according to IBM, and fixing apps after the fact is far more costly than making them secure from the start.

Built on technology that IBM secured with its acquisition of Ounce Labs, AppScan Source Edition supports several development languages, plus the ability to manage more than 1 million findings and integrations, useful for compliance reporting and better collaboration.

Complementing AppScan Source Edition, IBM is also launching a new Application Source Code Security Assessment service, aimed at organizations that lack in-house application security know-how or otherwise prefer to outsource such assessments. Through the service, IBM consultants test applications, identify security and compliance risks, and provide detailed recommendations to address any problems.

Finally, IBM has made available a free paper titled "Security in Development: The IBM Secure Engineering Framework," which provides Big Blue's prescribed best practices around security for developing Internet-exposed applications, services, and products. The goal of this framework, according to IBM, is to enable greater collaboration with others in the industry, standards bodies, and governments around the world to refine how organizations approach security.

This article, "IBM aims at securing Internet-exposed apps," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

Copyright © 2010 IDG Communications, Inc.