IBM Software IBM Security Solutions
Web application security with IBM Security Solutions Enhance your IT security investment with robust web application protection
Designed to deliver the full protection of a web application firewall through network and server intrusion prevention solutions
Offers proactive web application, Web 2.0 and database protection to limit potential business interruptions and exposures
Integrates with IBM Rational® AppScan® to automatically generate recommended security policies for your specific web application vulnerabilities identified by AppScan
Helps meet regulatory compliance requirements and industry standards, including PCI DSS
Fortifying your IT security solution with protection for web applications Web applications can help foster closer interactions with your customers and improve collaboration with your employees. During the past several years, however, the number of web-related threats to enterprises of nearly all sizes has risen sharply. About half of these attacks targeted web applications. Even more alarming, by year-end 2009, two-thirds of all disclosed web application vulnerabilities had no patch available. Two signiﬁcant areas of vulnerability, Structured Query Language (SQL) injection attacks and Cross Site Scripting (XSS) attacks, dominated the attack landscape in 2009.1 These growing areas of targeted attacks on sensitive information exploit websites by altering back-end code to manipulate data entered by users and exploits the trust relationship between users and the websites they visit. The increase in attacks is due in part to the sheer number of web applications being developed—a number that is skyrocketing. In spite of their potential, the interactive nature of these new, collaborative techniques for sharing information makes them highly susceptible and vulnerable to attacks. To help protect your business—and reputation—you need to ﬁnd ways to enhance your company’s security solutions. With web application protection built into the core IBM intrusion prevention engine, IBM offers the same security as a web application ﬁrewall to address web-related vulnerabilities and strengthen your security posture. Integrated into the latest models of the IBM Security family of network and server security products, this feature can help you control attacks at the network, gateway and server levels.
IBM Software IBM Security Solutions
In addition to enhancing web application protection, the PAM engine that fuels the IBM Security network and server protection product lines also provides a unique combination of proactive security methods, including:
Backed by the security expertise of the IBM X-Force® research and development team, we employ a unique protocol analysis module (PAM) as the core technology of solutions to help provide deep-packet inspection. Coupled with the sophisticated security capabilities of IBM WebSphere® DataPower® appliances, including policy enforcement, ﬁne-grained authentication and authorization, advanced XML threat protection and accelerated Secure Sockets Layer (SSL) processing, this solution helps identify intrusions and assists in blocking malicious packets sent to web applications and back-end databases.
Rather than purchasing a stand-alone web application ﬁrewall, you can take advantage of web protection that is already enabled in trusted IBM Security Solutions, such as: ●
IBM Security Network Intrusion Prevention System2, which helps enable preemptive protection against a wide variety of Internet threats IBM Security Server Protection products, which help keep data and applications reliable, available and conﬁdential by providing automated, near real-time intrusion protection and detection by analyzing events, host logs and inbound and outbound network activity on critical enterprise servers IBM Security Virtual Server Protection, which limits access to critical data, tracks user access, reports on the virtual infrastructure and provides defense-in-depth, dynamic security with VM rootkit detection and virtual infrastructure auditing and monitors traffic with VMsafe integration.
IBM Virtual Patch® technology—Shielding vulnerabilities from exploitation, independent of a software patch. Client side application protection—Protects end users against attacks targeting applications used everyday such as Microsoft® Office ﬁles, Adobe® PDF ﬁles Multimedia ﬁles and web browsers. Advanced network protection—Advanced intrusion prevention including DNS protection. Data security—Monitoring and identiﬁcation of unencrypted personally identiﬁable information (PII) and other conﬁdential data. Web application security—Protection for web apps, Web 2.0 and databases (same protection as web application ﬁrewall). Application control—Reclaim bandwidth and block Skype, peer-to-peer networks and tunneling.
IBM Protocol Analysis Modular Technology DNS
APPLICATION CONTROL FEATURING
VIRTUAL PATCH ®
Client-side Application Protection
Web Application Protection
Threat Detection and Prevention
The IBM protocol analysis module (PAM) drives security convergence to deliver network and server protection that goes beyond traditional IPS. With its modular architecture that allows for extensible protection, PAM now includes web protection technologies.
IBM Software IBM Security Solutions
IBM Web application ﬁrewall capabilities inside our intrusion preventions solutions help address the primary sources of attack for:
Eliminating the need to purchase and manage a separate web security point product By embedding enhanced security capabilities into the core engine of the latest models of our intrusion prevention products, IBM can help you avoid the added cost and complexity of maintaining stand-alone web application ﬁrewalls. Each of our solutions runs a unique injection logic engine (ILE) to give your network, server and web applications a proactive level of protection—a signiﬁcant advantage over typical security solutions. If you’re already using the latest network and server intrusion prevention solutions from IBM, the capability to provide robust protection speciﬁcally for your web applications is already there. So there’s no need to make an additional technology investment, and you can manage the entire solution from a single IBM Proventia® Management SiteProtector system or through IBM Managed Security Services.
Delivering holistic web app security by integrating pro-active protection with vulnerability management IBM delivers a holistic approach to web application security by integrating threat mitigation solutions from network IPS and server protection with vulnerability management from IBM Rational AppScan via a common management platform in IBM Security SiteProtector System. In addition to serving as a command and control console for network and server protection, SiteProtector integrates with AppScan to report on web application vulnerabilities, manage resolution of those vulnerabilities and provide automated policy recommendations to help block attacks against those speciﬁc vulnerabilities identiﬁed by AppScan.
Providing a proactive approach to web protection Using the ILE as leverage, IBM Security intrusion prevention solutions with the full security of a web application ﬁrewall helps block attacks on your web applications. The ILE helps preempt injection attacks by calling out unique patterns not usually seen in valid web requests. By totaling and scoring speciﬁc keywords and symbols, the ILE can detect and subsequently block SQL injection attacks. Instead of reacting to security breaches after they’re discovered, the ILE takes an attack stance toward injections. Through its comprehensive list of SQL syntactic cues, the ILE helps protect your system by: ●
Web applications—helps block shell command injections, server-side include (SSI) injections, cross-site scripting (XSS) and directory traversal Databases—helps block SQL, Lightweight Directory Access Protocol (LDAP) and XML Path Language (XPath) injections Web 2.0—helps block Java™ Script Object Notation (JSON) hijacking, potential cross-site request forgery (CSRF) attacks and advanced cross-site scripting techniques
Easing compliance efforts while helping to protect your data—and your reputation IBM Web application ﬁrewall capabilities help you more easily manage compliance requirements and industry regulations, such as those required by the Payment Card Industry (PCI) Data Security Standard (DSS) 6.6. This standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures essential to maintaining a security-rich environment for your customers’ payment card transactions. At
Evaluating and scoring parameter values Blocking requests that exceed the scoring threshold Flagging particular keyword combinations to identify what type of SQL injection is occurring
This proactive approach to web application security is atypical of many web protection solutions, which merely audit attacks and react to them.
the same time you gain greater protection for your data, you are also safeguarding your reputation. IBM makes it easier to manage compliance with PCI DSS 6.6 by including the same full security of a web application ﬁrewall in our broad portfolio of IPS solutions. © Copyright IBM Corporation 2010
IBM Corporation Software Group Route 100 Somers, NY 10589 U.S.A.
IBM Web application security is designed to provide a costeffective solution to help fortify your web applications against security exposures. This solution leverages our own X-Force team of security experts, who evaluate vulnerabilities and security issues, develop assessments and countermeasure technology for IBM Security products and educate the public about emerging Internet threats.
Produced in the United States of America July 2010 All Rights Reserved IBM, the IBM logo, ibm.com and Rational are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their ﬁrst occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml
When exposures can compromise your data, jeopardize your reputation or even shut down your business, IBM Web application security can help provide you with coverage that does not require an additional purchase or installation of a stand-alone web application ﬁrewall. And you can also leverage the skills and experience of IBM Professional Security Services to help you assess your security capabilities, then plan for, design and deploy an optimal solution for your IT and business needs.
Adobe is a registered trademark of Adobe Systems Incorporated in the United States, and/or other countries. Java is a trademark of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft is a trademark of Microsoft Corporation in the United States, other countries, or both.
We also offer managed protection services to monitor and manage your environment to help take this burden off of your staff. In addition, IBM Rational AppScan products and services can perform a security risk analysis of your web applications. The IBM portfolio of products and services helps you focus on new business initiatives with less worry over where your vulnerabilities lie and how to protect them.
Other product, company or service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates. Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. Any statements regarding IBM’s future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
For more information To learn more about IBM Web application security, please visit: ibm.com/security
The customer is responsible for ensuring compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identiﬁcation and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the reader may have to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law or regulation. 1
2009 IBM X-Force Trend & Risk Report.
IBM web application security is embedded into the MX and GX models of the network IPS product lines.