IBM Pitches Code, Network Security


Security threats continue to grow, year after year, which is why IBM continues to evolve its security portfolio. At this week's RSA security conference, which kicked off Monday, IBM rolled out a series of new security products designed to help secure enterprises from the application code level all the way to deployment.

Among the new tools and services being announced by IBM is a new static source code analysis solution, a secure Web gateway service as well as a managed firewall and unified threat management service.

"Security is constantly evolving, so there is always a need for innovative new tools to help, but definitely one of the key challenges, especially in application security, is awareness and adoption," David Grant, director of security and compliance solutions at IBM Rational, told "What we have clearly noticed as a top adoption challenge in application security is the fact that developers, testers and outsourced providers need security tools in their ... environment and not an add-on."

One of those new tools is the IBM AppScan Source Edition, which is the first Ounce Labs product under IBM that does static analysis. IBM acquired Ounce Labs in July 2009 and has been working on integrating the Ounce Labs technology ever since.

Application security a priority

"In the race to stay ahead, many companies fail to give application security the attention and priority it needs," Grant said. "IBM goes to great lengths to ensure that security is woven into the very fabric of an organization's infrastructure. The static analysis technologies acquired from Ounce Labs are further helping us to offer organizations the ability to design these products and services securely, from the ground up."

The AppScan Source Edition differs from other versions of AppScan, which focus on dynamic analysis for penetration testing. IBM acquired the AppScan technology from Watchfire in 2007 and has since updated it to protect against Flash and other AJAX vulnerabilities.

"Currently, we have introduced the first phase of our integrated hybrid testing (code and app analysis) and it does require two different AppScan editions," Grant said. "We will continue to integrate the technologies to provide the most accurate application security testing solution. We have not made decisions on combined packaging at this point."

IBM rival HP recently took the wraps off its own partnership effort to provide a hybrid static and dynamic analysis solution together with Fortify. As is the case with the IBM solution, the HP/Fortify approach also requires two separate products.

Managed IBM security for Web gateways, firewalls

IBM also today unveiled a new secure Web gateway service, which is an IBM Managed Security Service (MSS) offering that supports secure Web gateway appliances -- specific types of security devices that perform Web content filtering, proxy/caching, application control, SSL, ICAP and Directory Service integration. Providing MSS for such appliances represents a new area for IBM, but one in which it said there's a real need to extend managed security.

"We provide 24/7/365 monitoring and management of a client's secure Web gateway devices," Greg Adams, director of security product management at IBM, told

Additionally, IBM today introduced the IBM Managed Firewall Service and IBM Unified Threat Management Service (UTM), a bundled offering that delivers IBM Managed Security Services for enterprise users of Check Point firewall and unified threat management device platforms.

"IBM Managed Security Services-Secure Web Gateway Management is the MSS service associated with that type of device," Adams said. "Managed Firewall is the equivalent for firewalls, and IBM MSS for Unified Threat Management service is equivalent for unified threat management devices."

Adams added that the most critical feature of the IBM Managed Firewall Service and MSS for UTM service may be one of its least obvious: its right-to-use agreement.

"This means the client does not have to outlay a capital expense for the hardware and software -- they can take it as an operational expense billed monthly," Adams said.

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.