21-07-2012, 12:53 PM
SPICE Security open pages Integrated grace Environment
SPICE.docx (Size: 843.05 KB / Downloads: 51)
OpenPages
OpenPages®, an IBM company, is a leading provider of integrated governance, risk, and compliance (GRC) solutions for global corporations. OpenPages provides software that helps companies more easily identify and manage risk and compliance activities across the enterprise, enabling them to increase insight and focus on business performance while avoiding unexpected outcomes.
Rational AppScan
Rational AppScan Standard Edition automates vulnerability testing to help protect against the threat of cyber-attack with a solution that combines dynamic analysis, static JavaScript analysis and ease of use.
• Enables comprehensive automated testing of Web applications for vulnerabilities with hybrid analysis – the combination of dynamic and static testing in a single solution
• Automates dynamic (black box) security testing for emerging Web vulnerabilities including Web Services, Web 2.0 and Rich Internet Applications (JavaScript, Ajax and Adobe Flash)
• Includes JavaScript Security Analyzer for advanced static (white box) analysis of client-side security issues, such as DOM-based cross site scripting and code injection
• Scans Web sites for embedded malware and links to malicious or undesirable sites
• Provides customization and extensibility with the AppScan eXtension Framework, which allows the user community to build and share open source add-ons
• Includes regulatory compliance reporting templates with 40 out-of-the-box compliance reports, including PCI Data Security Standard, Payment Application Data Security Standard (PA-DSS) (new), ISO 27001 and ISO 27002 (new) and Basel II
2. Architecture
The following picture tries to show the target architecture being aimed for. It envisages OpenPages as the top tier of the security framework, taking care of security in all operational domains such as application security, data security, network security, endpoint security, and identity & endpoint security. IBM also has various security products in all these domains. The aim is to integrate all these products with OpenPages so that there is an integrated view of the organization's security and of its compliance with regulations such as SOX and PCI.
This integration should be done in two steps. First, we should be able to map the rules defined in OpenPages into policies in the respective products. Second, we should get feedback from the products into OpenPages about the effectiveness of the policies defined.
This will help us to continuously monitor the organization, provide real-time visibility of its security and identify gaps in the security more quickly.
3. Use Cases
Three use cases are defined to represent the three major functions of the OpenPages software. They are:
• KPI Evaluator
• Automated Control Testing
• KRI Calculator
The data can be introduced and executed in OpenPages using the ObjectManager, which takes properly formatted XML files to create the appropriate values.
3.1 KPI Evaluator
The aim of this use case is to show how we can track the performance of the assets defined in OpenPages. An asset could be anything: a server, a piece of software, an infrastructure component, etc. Here we have taken a piece of software, Tivoli Identity Manager (TIM), as the asset. We have to track the progress of its adoption into the existing software environment.
For this we have chosen to measure the number of services being run on TIM as a percentage of the total number of services the organization provides.
A KPI contains the following features in OpenPages:
• Name
• Target value
• Threshold value
• Frequency
The TIM API should be accessed to find out the number of services being run by TIM, and the total number of services is read as a property from a .properties file.
The code that fetches the number of services from TIM and calculates the percentage will be executed according to the frequency defined in the KPI above.
If the percentage is less than the threshold value, an issue will be created in OpenPages and sent to the appropriate authorities.
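As an added example (not code from the SPICE document, from OpenPages or from TIM), the KPI check described above in Python: the TIM lookup is an injected callable, the total number of services is read from a parsed .properties string, and the issue that OpenPages would receive is modelled as a plain dict. The property key total.services, the issue field names and the sample numbers are all assumptions constructed for this example.

```python
# Added example, not code from the SPICE document or IBM products: a KPI
# evaluator modelled on the "services running on TIM" KPI. The TIM API lookup
# is an injected callable and the OpenPages issue is a plain dict (assumptions).
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class KPI:
    name: str
    target_value: float     # desired percentage of services on TIM
    threshold_value: float  # percentage below which an issue is raised
    frequency: str          # e.g. "WEEKLY"; consumed by the scheduler, not here


def parse_properties(text: str) -> Dict[str, str]:
    """Parse a Java-style .properties file: key=value or key:value lines,
    '#'/'!' comment lines, surrounding whitespace ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The first '=' or ':' separates the key from the value.
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            continue
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def evaluate_kpi(kpi: KPI, services_on_tim: int, total_services: int) -> Tuple[float, Optional[dict]]:
    """Return (percentage, issue); issue is None when the KPI meets its threshold."""
    if total_services <= 0:
        raise ValueError("total.services must be a positive number")
    if services_on_tim < 0 or services_on_tim > total_services:
        raise ValueError("services on TIM must lie between 0 and the total")
    percentage = 100.0 * services_on_tim / total_services
    if percentage >= kpi.threshold_value:
        return percentage, None
    # Below threshold: build the issue that would be created in OpenPages
    # (field names are assumptions, not the OpenPages schema).
    issue = {
        "kpi": kpi.name,
        "measured": round(percentage, 2),
        "threshold": kpi.threshold_value,
        "target": kpi.target_value,
        "description": f"{kpi.name} at {percentage:.1f}% is below threshold {kpi.threshold_value}%",
    }
    return percentage, issue


def run_kpi_check(kpi: KPI, fetch_tim_service_count: Callable[[], int], properties_text: str):
    """One scheduled run: count services on TIM, read the total from the
    properties text, and evaluate the KPI."""
    total = int(parse_properties(properties_text)["total.services"])
    return evaluate_kpi(kpi, fetch_tim_service_count(), total)


# Constructed sample input standing in for the .properties file.
SAMPLE_PROPERTIES = """# constructed sample
total.services = 40
"""


def sample_tim_service_count() -> int:
    """Stand-in for the TIM API call; pretends TIM reports 12 services."""
    return 12


if __name__ == "__main__":
    kpi = KPI("TIM adoption", target_value=80.0, threshold_value=50.0, frequency="WEEKLY")
    pct, issue = run_kpi_check(kpi, sample_tim_service_count, SAMPLE_PROPERTIES)
    print(f"{pct:.1f}%", issue)
```

The frequency field is deliberately not acted on here: whatever scheduler runs `run_kpi_check` reads it. Rejecting a missing or zero total.services up front matters because a silent division error or a default of 0% would either crash the scheduled job or raise a spurious issue every cycle.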
3.2 Automated Control Testing
The aim of this use case is to show that some of the tests defined in OpenPages can be automated, increasing both the effectiveness of the tests and the frequency at which they are conducted.
A test is defined within OpenPages with the following attributes.
• Test Frequency
• Test Performed By
• Acceptable Level
Here we have taken background verification as an example test. In this test we check how many database administrators have background verification.
We have to get this test from OpenPages, which will give us an XML string with all the above information. We have to parse this information from that string and use it to find out the frequency with which we should conduct the test. Once we know that, we schedule the test to run according to its frequency.
When the test is executed, the code first fetches the list of database administrators from TIM, which holds the list of all employees and their responsibilities, using the TIM web API. Then we search the background verification database for each administrator and find out whether any of them do not have a background check. These are added to an exception list. We compute the score as
Score = number of verified administrators / total number of administrators.
After executing the test we check whether the score is above or below the Acceptable Level. Then we create the TestResult object in OpenPages and associate it with the test above. The TestResult object will contain the following information.
• Test Performed By
• Test Result (Pass/Fail)
• Date Performed
• Exceptions (if any)
• Test associated with
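As an added example (not code from the SPICE document, from OpenPages or from TIM), the automated background-verification test in Python, covering the three steps above: parsing the test definition out of an XML string, computing the score over the database administrators, and building the TestResult record with the fields listed. The XML layout of the test definition, the employee records standing in for the TIM web API response, the verification lookup and the frequency-to-days table are all constructed assumptions, not the OpenPages or TIM schemas.

```python
# Added example, not code from the SPICE document: the automated background-
# verification control test. The XML layout, the TIM employee records and the
# verification records are constructed assumptions for this example.
import xml.etree.ElementTree as ET
from datetime import date
from typing import Dict, Iterable, List, Set

# Constructed test definition, in a layout assumed for this example.
TEST_DEFINITION_XML = """<test name="Background Verification">
  <attribute name="Test Frequency">QUARTERLY</attribute>
  <attribute name="Test Performed By">Security Compliance</attribute>
  <attribute name="Acceptable Level">0.95</attribute>
</test>"""

# Assumed mapping from the frequency attribute to a scheduling interval.
FREQUENCY_DAYS = {"DAILY": 1, "WEEKLY": 7, "MONTHLY": 30, "QUARTERLY": 91, "YEARLY": 365}


def parse_test_definition(xml_text: str) -> dict:
    """Extract the test name, frequency, performer and acceptable level."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("name"): (a.text or "").strip() for a in root.findall("attribute")}
    frequency = attrs["Test Frequency"].upper()
    if frequency not in FREQUENCY_DAYS:
        raise ValueError(f"unknown test frequency: {frequency}")
    return {
        "name": root.get("name"),
        "frequency": frequency,
        "interval_days": FREQUENCY_DAYS[frequency],   # what the scheduler uses
        "performed_by": attrs["Test Performed By"],
        "acceptable_level": float(attrs["Acceptable Level"]),
    }


def run_background_verification_test(definition: dict,
                                     employees: Iterable[Dict[str, object]],
                                     verified_ids: Set[str],
                                     performed_on: str) -> dict:
    """Score = verified administrators / total administrators, then build the
    TestResult record. performed_on is an ISO date string (validated)."""
    date.fromisoformat(performed_on)  # raises ValueError on a malformed date
    admins = [e for e in employees if "Database Administrator" in e["responsibilities"]]
    # Administrators with no background check go on the exception list.
    exceptions: List[str] = sorted(str(e["id"]) for e in admins if e["id"] not in verified_ids)
    # With no administrators the control has nothing to check and scores 1.0.
    score = (len(admins) - len(exceptions)) / len(admins) if admins else 1.0
    return {
        "Test Performed By": definition["performed_by"],
        "Test Result": "Pass" if score >= definition["acceptable_level"] else "Fail",
        "Date Performed": performed_on,
        "Exceptions": exceptions,
        "Test associated with": definition["name"],
        "Score": score,
    }


# Constructed employee list standing in for the TIM web API response.
SAMPLE_EMPLOYEES = [
    {"id": "e101", "responsibilities": ["Database Administrator"]},
    {"id": "e102", "responsibilities": ["Database Administrator", "Backup Operator"]},
    {"id": "e103", "responsibilities": ["Help Desk"]},
    {"id": "e104", "responsibilities": ["Database Administrator"]},
    {"id": "e105", "responsibilities": ["Database Administrator"]},
]
# Constructed background-verification records: IDs with a completed check.
SAMPLE_VERIFIED_IDS = {"e101", "e102", "e103", "e105"}

if __name__ == "__main__":
    definition = parse_test_definition(TEST_DEFINITION_XML)
    result = run_background_verification_test(definition, SAMPLE_EMPLOYEES,
                                              SAMPLE_VERIFIED_IDS, "2012-07-21")
    print(definition["interval_days"], "day interval;", result)
```

With the constructed data, four of the five employees are database administrators and one of them (e104) has no verification record, so the score is 0.75, below the 0.95 Acceptable Level, and the result is Fail with e104 on the exception list. The definition string is treated as trusted because it comes from OpenPages itself; if such XML were ever accepted from a less trusted source, parse it with defusedxml rather than the standard library parser.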