IBM Rational AppScan tests Web 2.0-based applications for security threats on a continuous basis, helping to ensure the Web experiences they provide to customers are more secure from hackers, compliant with regulatory mandates, and meet business policies

February 5, 2009

PRESS RELEASE

ARMONK, NY -- February 4, 2009 -- IBM (NYSE: IBM) today announced new capabilities designed to address the security and compliance concerns of businesses creating dynamic and interactive Web sites. As companies infuse more Web 2.0 content into their global, online presence, they are seeing an increased risk of security vulnerabilities. Using IBM Rational AppScan, companies can now test Web 2.0-based applications to identify security vulnerabilities on a frequent basis, helping to make the Web experiences they provide to customers more secure from hackers. The new features also enhance customers' abilities to address regulatory mandates and meet business policies.

Helping to Secure Online Businesses from Web 2.0 and SOA Vulnerabilities

According to the newly released 2008 IBM X-Force Trend Report, Web applications remain the Achilles heel for the security industry. In fact, more than half of all vulnerabilities disclosed in 2008 were Web application based. Many of these vulnerabilities can be prevented or avoided by taking a preemptive approach to security.

Despite these shortcomings, companies increasingly rely on their Web presence to serve as the face of their business, drive collaboration and community-building, and generate new opportunities in today's global economy. To remain competitive, organizations are using a new set of Web 2.0 capabilities, derived from technologies such as the Adobe Flash platform, or Ajax (Asynchronous JavaScript and XML), to create interactive and graphically rich Web sites. However, due to the dynamic and changing nature of these technologies, companies are facing new challenges for meeting the compliance and security needs of their online businesses.

Hackers and other cyber criminals target Web 2.0 technologies because of their prevalence across the Web. With IBM Rational AppScan Standard Edition 7.8, IBM is introducing new functionalities that enable companies to scan and test rich, Flash-based Web content and applications for security defects before the content is deployed. This new software can also scan Web sites built with Ajax technology.

"The use of Adobe Flash Platform technologies in the enterprise is increasing, and software such as IBM Rational AppScan can help content creators take a preemptive approach to security," said Brad Arkin, director, Adobe Secure Software Engineering Team at Adobe. "By scanning and testing code for potential issues in the early development stages, companies can help prevent security and compliance problems before they ever happen."

For companies that are concerned that their Web services will face the same vulnerabilities as their Web applications, the new version of IBM Rational AppScan now also supports complex Service Oriented Architecture (SOA) applications. This new technology from IBM provides organizations with the ability to scan their critical Web services, representing a significant step forward in the testing support available for SOA environments.

Managing the Ongoing Risk of Compliance and Security

IBM today also announced new risk assessment capabilities in this new version of IBM Rational AppScan. The new features help customers better understand where security vulnerabilities are located and suggest an action plan to minimize further risk. According to IBM research, 80% of users' time is spent on managing the results of security scans.* Even after an issue is identified, users might have trouble understanding the issue, validating whether it really exists, determining how severe it is, and communicating it to other teams who can help fix the problem. With IBM Rational AppScan, customers will save valuable time and money by receiving results that are communicated in a common language that non-security experts understand.

Through new production monitoring capabilities delivered with IBM's Rational AppScan OnDemand offering, users can also catch and be alerted to vulnerabilities, making it easier and quicker to repair flaws and remain compliant. This is especially critical for organizations that make frequent changes to their Web site, and that have an increased need to scan for security vulnerabilities on a regular basis. For instance, a large company that updates its Web site every 15 minutes can now automatically scan its online application four times per hour (i.e. 96 times per day), helping to create a safer online experience for its customers.

Additionally, security alerts can be sent to mobile devices as they occur, allowing customers to quickly fix vulnerabilities. Previously, security experts would only test applications before they went into production, which would not address the further risks posed after deployment. Today, speed and responsiveness are crucial when dealing with dynamic applications, given the time and money that organizations can lose due to failing to meet compliance mandates or exposing their customers' data to hackers. With IBM Rational AppScan OnDemand, customers now can have confidence that they can continuously act to protect their Web sites and manage compliance risks.

Addressing Security and Compliance throughout the Lifecycle

Customers can also lower costs by implementing security testing throughout the entire software delivery lifecycle, from development through the post-production phase. Bug-ridden, poor quality software costs businesses billions of dollars annually** and the cost of identifying and repairing a software defect in a product that is already being used by consumers can cost upwards of $16,000*** for each defect. By integrating IBM Rational AppScan Tester Edition into the recently released IBM Rational Quality Manager, teams can build security and compliance testing into the software development and delivery process, avoiding many problems that can be extremely costly to fix at a later point in the software delivery lifecycle.

"We're witnessing a trend with governments mandating that organizations deliver software built with security-tested code. Clearly, application security is moving towards being a compliance requirement, not just a best practice," said Dr. Daniel Sabbah, general manager, IBM Rational Software. "It's more crucial than ever for customers to treat security and compliance as a top priority. By offering customers the ability to infuse continuous security testing into their Web 2.0 and SOA application development, IBM can help them reduce cost, manage risk and provide better online experiences for consumers."

IBM Rational offers security solutions that span across all areas of application delivery, including the development, testing, deployment and operational phases. To learn more about IBM Rational's security solutions, please visit: http://www.ibm.com/software/rational/offerings/websecurity/.

*IBM internal study.

**According to a 2002 report from the U.S. Commerce Department's National Institute of Science and Technology (NIST).

***Applied Software Measurement, Caper Jones, 1996.

AppScan is designed to identify a variety of potential security and compliance issues in web applications. It does not test all vulnerabilities or compliance risks, nor does it act as a barrier to security attacks. IBM does not represent or warrant that AppScan will provide complete security vulnerability or compliance information or that your web application is secure or compliant. The information provided by AppScan does not constitute legal advice. The security or compliance of your website, and any remedial actions, are your responsibility alone, and you should seek your own legal advice. Security threats, regulations and standards continually change, and AppScan may not reflect all such changes.

Contact Faye Abloeser IBM [email protected] 908-770-0762
