This white paper provides a general framework your organization can use to create or build upon an application security program. It includes guidelines that can be useful at different stages of your security program’s maturity. By addressing key considerations, providing clear and actionable items, and offering real-world examples, these five steps provide an adaptable strategy to help your organization get started and maintain an effective, ongoing application-security strategy.

1. IBM Software
Thought Leadership White Paper
October 2012
Five steps to achieve success in
your application security program
Guidelines to help define your initiative, meet your goals and ensure
ongoing security

2. 2 Five steps to achieve success in your application security program
Contents
2 Introduction
2 Taking a smart approach to ensure long-term
application security
4 Step 1: Know where you are going
5 Step 2: Understand where you are today
6 Step 3: Create a plan
8 Step 4: Drive operational excellence
10 Step 5: Govern responsibly
11 Summary
11 For more information
11 About IBM Security Systems software
Introduction
For organizations developing applications today, security is not
an option. The constant threat of security breaches and the
potential loss of data, impact to business-critical systems and
damage to reputation drive an ever-increasing focus on applica-
tion security.
In fact, in 2011, the number and severity of worldwide security
breaches became great enough for the IBM® X-FORCE®
research and development team to declare 2011 the “Year of the
security breach.”1 High-profile incidents including data leaks,
denial-of-service attacks and others affected organizations across
a wide range of industries. Attacks such as these—many of which
target applications—have become a catalyst for organizations to
reevaluate their application security policies and practices.
In an attempt to prevent breaches and their resulting data
loss or systems and reputational damage, many organizations
are looking to implement programs focused on application
security. But they must first understand that there is no single,
one-size-fits-all application security solution. Organizations
looking to start programs, and even those that already have pro-
grams in place, need to make sure their application security pro-
grams are tailored to their specific business needs and adapted to
the risk levels associated with each application and its data.
A successful program needs to have not only the right focus, but
also a realistic timeframe. Application security is not something
that happens overnight. Taking a phased approach that starts
small and can be applied gradually across the enterprise is a sen-
sible method organizations can follow when launching a security
initiative.
This white paper provides a general framework your
organization can use to create or build upon an application
security program. It includes guidelines that can be useful at dif-
ferent stages of your security program’s maturity. By addressing
key considerations, providing clear and actionable items, and
offering real-world examples, these five steps provide an adapt-
able strategy to help your organization get started and maintain
an effective, ongoing application-security strategy.
Taking a smart approach to ensure
long-term application security
Providing data security is one goal that is virtually universal
throughout today’s business environment. Although most orga-
nizations strive to protect critical business data and prevent
potentially damaging security breaches, the prospect of taking

3. 3IBM Software
action and initiating an application security effort can be daunt-
ing. The technology that supports application development and
security plays an important role, but it cannot solve security
problems by itself. Organizations need to implement a strategy
with a clear and focused path to ensure success.
Application security programs must be adapted to an organiza-
tion’s specific needs, such as application types, potential security
risks and compliance requirements. These priorities should drive
the investment direction of the program, since the ineffective
pursuit of application security can easily become a financial
sinkhole. Organizations need to focus on finding cost-effective
ways to execute their initiatives.
Just as programs for application security can vary according to
specific business needs, the starting points for organizations can
vary according to the maturity of their security programs. In the
early phases of application security, some organizations may
simply want to understand more and see what their options are
going forward. Others may already have tried various programs
and methods but want to take their capabilities to the next step
and improve their program’s effectiveness.
Regardless of their stage of maturity, organizations across a
wide range of types and sizes can ensure application security
using the set of guidelines outlined in this paper. This
step-by-step strategy offers a phased approach that your
organization can roll out over time. Each step presents impor-
tant considerations, clear and actionable items, and potential
services or products you can use. Although these steps provide a
helpful framework, keep in mind that an application security
program takes time and can be a multi-year journey. Taking the
right approach can be well worth the time and effort and can
ensure continual efficiency and security improvements for your
program.
Figure 1: The five steps to achieve success in application security programs are designed for a wide range of organizations with varying levels of security
experience and are easily adaptable to help you meet your specific security and business goals.
Know where
you are
going
Understand
where you
are today
Create a
plan
Drive
operational
excellence
Govern
responsibly
1 month or more 1 to 3 months 2 to 4 months 1 to 2 years Ongoing
1 2 3 4 5
The journey to application security

4. 4 Five steps to achieve success in your application security program
Step 1: Know where you are going
Once you have decided to embark upon your journey toward
application security, your first instinct may be to immediately
start evaluating your organization’s applications and identifying
their security vulnerabilities. However, before diving in, you
need to have a firm grasp of the environment you are venturing
into. You don’t need to be a security expert on day one, but hav-
ing an understanding of the basic security landscape and the
nature of security threats can help you to be prepared.
Security threats and breaches come in many shapes and sizes,
ranging from SQL injection to Trojan horses to URL tamper-
ing. The types of breaches reported in the media today will
likely continue to evolve and fluctuate in frequency over time.
Techniques used by attackers also can change over time. And
their scope can vary to include broad attacks that may target the
entire Internet or highly targeted attacks that focus on breaking
into particular organizations. Attackers can use off-the-shelf
tools and common techniques, or highly customized tools and
sophisticated techniques that can exploit vulnerabilities before
anyone else is aware of them.
Understanding the common breaches and attacks relevant to
your organization is therefore an important part of your security
knowledge, as different industries tend to have different vulnera-
bilities. For example, in 2011, the financial industry faced a
much larger percentage of cross-site scripting (XSS) attacks than
injection attacks.1 Identifying the types of attacks common to
similar organizations in your industry can help give you a better
idea of what specific challenges you may be facing.
Compliance requirements also can present security challenges
that affect your applications. Regulations such as the Payment
Card Industry Data Security Standard (PCI DSS), the Health
Insurance Portability and Accountability Act (HIPAA) or the
Sarbanes-Oxley Act may require your applications to have
specific or additional security measures. Regulations may also
affect the security processes you adopt. For example, you may
need to produce reports documenting your compliance efforts.
It is also important to understand how your organization and
its overall structure relate to application security. You should
identify which of your teams and which individual roles are key
to the security program. This knowledge can also help you with
another critical step in your project—gaining executive sponsor-
ship. At this point, it is a good idea to start thinking about which
roles or groups will be able to support your project—an essential
step to get the initiative off the ground.
Things you can do:
●● Educate yourself: To learn more about the current security
environment and how threats and risks pertain to your
organization, you can take advantage of the many free online
resources, purchase web-based security training or hire an
expert to provide educational services. Many organizations
begin security programs with the assistance of a security
consultant who can help them prepare for the critical first
steps.
●● Understand your organization as it relates to application
security: Pinpoint who is in charge of application security in
your organization. To start, identify the chief information
security officer in your organizational chart. If your organiza-
tion does not have that role, look within the group of the chief
information officer and identify the group or groups respon-
sible for security.
●● Seek executive sponsorship: Having executive backing and
the budget to support your project along its journey is a must.
You will need to know who in your organization has the
ability to support your initiative, so now is a good time to start
making a convincing argument and a plan for your program.
Your organization as a whole needs to agree that application
security is an important issue, and having the right support
can help shape your security priorities to ensure the success
of your program.

5. 5IBM Software
Services you can use:
●● Security education: To learn more about security, you can
take advantage of publicly available training offerings and
resources, including the IBM Institute for Advanced Security2
and IBM web-based training offerings. If you require the
services of a consultant to help you through this step, the
IBM Professional Security Services team offers world-class
expertise, and IBM Business Partners also can provide
services.
Case study: Higher education
To provide proactive security for its web applications, a large
US university with 30,000 students launched an initiative to
address its application vulnerabilities. To ensure a successful
program, the university began by assessing its needs and
potential risks and created a simple list of requirements.
Primarily, the university wanted to avoid security breaches
that could result in negative media exposure. Another
goal was to reduce risks that could potentially impact the
university’s day-to-day operations. Addressing regulatory
requirements also was an important priority. By conducting a
thorough analysis of its security environment and goals, the
university provided the necessary foundation for its program,
which continued onward to significantly improve the security
of the university’s web applications.
Step 2: Understand where you are today
Whether you are new to application security or your organiza-
tion and its security staff are seasoned experts, understanding
where you currently stand on application security is another
important step along your project’s journey.
A large part of risk identification is knowing where data can be
lost or compromised. Your organization needs to know how data
enters applications, whether from user data entry, field selection
or other methods. Understanding the nature of the client—web
or mobile—is also important. You should identify the number
and type of application users, including public, authorized, inter-
nal and external. Knowing the importance of the application and
whether it is mission-critical can help you determine the priority
you will give to different components of your program.
Another part of risk identification is to understand the
nature of the data exposure your application may be allowing.
Understanding the types of data—such as non-critical informa-
tion or highly sensitive customer account information—and
knowing the types of authentication used to protect it can help
you determine how to address vulnerabilities.
Identifying the threat types—internal or external—can also help
you narrow your focus. Applications hosted within the organiza-
tion cannot be ignored, as internal users such as employees are
typically granted higher levels of access than external users.
However, external access points typically pose a larger threat to
organizations because they can expose the organization to
attacks from anywhere on the Internet. For example, a bank with
thousands of applications and multiple external interface points
can face numerous threats from external users who would steal
financial data or account information.
Things you can do:
●● Obtain or perform an application inventory: Taking an
inventory of all of your organization’s applications can be a big
task, but is worth the effort to help you know which applica-
tions you have and which ones need the most attention. To
identify who owns an application list or can create one,
determine who manages the web environment. In a larger
organization, you may need to contact individual lines of
business. Once you have a list of applications, determine
which person or group owns each one. You can keep track of
this in a simple spreadsheet or with an extensive database,
depending on the number or scale of your applications. Out of
these, identify the most important applications—such as those
that are public-facing—using your own tools or with the help
of a consultant.

6. 6 Five steps to achieve success in your application security program
●● Conduct a vulnerability assessment: Begin with one or two
applications and perform a vulnerability assessment. Using
dynamic analysis—testing how your applications respond to
attacks as the applications are running—can help you quickly
check all of the critical points in the application and in its
development process and help you generate a list of potential
vulnerabilities. Once these are known, perform a risk analysis
to identify the risk levels associated with each of the identified
vulnerabilities.
●● Identify key focus areas: After conducting an initial vulner-
ability assessment, organizations often find their applications
and development processes riddled with problems such as
XSS vulnerabilities. At this point, use your information from
the vulnerability assessment and decide which areas your
application security program needs to focus on. You may want
to show the results of your assessment and risk analysis to
your executive sponsor. These findings can be very useful to
help you and your sponsor generate support and funding for
your project.
Products you can use:
●● Dynamic analysis: Application-scanning tools such as
IBM Security AppScan® Standard software can help you
perform an initial vulnerability assessment. These tools can
be used to perform a dynamic analysis of an application and
generate detailed information on its vulnerabilities.
Services you can use:
●● Vulnerability assessment: Many organizations choose to hire
consultants to help them assess the current state of their
applications and to conduct a vulnerability assessment.
Consulting services such as the IBM Professional Security
Services team or services available through IBM Business
Partners can assist you with an application security assessment.
Case study: Global software developer
A global leader in software development needed to enhance
the quality of its online applications and also increase
customer confidence in the security of these applications.
After undergoing a restructuring of its product portfolio, the
company evaluated its inventory of applications and began
to conduct vulnerability assessments. Using IBM Security
AppScan Standard software, the company was able to
efficiently and thoroughly scan its applications to identify
vulnerabilities and remediate risks. This enabled the company
to meet its security goals and correct issues before applica-
tions were deployed for public release.
Step 3: Create a plan
After conducting an initial vulnerability assessment and choosing
key security areas to target, you can start creating a plan for your
security program by identifying a small number of initial
applications to work with. Focus on applications of highest
importance to your organization, those that need the most atten-
tion or those that can benefit the most from your program. It is
a good idea to start with a limited number of stakeholders and
team members. This approach can help your program begin
smoothly and maintain focus.
After you identify the right applications to prioritize, focus on
fixing the critical issues in these applications. Where possible,
correct the issue and educate the development teams about the
vulnerability, including detailed information on the problem and
how it can be fixed. Keep in mind that not every application can
be fixed today and that development and testing can take time.

7. 7IBM Software
Once you have achieved some initial successes, create a repeat-
able model and apply it to a larger number of applications. To
continue the momentum of your program and increase your
executive support, utilize your initial teams to evangelize the
project and serve as role models for other teams to emulate.
Things you can do:
●● Start a pilot project: At first, focus on a small number of
applications—perhaps only one. Use careful selection when
choosing not only applications, but also application owners.
Working with an application team that is committed to
application security helps to ensure a smoother pilot project
and enables you to use the application owners as role models
for the rest of the organization. When creating a process for
your project, make sure it is tailored to your organization’s
needs. Work to improve the security of your applications,
measure the results and build upon your internal knowledge
and capability.
●● Track your progress: Make sure to track the progress of
your program and keep your executive sponsors in the loop.
Before you begin to measure your progress, it is a good idea
to create a baseline including information such as the number
of applications you are addressing and the number of initial
vulnerabilities present. Continue to track the progress of your
project against the baseline as you address more applications
and resolve more vulnerabilities.
●● Streamline testing: Where possible, automate your new
testing processes and integrate best practices into your existing
tools and processes.
●● Share information: To keep your teams connected and well
informed, use knowledge-sharing tools such as wikis or
educate team members using brown-bag sessions.
Products you can use:
●● Dynamic analysis: Tools for dynamic analysis can help
your testers understand how applications respond to attacks
as the applications are running. You can use software such as
IBM Security AppScan Standard and start with a small
number of licenses (one per tester). As your organization
expands its analysis process, more advanced tools such as
IBM Security AppScan Enterprise can provide additional
functionality such as broad-based reporting and self-serve
dynamic scanning.
●● Static analysis: If your team is using static analysis, which
analyzes application source code, you can use tools such as
IBM Security AppScan Source with its included IBM Security
AppScan Enterprise server software for data sharing, reporting
and oversight capabilities.
●● Hybrid analysis: If you are using a hybrid combination of
dynamic and static analysis to test your applications, tools such
as IBM Security AppScan Enterprise can be useful to help you
consolidate the testing data.
●● Intrusion prevention solutions: In addition to using
dynamic, static or hybrid analysis for applications in develop-
ment, you also may choose to identify vulnerabilities in your
deployed applications that need immediate protection.
Intrusion prevention measures such as IBM Security Network
Intrusion Prevention System solutions can be used to block
attacks against these applications. Using a layered approach
instead of relying on a single security solution is an important
best practice to integrate into your organization’s security.

8. 8 Five steps to achieve success in your application security program
Services you can use:
●● Application security testing: If you choose not to use your
existing teams to test your applications, you can work with
expert in-house security auditors such as the IBM Professional
Security Services team, or you can use services available
through IBM Business Partners.
Case study: Insurance company
With a primary goal to increase customer focus, a
Fortune 100 insurance company wanted to expand the
mobility of its agents and improve their application access.
But to provide this, the company needed to address the
security risks for its applications. After developing a solid plan
for an application security program, the company embarked
upon a phased, multi-year mission. Using testing methods
including static analysis, the company was able to reduce
application vulnerabilities and use the knowledge gained to
develop an internal training course curriculum providing
standard processes for its application teams.
Step 4: Drive operational excellence
Regardless of your program’s stage of maturity, there is always
room to improve the operations throughout your application
security program—from application development to production.
After you have created a proven set of processes to address
vulnerabilities, you can employ a systematic approach to ensure
efficiency when applying your program across the organization.
Whether you are using dynamic, static or hybrid analysis, you
can begin to build out repeatable and measurable processes.
One way to improve your program’s operations is to address the
needs of the different groups involved, which can help you
bridge the communication gaps and eliminate silos of teams. For
example, development teams are typically designing and building
code to meet functional and performance objectives. Initially,
they often do not have security requirements established, so they
do not design, build or test for security. On the other hand,
teams that specialize in security typically play an auditing role in
which they review software just before it goes into production,
identifying security vulnerabilities late in the development cycle.
This can create a bottleneck and cause tension between these
teams. By understanding how different teams are involved and
adjusting your processes accordingly, you can help to ensure
operational efficiency in your program.
Addressing the development lifecycle also can help your
organization uncover cost-saving opportunities. By identifying
vulnerabilities early in development as opposed to later in the
application’s lifecycle, you can substantially reduce the cost of
fixing vulnerabilities. As illustrated in Figure 2, fixing defects
found late in the cycle can prove to be much more expensive
than fixing them earlier during development. Also, creating
processes that help you discover vulnerabilities earlier can help
you provide extra defense against security breaches, since it is
less likely that the vulnerabilities will slip through the process
and exist in the final product. Building security into the applica-
tion lifecycle from the start is therefore an important best prac-
tice to consider for your application security program.

9. 9IBM Software
Things you can do:
●● Measure the cost of being secure: As you scale out your
security program, measure the cost per defect for fixing
vulnerabilities. This helps you focus on reducing costs and
places emphasis on early detection and remediation.
●● Build security into your process: Engage with your software
architects to focus on secure application design and work with
testers to build security into their test plans. Develop a
template of security requirements, which can save planning
time and help to ensure that processes are followed consis-
tently. It is also a good idea to build security into your
procurement process. Create a list of security requirements
for third parties who develop or deliver software to your
organization.
●● Audit your web applications: Use your internal teams to
conduct regular audits of your web applications to identify and
fix vulnerabilities early in the development cycle—before
vulnerable software is deployed into your live environment.
●● Perform regular third-party audits of your environment:
In addition to leveraging internal teams, using third parties to
conduct security audits can greatly improve your organiza-
tion’s chances of finding application security issues.
●● Address advanced persistent threats: Using intrusion
prevention systems can help provide a critical layer of
protection for your applications in production, which can
prevent many types of breaches such as SQL injection.
●● Have an incident response plan: Be prepared for a potential
security breach and create detailed plans describing how your
organization will respond.
Estimated costs based on IBM Global Business Services industry standards*
Reduce costs by finding application vulnerabilities early*
Coding Build Quality assurance Security Production
Find during
development
$80/defect $240/defect $960/defect
Find during
build
Find during
quality assurance/test
Find in
production
$7,600/defect
Figure 2: By identifying vulnerabilities early in the application lifecycle, your organization can prevent unnecessary costs when fixing application security issues.
The costs represented in this illustration are based on a hypothetical hourly rate, but the magnitude of cost escalation that occurs through the application lifecycle is
typical of what many organizations experience.3

10. 10 Five steps to achieve success in your application security program
Products you can use:
●● Advanced testing, reporting and integration: At this phase
of your program’s maturity, you can benefit from using
advanced tools such as IBM Security AppScan Enterprise,
which provides the scalability and control to support security
testing as early as possible in the development lifecycle. Tools
such as these with developer-friendly reporting can be used to
produce insights and actionable items for development teams.
IBM Security AppScan Enterprise also supports integration
with development tools to help minimize disruption to the
development processes.
Case study: Federal department
A large US Federal government department wanted to
incorporate static analysis as part of its application develop-
ment lifecycle. After adopting a new approach to development,
whereby automated security testing is performed as the
software is built, the department was able to identify defects
as early as possible and with minimal manual effort. This
helped the department to reduce the cost of development
throughout the software lifecycle by avoiding expensive
reworking and patching of software. By focusing on security
tests that could be automated and on tests with high probabil-
ity rates of success, the department found it could reduce the
cost of fixing vulnerabilities while increasing the visibility of
security throughout the organization.
Step 5: Govern responsibly
Creating a long-term program for application security can be a
challenging and complex process, but implementing an efficient
program capable of achieving your security goals can be
invaluable to your organization. However, it is critical to your
program’s—and your organization’s—future that you maintain
your security posture and continue to guide your program along
its ongoing journey.
Governing your program is an ongoing activity, one that should
begin as soon as you have gained an executive sponsor. If you
have kept closely tuned to your program’s progress, you should
have new perspectives about where your organization is today
and how far it has come since the program began. Make sure to
keep your sponsor and staff—including management, security,
development and quality-assurance teams—well informed on
your progress.
In addition to communicating with your teams, make sure
your program stays on track and its processes and guidelines
are consistently followed. This is important not only to maintain
security, but also to keep you prepared for security audits.
Ensuring that your teams play by the rules is an important part
of your program’s continued success.
Things you can do:
●● Continue to measure security: Make security one of your
key performance indicators and continue to track the progress
of your program.
●● Measure and report regularly: Continue to measure the
results of your program and create reports to keep teams and
management informed.
●● Leverage security intelligence systems: Integrate your
application vulnerability data with your security intelligence
systems to strengthen the overall security of your program.

11. 11IBM Software
Products you can use:
●● Reporting and dashboarding: To help provide oversight
for your entire application security program, tools such as
IBM Security AppScan Enterprise include useful reporting
and dashboarding features that can help you improve the
visibility and communication of your program’s progress.
IBM Security AppScan Enterprise includes roles and permis-
sions features to ensure that information is shared on a
need-to-know basis. Compliance reporting is also included to
help you meet regulatory requirements.
●● Advanced visualization and analysis: You can take advantage
of your known vulnerability information using products such
as QRadar SIEM solutions with advanced threat visualization
and impact analysis capabilities. These solutions integrate with
the IBM Security AppScan family and can provide meaningful
insights to help you identify and remediate threats and assess
potential impacts.
Summary
Starting an application security program can be a significant
endeavor, but breaking up the journey into phases can help you
to build upon individual accomplishments and ensure continual
success for the program. By using the five phases presented in
this white paper as a framework for your program, you can have
the flexibility to ensure that your security goals and processes
are tailored to meet your organization’s needs. And by using
advanced tools such as those offered in IBM Security AppScan
family, you can quickly identify and fix application vulnerabilities
early in the development lifecycle, improve communication
across the organization, and save considerable time and costs
throughout your journey to application security.
For more information
To learn more about the IBM Security AppScan family, please
contact your IBM representative or IBM Business Partner, or
visit: ibm.com/software/awdtools/appscan/
About IBM Security Systems software
IBM Security offers one of the most advanced and integrated
portfolios of enterprise security products and services. The
portfolio, supported by world-renowned IBM X-FORCE
research and development, provides security intelligence to help
organizations holistically protect their people, infrastructures,
data and applications, offering solutions for identity and access
management, database security, application development, risk
management, endpoint management, network security and
more. These solutions enable organizations to effectively
manage risk and implement integrated security for mobile,
cloud, social media and other enterprise business architectures.
IBM operates one of the world’s broadest security research,
development and delivery organizations, monitors 13 billion
security events per day in more than 130 countries, and holds
more than 3,000 security patents.
Additionally, IBM Global Financing can help you acquire
the software capabilities that your business needs in the most
cost-effective and strategic way possible. We’ll partner with
credit-qualified clients to customize a financing solution to
suit your business and development goals, enable effective
cash management, and improve your total cost of ownership.
Fund your critical IT investment and propel your business
forward with IBM Global Financing. For more information,
visit: ibm.com/financing

12. © Copyright IBM Corporation 2012
IBM Corporation
Software Group
Route 100
Somers, NY 10589
Produced in the United States of America
October 2012
IBM, the IBM logo, ibm.com, X-FORCE, and AppScan are trademarks of
International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or
other companies. A current list of IBM trademarks is available on the web at
“Copyright and trademark information” at ibm.com/legal/copytrade.shtml
This document is current as of the initial date of publication and may be
changed by IBM at any time. Not all offerings are available in every country
in which IBM operates.
The client examples cited are presented for illustrative purposes only. Actual
performance results may vary depending on specific configurations and
operating conditions.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED
“AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED,
INCLUDING WITHOUT ANY WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND ANY WARRANTY OR CONDITION OF
NON-INFRINGEMENT. IBM products are warranted according to the
terms and conditions of the agreements under which they are provided.
The client is responsible for ensuring compliance with laws and regulations
applicable to it. IBM does not provide legal advice or represent or warrant
that its services or products will ensure that the client is in compliance with
any law or regulation.
IT system security involves protecting systems and information through
prevention, detection and response to improper access from within and
outside your enterprise. Improper access can result in information being
altered, destroyed or misappropriated or can result in damage to or misuse of
your systems, including to attack others. No IT system or product should be
considered completely secure and no single product or security measure can
be completely effective in preventing improper access. IBM systems and
products are designed to be part of a comprehensive security approach,
which will necessarily involve additional operational procedures, and may
require other systems, products or services to be most effective. IBM does
not warrant that systems and products are immune from the malicious or
illegal conduct of any party.
1 IBM X-FORCE, “IBM X-Force 2011 Trend and Risk Report,”
IBM Corporation, March 2012. https://www14.software.ibm.com/
webapp/iwm/web/signup.do?source=swg-Tivoli_Organic&S_PKG=xforce-
trend-risk-report
2 For more information on the IBM Institute for Advanced Security,
visit http://instituteforadvancedsecurity.com
3 RTI, “Planning Report 02-3: The Economic Impacts of Inadequate
Infrastructure for Software Testing,” National Institute of Standards &
Technology, May 2002.
WGW03014-USEN-00
Please Recycle