IBM® Application Security Product Professional Services

Presentation transcript:

IBM® Application Security Product Professional Services
Offering portfolio
IBM Security Services
Benton K. Rhee, IBM North America Security Services Solutions Leader
Mobile: 301-452-1002 | Fax: 703-943-3611
E-mail: benton_rhee@us.ibm.com
www.ibm.com/Security

Our approach can help you build more secure applications

IBM can help you employ a combination of services and tools to enhance your SDLC process across its phases: Planning, Analysis, Design, Implementation and Maintenance. The slide groups the offerings into three lanes: Consulting and Systems Integration, Managed Security Services, and Tools and Products.

Consulting and Systems Integration offerings:
- Appsec program gap / maturity assessment
- Application Risk Assessment & Classification
- Secure SDLC consulting
- Secure development standards
- Threat Modeling
- Security Requirements Analysis
- Source Code Review
- Application Security Testing
- Vulnerability Remediation Assistance

Managed services, tools and products shown on the slide:
- Application Security on Cloud (ASoC)
- Hosted Application Security Management (HASM)
- AppScan
- Model and Requirements Identification and Validation (SD Elements)
- Computer Based Training

Consulting and Systems Integration

Our approach includes consulting services that provide expertise to existing staff, or staff augmentation if needed. The offerings span the Planning, Analysis and Design, and Implementation phases.

Consulting offering: what does it do?
- Appsec program gap / maturity assessment: provides a gap analysis against major security frameworks or industry best practices, and identifies improvement opportunities, action plans and a roadmap (may include Secure SDLC Consulting).
- Application Risk Classification: helps identify the business risk impact and criticality level associated with each application, in order to prioritize the application security strategy and roadmap.
- Secure SDLC Consulting: consulting service designed to help clients align their development process, technology and organization to a secure SDLC model.
- Secure development standards: collects business drivers, assembles profiles of existing applications, and drafts a reusable set of secure development standards tailored to your organization's application needs.
- Threat Modeling: analyzes the security of an application and enables you to identify, quantify, and address the security risks associated with it. Combined with the documentation produced as part of the threat modeling process, this gives the reviewer a greater understanding of the system: where the entry points to the application are, and the threats associated with each entry point.
- Security Requirements Analysis: identifies the minimal security requirements to be implemented during the application development phase.
- Vulnerability Remediation Assistance: provides application security experts to help identify solutions that fix application vulnerabilities.
- Source Code Review: application source code review to identify coding malpractices and implementation errors or flaws.
- Application Security Testing: automated or manual testing of an application in a runtime environment to identify vulnerabilities and exploit scenarios.

Portfolio Overview and Benefits

IBM® Application Security Product Professional Services drive client success using IBM® Application Security Products. The portfolio:
- Dynamic and Static Foundation Services
- Dynamic and Static Assessment Services
- Mobile Application Protection Review
- DevOps Integration
- Application Security Health Check
- Advanced IBM® Application Security Solutions
- Application Security Program Management

These services drive client success in application security through the strategy for, implementation of, and knowledge transfer on IBM® Application Security Products. With them, IBM can:
- Help companies integrate IBM® Security AppScan® and IBM® Application Security on Cloud into their security assessment practices
- Provide knowledge transfer of current best practices relating to both dynamic and static application security testing
- Assist in protecting brand reputation through protection of client information and other sensitive or regulated information
- Provide detailed recommendations to help clients create and maintain secure applications throughout the SDLC
- Enhance security posture by adapting IBM® Application Security Products into DevOps and automated SDLC practices
- Expand and integrate IBM® Security AppScan® to interface with other critical security and reporting systems

Offering Descriptions

IBM® Application Security Product Professional Services help protect critical assets by improving application security.

- Dynamic and Static Foundation Services: assist clients with the strategy for, implementation of, and knowledge transfer needed to implement dynamic and static application security testing using IBM® Security AppScan® and IBM® Application Security on Cloud.
- Dynamic and Static Assessment Services: conduct dynamic and static application security testing for the client, using the client's IBM® Security AppScan® and IBM® Application Security on Cloud solutions.
- Mobile Application Protection Review: verify that the client's implementation is in line with client expectations and standard practices for an Arxan® product implementation for GuardSpec development.
- DevOps Integration: define and implement the Application Security Lifecycle Architecture to integrate IBM® Security AppScan® into the organization's DevOps and SDLC processes.
- Application Security Health Check: investigate and recommend improvements to a client's application security program and implementation of IBM® Security AppScan®.
- Advanced IBM® Application Security Solutions: develop customizations and integrations that enable clients to extend IBM® Security AppScan® and IBM® Application Security on Cloud into the enterprise.
- Application Security Program Management: assist clients with the planning for and implementation of enhancements to the client's application security program, leveraging IBM® Security AppScan® and IBM® Application Security on Cloud.

Application Security Program Management

Offering overview: Application Security Program Management provides the planning for and implementation of enhancements to a client's Application Security Program, leveraging IBM Application Security products.

Objectives
- Assist clients in the effective development and implementation of an Application Security Deployment Plan that leverages IBM Application Security Products and is designed to meet the client's business, operations and application security objectives.

Actions
- Develop or review the Application Security Deployment and Portfolio Risk Plan
- Implement IBM Application Security Products in accordance with the Deployment and Portfolio Risk Plan
- Conduct knowledge transfer on application security using IBM Application Security Products
- Provide scanning services
- Lead or augment the client's Application Security Program roll-out to the organization(s)

Deliverables
- Prioritized Application Security Deployment Plan
- Portfolio Risk Plan and deployed Application Security Management
- Deployed IBM Application Security products
- Knowledge transfer deliverables
- Scan reports
- Periodic reviews on progress and priority

Foundation Services: quick-start services, typically a 2 to 3 week engagement, used to address the initial rollout of AppScan® to new customers.

How it works
- Information gathering workshop held to understand the client's security objectives
- The scope of the engagement is established, agreed and written into a SOW
- A consultant contacts the client to schedule the engagement

Managed Services

Offering overview: a hybrid approach that fills the customer's gaps with IBM solutions.

Objectives
- Essential upfront deployment planning, tying the solution directly to your business needs, for the best chance at success
- Provide rapid knowledge transfer to client staff supporting IBM® Security AppScan® to increase productivity
- Help plan for future application security needs with lessons learned and experience for next steps

Actions
- Build a single instance of the IBM® Security AppScan® solution, with on-boarding of people and projects
- Gain hands-on experience and skills; benefit from the expertise offered by IBM consultants
- Conduct dynamic scans and recommend practices for remediating found vulnerabilities

Deliverables
- Pre-implementation consultation
- Detailed business analysis and deployment planning with end users to determine the reporting and analysis needs of stakeholders
- Installation and configuration of IBM® Security AppScan®, with assistance configuring scans, reports, users, and dashboards
- Demonstration to IBM® Security AppScan® users and administrators to simplify skills acquisition

How it works
- The scope of the engagement is established, agreed and written into a SOW
- A consultant contacts the client to schedule the engagement

Managed Services (cont.)

- Set up and configure Intelligent Findings Analytics (IFA) within IBM's or the customer's environment
- Incorporate IFA into the customer's build process

Managed Services (cont.): IBM Application Security on Cloud Consulting Services

ASoC is the SaaS application risk management and testing service; the consulting services around it are:
- Assessment Review: expert assistance reviewing test reports, including understanding and prioritizing vulnerabilities in the application
- Scan for Me: "concierge" scan service where the expert configures and runs the scan, validates results, prioritizes required remediation, and conducts a walk-through with the customer
- Application Penetration Test: human-executed, controlled tests to identify vulnerabilities
- Fast Start: expert assistance in understanding and optimally using the Application Security on Cloud testing and risk management features
- Advisor on Demand: deep interaction with experts on specific application security assistance such as program management, configuration, vulnerability remediation assistance, code analysis and repair

Dynamic Foundation Services

Offering overview: this service offering provides a foundational implementation of a dynamic testing solution using IBM® Security AppScan® Standard and/or AppScan® Enterprise. It includes basic configuration and transfer of information.

Objectives
- Essential upfront deployment planning, tying the solution directly to your business needs, for the best chance at success
- Provide rapid knowledge transfer to client staff supporting IBM® Security AppScan® Standard and/or Enterprise to increase productivity
- Help plan for future application security needs with lessons learned and experience for next steps

Actions
- Build a single instance of IBM® Security AppScan® Enterprise, with on-boarding of people and projects
- Gain hands-on experience and skills; benefit from the expertise offered by IBM consultants
- Conduct dynamic scans and recommend practices for remediating found vulnerabilities

Deliverables
- Pre-implementation consultation
- Detailed business analysis and deployment planning with end users to determine the reporting and analysis needs of stakeholders
- Installation and configuration of IBM® Security AppScan® Standard and/or Enterprise, with assistance configuring scans, reports, users, and dashboards
- Demonstration to IBM® Security AppScan® users and administrators to simplify skills acquisition

Foundation Services: quick-start services, typically a 2 to 3 week engagement, used to address the initial rollout of AppScan® to new customers.

How it works
- Sold in conjunction with or immediately after purchase of IBM® Security AppScan®
- The scope of the engagement is established, agreed and written into a SOW
- A consultant contacts the client to schedule the engagement

Static Foundation Services

Offering overview: this service offering provides a foundational implementation of a static testing solution using IBM® Security AppScan® Source. It includes basic configuration and transfer of information.

Objectives
- Essential upfront deployment planning, tying the solution directly to your business needs, for the best chance at success
- Provide rapid knowledge transfer to client staff supporting IBM® Security AppScan® Source to increase productivity
- Help plan for future application security needs with lessons learned and experience for next steps

Actions
- Build an IBM® Security AppScan® Source solution, with on-boarding of people and projects, execution of static scans of source code, and recommended practices for remediating found vulnerabilities
- Gain hands-on experience and skills; benefit from the expertise offered by IBM consultants
- Conduct static scans and recommend practices for remediating found vulnerabilities

Deliverables
- Pre-implementation consultation
- Architectural overview and deployment planning assistance
- Installation and configuration of IBM® Security AppScan® Source
- Demonstration and transfer of information to IBM® Security AppScan® users and administrators to simplify skills acquisition for AppScan® Source
- Deployment summary

Foundation Services: quick-start services, typically a 3 to 5 week engagement, used to address the initial rollout of AppScan® Source to new customers.

How it works
- Sold in conjunction with or immediately after a purchase of IBM® Security AppScan®
- The scope of the engagement is established, agreed and written into a SOW
- A consultant contacts the client to schedule the engagement

Dynamic and Static Assessment Services

Offering overview: this service offering helps improve a client's application security posture by identifying application vulnerabilities, a common vector for cyber attacks. By identifying vulnerabilities earlier in the SDLC, the application security assessment can reduce remediation cost while improving an organization's security posture.

Objectives
- Provide dynamic and static application security assessments using the client's IBM® Security AppScan® and IBM® Application Security on Cloud solutions
- Can be used for a one-time assessment, or to accelerate or supplement a client's application security program
- Can help a client meet a compelling deadline such as a PCI audit or other compliance conditions

Actions
- Identify vulnerabilities within the code base, early in the SDLC
- Monitor issues arising from new releases or newly identified attack strategies
- Clean the data and evaluate it for risk, producing an actionable remediation report
- Detailed debrief session to outline and explain the findings, and to discuss remediation and prioritization of the actions arising from the test

Deliverables
- Detailed scan findings report from the IBM® Application Security Product(s) used for the assessment
- Results review meeting using the IBM Application Security Product and a web conference to highlight issues
- IBM® Security AppScan® and IBM® Application Security on Cloud scan files for the client's potential future use
- Access to the IBM® Security AppScan® online reporting console, including consolidation of findings and executive dashboards

How it works
- Information gathering workshop held to understand the client's security objectives
- The scope of the engagement is established, agreed and written into a SOW
- A consultant contacts the client to schedule the engagement

Application Security Health Check

Offering overview: this service offering provides a workshop-based investigation of a client's application security program and implementation of IBM® Security AppScan®.

Objectives
- Gain an understanding of the client's high-level application security requirements
- Update the client on current recommended IBM® Security AppScan® best practices and conduct workshop-based information transfer
- Develop a high-level milestone plan for success and an agreed action plan for improved application security

Actions
- Review application security goals and drivers
- Review management objectives and timelines
- Identify organizational stakeholders
- Confirm the current situation and environment
- Identify integration with other initiatives
- Document key considerations and constraints

Deliverables
- High-level milestone plan and agreed action plan for improved application security
- Scope based on a phased implementation approach
- Schedule and key milestones to be achieved
- Resources required and their roles
- Outline of risks specific to the client
- Documented implementation and mitigation strategies

Health Check Review: objectives for the workshop
- IBM understanding of the customer's high-level requirements
- Customer familiarization with IBM recommended AppScan® practices
- Development of a high-level milestone plan for success
- Agreement to move forward together
- Identification of next steps

IBM reviews its current understanding of the customer situation (customer high-level requirements):
- Application security goals and drivers: what do you need to accomplish, why is it important to your business, and why now?
- Management objectives and timelines: what are the key objectives and milestones that need to be met, and why are they important?
- Current situation and environment: where are you starting from? Is AppScan® currently used, etc.
- Integration with other initiatives: defect tracking, build integrations, LDAP, etc.
- Key considerations and constraints: what needs to be taken into account when putting a plan together, such as **** standards, *** initiatives, etc.?
- Organizational stakeholders: who needs to be involved and what is their role?

IBM recommended practices:
- AppScan® architecture design strategy and recommendations
- License level considerations for AppScan®
- Deployment strategy (centralized, distributed or automated)
- Education approach (application-assessment-based mentoring, formal training, or foundation-based rollout)
- Project staffing considerations (IBM, customer, business partner)

Joint development of an initial high-level plan:
- Scope based on a phased implementation approach
- Schedule and key milestones to be achieved
- Resources that will be required and their roles
- Risks specific to the customer implementation, and mitigation strategies

Review of the initial plan and agreement to move forward together; next steps:
- Development of security project milestones and services approach

How it works
- Information gathering workshop held to understand the client's security objectives
- The scope of the engagement is established, agreed and written into a SOW
- A consultant contacts the client to schedule the engagement

DevOps Integration

Offering overview: this service offering defines and implements the Application Security Lifecycle Architecture to integrate IBM® Security AppScan® into the organization's DevOps and automated SDLC processes.

Objectives
- Provide the necessary software and services to examine a client's existing security practices
- Make recommendations that help protect the organization and enable it to maintain compliance standards
- Provide a complete and tailored security solution for embedding security into DevOps practices, working with application developers, build teams, security, and QA analysts

Actions
- Review application security goals and drivers
- Management objectives and timelines
- Automation and DevOps objectives
- Integration with other initiatives
- Key considerations and constraints
- Organizational stakeholders
- Pilot solution

Deliverables
- Solution architectural design
- Implementation of the DevOps solution and integrations built around IBM® Security AppScan®
- Demonstration and transfer of information relating to the solution to application developers, build engineers, security, and QA analysts
- Solution summary document and plan

How it works
- Information gathering workshop held to understand the client's security objectives
- The scope of the engagement is established, agreed and written into a SOW
- A consultant contacts the client to schedule the engagement

Advanced IBM® Security AppScan® Solutions

Offering overview: Advanced IBM® Security AppScan® Solutions and Integrations develops customizations and integrations that enable clients to extend the IBM® Security AppScan® solution into the enterprise.

Objectives
- Provide skills and support to assist a client in expanding IBM® Security AppScan® products to integrate with other commercial and custom interfaces. This may include integrations both into and out of IBM® Security AppScan® with GRC products, quality management, defect tracking tools and custom solutions.

Actions
- Review and document IBM® Security AppScan® integration success criteria
- Document requirements and design for the interface programs and related utilities
- Develop and deliver the customization(s) as documented and agreed
- Test the solution and related utilities to ensure the program works according to the Functional Requirements
- Provide information transfer and documentation to support the solution

Deliverables
- Functional Requirements document
- Software solution as defined in the Functional Requirements document
- User documentation

How it works
- Information gathering workshop held to understand the client's security objectives
- The scope of the engagement is established, agreed and written into a SOW
- A consultant contacts the client to schedule the engagement

Mobile Application Protection Review

Offering overview: this service offering verifies that the client's implementation is in line with client expectations and standard practices for an Arxan® product implementation for GuardSpec development.

Objectives
- Help clients integrate IBM® Security AppScan® and Arxan® solutions into their mobile applications
- Provide an integrated IBM® Security AppScan® and Arxan® solution so clients can extend their security posture across the mobile application lifecycle, from analysis to remediation and run-time protection
- Shield applications across the full scope of risks, from programming flaws to advanced integrity attacks and malware exploits

Actions
- Review the client-developed protection scheme against: the client's intent in applying the protection; the Standard Practices Guide for Arxan product implementation; field experience in protection design
- Recommend corrective action and provide assistance to address identified gaps

Deliverables
- Arxan report outlining the recommendations identified

The solution consists of:
1. A technical guide for using IBM AppScan® and Arxan in conjunction within the SDLC (or mobile application lifecycle) to control the full scope of risks and build in security from testing to run-time protection.
2. Augmented IBM AppScan® rules (custom scan configuration) to better identify app integrity risks (vulnerable parts of your app that present attack targets even after adhering to safe coding practices) and to inform the required protections.
3. Usage of Arxan® protection tools based on an AppScan®-aided integrity risk assessment, supplemented by manual analysis. "Defend", "detect" and "react" protections are designed and inserted inside your app without modifying its source code:
   - Defend itself against compromise (code obfuscation, pre-damage, encryption, string encryption, symbol stripping and renaming, etc.)
   - Detect if it is attacked (jailbreak/root detection, resource verification, checksum, anti-debug, swizzling detection, etc.)
   - React to ward off attacks (self-repair, exit, custom react, alert, etc.)
4. An IBM Ready for Security Intelligence validated and tested solution, with sample app demonstrations for using the solution.

How it works
- Information gathering workshop held to understand the client's security objectives
- The scope of the engagement is established, agreed and written into a SOW
- A consultant contacts the client to schedule the engagement
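The defend / detect / react split described in item 3 above, as an added illustration that is not Arxan's guard code nor anything from IBM's offering: a minimal source-level guard in C that keeps a string literal XOR-encoded in the binary (defend), verifies a digest over a protected table and checks for an attached tracer (detect), and invokes a pluggable reaction (react). Every name (guard_*, react_record, g_policy), the FNV-1a digest, the single-byte XOR key 0x5A, the Linux-only /proc/self/status check and the table contents are constructed for this example; a commercial guard is injected post-build without source changes, uses far stronger encoding, and embeds the expected digest at build time rather than sealing it at startup as done here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- react: pluggable reaction, default is to terminate ------------------ */
typedef void (*react_fn)(const char *reason);

static void react_exit(const char *reason) {
    fprintf(stderr, "guard: %s, terminating\n", reason);
    exit(1);
}

static react_fn g_react = react_exit;
static char g_last_reason[64];

void guard_set_react(react_fn fn) { g_react = fn ? fn : react_exit; }

/* Alternative reaction that only records the event (used by main/tests). */
void react_record(const char *reason) {
    snprintf(g_last_reason, sizeof g_last_reason, "%s", reason);
}
const char *guard_last_reason(void) { return g_last_reason; }

/* --- detect: integrity digest over a protected resource ------------------ */
/* FNV-1a 32-bit: cheap and non-cryptographic. Adequate for *detecting*
 * accidental or naive tampering inside the app; not a MAC, so an attacker who
 * finds the check can recompute it (real guards layer several checks). */
static uint32_t fnv1a32(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Constructed policy table, e.g. feature flags such as "pin TLS" or
 * "require biometric". Flipping a byte here is what a runtime patch does. */
uint8_t g_policy[8] = { 1, 1, 0, 1, 0, 0, 1, 1 };
static uint32_t g_policy_digest;

/* Record the baseline digest (simplification: a real guard embeds it). */
void guard_seal(void) { g_policy_digest = fnv1a32(g_policy, sizeof g_policy); }

/* 1 if the table still matches the sealed digest, 0 if it was modified. */
int guard_policy_intact(void) {
    return fnv1a32(g_policy, sizeof g_policy) == g_policy_digest;
}

/* Anti-debug (Linux only): TracerPid != 0 in /proc/self/status means a
 * ptrace tracer is attached. Returns 0 where /proc is unavailable, so
 * non-Linux builds never false-alarm. */
int guard_debugger_present(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    char line[256];
    int traced = 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            traced = atoi(line + 10) != 0;
            break;
        }
    }
    fclose(f);
    return traced;
}

/* --- defend: string encryption ------------------------------------------ */
/* "api.example" stored XOR 0x5A so strings(1) on the binary does not show it.
 * Decoded only on demand, into caller-owned memory. */
static const uint8_t k_endpoint_enc[] =
    { 0x3B,0x2A,0x33,0x74,0x3F,0x22,0x3B,0x37,0x2A,0x36,0x3F };

/* Returns the decoded length, or 0 if out is too small. */
size_t reveal_endpoint(char *out, size_t outsz) {
    size_t n = sizeof k_endpoint_enc;
    if (outsz < n + 1) return 0;
    for (size_t i = 0; i < n; i++) out[i] = (char)(k_endpoint_enc[i] ^ 0x5A);
    out[n] = '\0';
    return n;
}

/* --- detect then react --------------------------------------------------- */
/* 0 when clean; otherwise a reason code, after the configured reaction ran. */
int guard_check(void) {
    if (!guard_policy_intact())   { g_react("policy table modified"); return 1; }
    if (guard_debugger_present()) { g_react("debugger attached");     return 2; }
    return 0;
}

int main(void) {
    char ep[32];
    guard_set_react(react_record);      /* log instead of exit for the demo */
    guard_seal();
    reveal_endpoint(ep, sizeof ep);
    printf("endpoint=%s initial check=%d\n", ep, guard_check());
    g_policy[2] ^= 0xFF;                /* simulate an in-memory patch */
    printf("after tamper: check=%d reason=%s\n", guard_check(), guard_last_reason());
    return 0;
}
```

The point the example makes about the review service: a protection scheme is only as good as the coverage and placement of its checks, which is exactly what the Standard Practices Guide review on the slide looks at. A single digest check at one call site, as here, is trivial to NOP out once found; a GuardSpec typically spreads many checks, has them verify each other, and varies the reaction so the attacker gets no single decision point to patch.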