Grab a hot cup of Java, lock your physical and digital doors, and listen to the tale of the threat that potentially lurks within your IBM product. Your IBM product may not be all it seems.
Many IBM products are shipped with applets – lightweight applications provided and designed to support implementation and integration. However, these applications can also introduce potential risk to the integrity of your environment by introducing vulnerabilities and unmonitored dark corners where threat actors can lurk.
No ‘silver-bullet’ exists and risk can never be zero, so what can you do!? Before you reach for the garlic and wooden stakes, here are a few tricks and treats (proactive actions) that you can take so your application doesn’t go ‘bump in the night’.
Treat: Reduce the Risk
Ask yourself, “what do I need from this IBM product to deliver operations?” Then get an understanding of the context and determine what functionality is required. Record and track the true risk. Once you have this, employ the Principle of Least Functionality (PoLF).
Consider employing Defence in Depth (DiD) to help mitigate actions across the ecosystem and take multiple mitigation actions to achieve your desired risk appetite. This enables gradual change, resiliency, and agility along with the implementation of mitigating actions at your own tempo aligned to your own security maturity journey.
Cautiously, so as not to impact operations, remove unwanted functionality, applets and code, then confirm all is working on completion. This reduces the risk of a known or unknown vulnerability being present, and therefore potentially reduces the risk of exploitation. It also reduces the risk of a licensing non-compliance issue and could subsequently save you money on licensing, support costs and potential fines. Furthermore, it provides the opportunity to remove ‘bloat’ from your ecosystem and therefore introduce potential efficiencies.
Trick: Expelling the Vulnerabilities
Many applets are Open Source, meaning new vulnerabilities in them are identified and shared far and wide at a regular tempo. An IBM-specific example would be Java vulnerabilities.
There is no guarantee that software vendors will hear about these vulnerabilities first, which leaves less time to respond with a patch or fix. Nor is there any obligation for them to respond at all. Furthermore, patches and fixes are developed for the majority, not for the individual, and therefore introduce the potential risk of other vulnerabilities or integration issues.
Origina provides a myriad of vulnerability-busting tools and services, including access to product and security SMEs, Hardening Guides and vulnerability advisories that provide a clear and concise selection of mitigating actions across your ecosystem, enabling a tailored approach to your risk management, and one that is on your terms.
Reach out to us before your IBM products go ‘bump in the night’ and your CISO runs out of the office screaming.