Application Security, Inc. Brings Compliance Best-Practices Where Recent Attacks Demonstrate They Are Needed Most -- Corporate Databases

Market Wire, April, 2005

Reflecting the crucial tie between database security and regulatory compliance, Application Security, Inc. (www.appsecinc.com) today announced the immediate availability of best-practice policies to help organizations meet requirements under The Sarbanes-Oxley Act (SOX) and The Federal Information Security Management Act (FISMA). AppSecInc is the leading provider of proactive security solutions for corporate and government applications, with products that deliver the industry's only complete vulnerability management solution for the application tier.

These policies will be showcased at two upcoming industry events: InfoSec World Conference in Orlando, FL, April 4-5, 2005 (Booth # 805), and FOSE 2005 in Washington, D.C., April 5-7, 2005 (Booth # 2241). AppSecInc executives are available to meet with members of the media and market research communities during the conferences. To schedule an appointment, contact Rebecca Knowles (rknowles@appsecinc.com, 781-276-4508) or Christine Atkinson at CHEN PR (catkinson@chenpr.com, 781-466-8282, ext. 39).

Based on interactions with customers, leading security consultants, and auditors, AppSecInc's best-practice policy templates complement the company's application-level vulnerability assessment scanner, AppDetective(TM), and its real-time database intrusion detection and security auditing solution, AppRadar(TM). By using these policies, customers can easily tune their application security to the protections that are most relevant to the corresponding regulatory requirement, thus bolstering compliance. With database applications part of their compliance strategy, firms can make their compliance efforts more granular, demonstrable, and repeatable.

Intuitive and easy-to-use, the policies for AppDetective are available for download from the AppSecInc website at http://www.appsecinc.com/downloads/. Policies for AppRadar will be available later this month. The SOX and FISMA templates augment AppSecInc's extensive range of best-practice policies that address Gramm-Leach-Bliley Act (GLBA), California Senate Bill No. 1386 and National Energy Regulatory Commission (NERC) Cyber Security Standards.

Both the FISMA and Sarbanes-Oxley Security Policies for AppDetective consist of a Pen Test policy and an Audit policy. The Pen Test policy tests security strength from an external perspective to ensure confidentiality, integrity and availability by determining susceptibility to privilege escalation, password attacks, and other known vulnerabilities. The Audit policy determines vulnerability to insider threats by testing for privilege escalation -- users with limited capabilities attempting to gain enhanced status. These tests span all application components and include checks for misconfigurations (e.g. use of default passwords, insecure database features/functions left enabled), as well as for strong access and identification/password controls.

"Working with our customers, who include both end-user organizations and their auditors, we've found that for regulatory efforts to be effective they must be granular, demonstrable, and repeatable," said Ted Julian, VP Marketing, AppSecInc. "As most sensitive data ultimately resides in a database application, this means compliance efforts must include establishing controls on the applications which process sensitive information, as well as a method for reviewing and enforcing those controls. AppSecInc has established itself as the top provider of security solutions for the application-tier and our best-practice policies simply leverage what we've learned as a result and reinforce our value-proposition to our customers."

SOX radically redesigned federal regulation of public company governance and reporting obligations by demanding accountability for the integrity of financial reporting by executives, auditors, securities analysts and legal counsel. Penalties include fines, imprisonment or both. FISMA provides a comprehensive framework for ensuring effective information security controls for all federal information and assets. Based on this framework, FISMA mandates that all government agencies report their overall security posture to the Office of Management and Budget, which in turn reports to Congress.

Databases are among the most important applications because they contain detailed, sensitive information including financial transactions, customer names, patient files, and social security and credit card numbers. Given the increasing risk of unauthorized access, use, disclosure, modification or destruction, compliance efforts must include securing "the crown jewels" at their sources -- the database.

According to research from AMR, companies will spend $15.5 billion on compliance in 2005. Approximately one-third of that money will be spent on technology, as organizations seek to move beyond people-intensive, incomplete and error-prone efforts in order to improve accuracy and reduce staff time while ensuring compliance with an ever-growing list of regulations.


Content provided in partnership with Market Wire