Application Security, Inc. Brings Compliance Best-Practices Where Recent Attacks Demonstrate They Are Needed Most -- Corporate Databases
New SOX and FISMA Policies Safeguard Corporate and Federal Data; Simplifying Adherence to Regulatory Requirements

Reflecting the crucial tie between database
security and regulatory compliance, Application Security, Inc.
(www.appsecinc.com) today announced the immediate availability of
best-practice policies to help organizations meet requirements under The
Sarbanes-Oxley Act (SOX) and The Federal Information Security Management
Act (FISMA). AppSecInc is the leading provider of proactive security
solutions for corporate and government applications, with products that
deliver the industry's only complete vulnerability management solution for
the application tier.

These policies will be showcased at two upcoming industry events: InfoSec
World Conference in Orlando, FL, April 4-5, 2005 (Booth # 805), and FOSE
2005 in Washington, D.C., April 5-7, 2005 (Booth # 2241). AppSecInc
executives are available to meet with members of the media and market
research communities during the conferences. To schedule an appointment,
contact Rebecca Knowles (rknowles@appsecinc.com, 781-276-4508) or Christine
Atkinson at CHEN PR (catkinson@chenpr.com, 781-466-8282, ext. 39).

Based on interactions with customers, leading security consultants, and
auditors, AppSecInc's best-practice policy templates complement the
company's application-level vulnerability assessment scanner,
AppDetective(TM) and real-time database intrusion detection and security
auditing solution, AppRadar(TM). By using these policies, customers can
easily tune their application security to the protections that are most
relevant to the corresponding regulatory requirement, thus bolstering
compliance. With database applications part of their compliance strategy,
firms can make their compliance efforts more granular, demonstrable, and
repeatable.

Intuitive and easy-to-use, the policies for AppDetective are available for
download from the AppSecInc website at http://www.appsecinc.com/downloads/.
Policies for AppRadar will be available later this month. The SOX and
FISMA templates augment AppSecInc's extensive range of best-practice
policies that address Gramm-Leach-Bliley Act (GLBA), California Senate Bill
No. 1386 and National Energy Regulatory Commission (NERC) Cyber Security
Standards.

Both the FISMA and Sarbanes-Oxley Security Policies for AppDetective
consist of a Pen Test policy and an Audit policy. The Pen Test policy tests
security strength from an external perspective to ensure confidentiality,
integrity and availability by determining susceptibility to privilege
escalation, password attacks, and other known vulnerabilities. The Audit
policy determines vulnerability to insider threats by testing for privilege
escalation -- users with limited capabilities attempting to gain enhanced
status. These tests span all application components and include checks for
misconfigurations (e.g., using default passwords, disabling/enabling
insecure database features/functions), as well as for strong access and
identification/password controls.

"Working with our customers, who include both end-user organizations and
their auditors, we've found that for regulatory efforts to be effective
they must be granular, demonstrable, and repeatable," said Ted Julian, VP
Marketing, AppSecInc. "As most sensitive data ultimately resides in a
database application, this means compliance efforts must include
establishing controls on the applications which process sensitive
information, as well as a method for reviewing and enforcing those
controls. AppSecInc has established itself as the top provider of security
solutions for the application-tier and our best-practice policies simply
leverage what we've learned as a result and reinforce our value-proposition
to our customers."

SOX radically redesigned federal regulation of public company governance
and reporting obligations by demanding accountability for the integrity of
financial reporting by executives, auditors, securities analysts and legal
counsel. Penalties include fines, imprisonment or both. FISMA provides a
comprehensive framework for ensuring effective information security
controls for all federal information and assets. Based on this framework,
FISMA mandates that all government agencies report their overall security
posture to the Office of Management and Budget, which in turn reports to
Congress.

Databases are among the most important applications because they contain
detailed, sensitive information including financial transactions, customer
names, patient files, and social security and credit card numbers. Given
the increasing risk of unauthorized access, use, disclosure, modification
or destruction, compliance efforts must include securing "the crown jewels"
at their sources -- the database.

According to research from AMR, companies will spend $15.5 billion on
compliance in 2005. Approximately one-third of that money will be spent on
technology, as organizations seek to move beyond people-intensive,
incomplete and error-prone efforts in order to improve accuracy and reduce
staff time while ensuring compliance with an ever-growing list of
regulations.

"iGov's iSolutions for Wireless and Security provide mission ready secure
wireless solutions that meet the stringent data confidentiality and
integrity requirements of the federal government," said Jeff Oliveto, CISSP
and senior manager of engineering services at iGov. "Best practice security
tools like those from AppSecInc are an important part of the IT life cycle
process. They provide a consistent, repeatable way to audit, validate and
incorporate changes in a distributed database and Web services
infrastructure, while ensuring compliance with NIST/FISMA guidelines."

Gartner Research Director Rich Mogull states in his report on maintaining
regulatory compliance, "Security managers can take advantage of regulatory
compliance initiatives to improve enterprise security through initiating
best practices, expanding identity and access management, using security
tools to enhance change and configuration management, increasing audits of
key systems, and protecting private data through filtering and
encryption."(1)

About Application Security, Inc.

AppSecInc is the leading provider of application security solutions for the
enterprise. AppSecInc's products -- the industry's only complete
vulnerability management solution for the application tier -- proactively
secure enterprise applications at more than 300 organizations around the
world. By securing data at its source, we enable organizations to more
confidently extend their business with customers, partners and suppliers
while meeting regulatory compliance requirements. Our security experts,
combined with our strong support team, deliver up-to-date application
safeguards that minimize risk and eliminate its impact on business. Please
contact us at 1-866-927-7732 to learn more, or visit us on the web at
www.appsecinc.com.

AppSecInc, AppDetective and AppRadar are trademarks of Application
Security, Inc. All other company and product names are trademarks of their
respective companies.

(1) Gartner Report "Maintain Regulatory Compliance Without Neglecting Core
Security Requirements" by Rich Mogull. February 22, 2005.

Distributed by Market Wire
Copyright © 2008, MarketWire