Denim Group, Ltd. Blog

By Dan Cornell

After OWASP AppSec 2009 last year everyone knows the OWASP DC folks can run a conference so I am looking forward to the upcoming OWASP DC con.  Their next event will be held November 8^th – 11^th, 2010 at the Washington Convention Center.  Denim Group has a couple of areas where we will be involved:

·         Training: Software Security Remediation on Tuesday November 9^th, 2010

·         Session: Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers

·         Session: Smart Phones, Dumb Apps

For the training we will be giving the same class we did at OWASP AppSec 2010 in Irvine.  The description is:

This class teaches attendees how to fix security vulnerabilities in existing software. It provides a mix of discussion of project concerns for planning and managing remediation efforts with hands-on coding examples fixing specific vulnerabilities. Attendees will learn how to risk-rank vulnerabilities, estimate remediation tasks, perform coding fixes for vulnerabilities and demonstrate the effectiveness of fixes applied. The focus is on the practical: how to use limited resources to make significant improvements to the security of target applications. Code examples use the OWASP ESAPI Java and Microsoft Web Protection Library. Many classes teach developers how to build secure code from the ground up or teach security analysts how to test applications for security vulnerabilities. This class teaches developers and security analysts how to deal with their existing portfolio of insecure applications.

Please click here to register.

For the sessions we will be talking about smartphone security as well as application portoflio risk management.  I will be giving a once-again-updated version of my “Smart Phones, Dumb Apps” presentation.  The abstract is:

Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android.  Many of these applications are constructed without fully considering the associated security implications of their deployment.  Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services.  This talk discusses emerging threats associated with deploying  smartphone applications  and provides an overview of the threat modeling process.  The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks.

This is a fun talk and you can see a preview of slides and code here: www.smartphonesdumbapps.com.  I’ll have updated material (even since HouSecCon) so if you’ve seen it before I promise there will be new stuff.

I will also be presenting some new material we have been working on with some clients dealing with how to risk-rank applications in your portfolio and how to create structured assessment plans based on this data.  The abstract is:

Far too often application security decisions are made in an ad hoc manner and based on little or no data. This leads to an inefficient allocation of scarce resources. To move beyond fear, uncertainty and doubt, organizations must adopt an approach to application risk management based on a structured process and quantitative data. This talk outlines such an approach for organizations to enumerate all the applications in their portfolio. It then goes through background information to collect for each application to support further decision-making. In addition, the talk presents an application risk-ranking framework allowing security analysts to quantitatively categorize their application assets and then plan for assessment activities based on available budgets. Attendees will leave with the knowledge and tools required for them to use the approach on the applications they are responsible for in their organization. Template spreadsheets and a How-To guide will also be provided.

Contact us if you would like to meet up in DC.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

By Dan Cornell

HouSecCon is a new conference this year but is shaping up to be a real powerhouse event in the Texas information security space.  They have assembled an all-star speaker lineup with a lot of great content.  Their inaugural conference will be held November 4^th, 2010 at the Microsoft offices in Houston, TX.

Check here for more information about myself and other speakers as well as a registration link: HouSecCon

I will be giving a once-again-updated version of my “Smart Phones, Dumb Apps” presentation.  The abstract is:

Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android.  Many of these applications are constructed without fully considering the associated security implications of their deployment.  Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services.  This talk discusses emerging threats associated with deploying  smartphone applications  and provides an overview of the threat modeling process.  The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks.

This is a fun talk and you can see a preview of slides and code here: www.smartphonesdumbapps.com.  I’ll have updated material (even since the OWASP Austin LASCON event) so if you’ve seen it before I promise there will be new stuff.

Contact us if you would like to meet up in Houston.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

By Dan Cornell

The OWASP Austin folks are setting up a great conference for the end of October.  The inaugural Lonestar Application Security Conference (LASCON) is scheduled for October 29^th, 2010 at the Norris Conference Center in Austin.

Check here for more information and for a registration link:

http://www.owasp.org/index.php/Lonestar_Application_Security_Conference_2010

I will be giving an updated version of my “Smart Phones, Dumb Apps” presentation.  The abstract is:

Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android.  Many of these applications are constructed without fully considering the associated security implications of their deployment.  Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services.  This talk discusses emerging threats associated with deploying  smartphone applications  and provides an overview of the threat modeling process.  The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks.

This is a fun talk and you can see a preview of slides and code here: www.smartphonesdumbapps.com.  I’ll have updated material so if you’ve seen it before I promise there will be new stuff.

Contact us if you would like to meet up in Austin.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

By Dan Cornell

I will be giving a virtual seminar in conjunction with the SearchSecurity.com and Bitpipe.com folks on October 6^th, 2010 titled “Threat Management Virtual Seminar: Protecting Against Emerging Web Threats and the Web 2.0 Wave”  The seminar will consist of four presentations as well as a live Q&A later that afternoon.

Here’s the event description:

With most companies shifting business to the Web, it comes as no surprise that Web-based attacks are on the rise. Companies often rush applications and functionality to their Web-based storefronts to gain business efficiency. While the business benefits may be obvious, the risks may not.

Attackers are counting on organizations to sacrifice security in the rush to expand and improve business, leaving behind a threat environment rich in potential vulnerabilities.

This virtual seminar explores the emerging Web threats your organization needs to be aware of, the common security mistakes made in bringing applications and functionality to the Web, and how to integrate security into your organization’s collaborative efforts online. Sessions include:

·         The Evolving Web Threat Landscape

·         Threat Modeling Your Web 2.0 Enterprise

·         Vulnerability Management in a Web Application Security World

·         InsideThe Forensics Lab: How Advanced Web Attacks Work

·         Live Q&A: Web Threats Questions Answered with Dan Cornell, CTO, Denim Group

More information and a registration link can be found here:

http://www.bitpipe.com/detail/RES/1282744577_320.html

Contact us for help managing web threats in your organization.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

By Dan Cornell

We recently found out that Denim Group was named to the Inc 5000 list of fastest-growing private companies in America – for the 3^rd year in a row.  Many thanks to all of our customers, partners and employees who helped make this growth possible.  The release can be found online here and there is a copy of the release below.

Contact us to talk about developing secure software and testing the security of your existing software.

--Dan

dan _at_ denimgroup.com

@danielcornell

PRESS RELEASE

Agency Contact:                                                                                               Denim Group Contact:

Alan Weinkrantz                                                                                               John Dickson

210.820.3070                                                                                                      210.572.4400

alan@weinkrantz.com                                                                                   john@denimgroup.com

Denim Group Named to Inc. Magazine 5000 List

Of Fastest Growing Companies For 3^rd Year in a Row

New York, NY and San Antonio, TX – September 14, 2010 - Denim Group, an IT consultancy that develops secure software and helps organizations assess and mitigate risks with their existing software, has been named to the Inc. 5,000 list of the fastest growing privately held companies for the second year in a row.  Denim Group’s profile may be viewed on the Inc. site at: http://www.inc.com/inc5000/profile/denim-group.  The company ranked number 1,925 and has experienced 3-year growth of 140%.

“The leaders of the companies on this year’s Inc. 5000 have figured out how to grow their businesses during the longest recession since the Great Depression,” said Inc. president Bob LaPointe. “The 2010 Inc. 5000 showcases a particularly hardy group of entrepreneurs.”

 “Denim Group has identified an important segment of a market that is not only poised for continued growth, but also solves a fundamental need for companies that are continuing to shift their applications to the Internet,” stated, John Dickson, Principal of Denim Group. “Coupled with our strategic partnership and licensing agreements with companies ranging from Rackspace (NYSE: RAX), Fortify (recently acquired by HP - NYSE: HPQ) and other leading vendors, we are continuing our growth path and global expansion plans moving forward.”

 About Inc. Magazine

Founded in 1979 and acquired in 2005 by Mansueto Ventures LLC, Inc. (www.inc.com) is the only major business magazine dedicated exclusively to owners and managers of growing private companies that delivers real solutions for today’s innovative company builders. With a total paid circulation of 712,647, Inc. provides hands-on tools and market-tested strategies for managing people, finances, sales, marketing, and technology. Visit us online at www.inc.com.

About Denim Group

Denim Group develops secure software, helps organizations assess and mitigate risk with existing software, and provides training on best practices in software security. Denim Group has worked with a range of Fortune 500 companies and public sector organizations, bringing a focused software development approach to the world of software security. Denim Group is a strong contributor to the larger application security community, and has been involved with the Open Web Application Security Project (OWASP) since shortly after its inception. Additionally, Denim Group was ranked 1,925 in Inc. Magazine's 5000 Fastest-Growing Private Companies in America in 2010. For more information about Denim Group, visit www.denimgroup.com.

Reader Contact Information:

Denim Group, 3463 Magic Drive, Suite 315; San Antonio, TX 78229, Tel: 210-572-4400, Fax: 210-572-4401, www.denimgroup.com, john@denimgroup.com.

# # #

Posted via email from Denim Group's Posterous

By Dan Cornell

I just got back from two weeks traveling to Los Angeles (Irvine) and Dublin, Ireland for OWASP conferences where I gave my talk “Smart Phones Dumb Apps”  The talk looks at a generic threat model for a smartphone application and then walks through how attackers can take the applications apart with examples for both Android and iPhone.

Here is the video of my session at OWASP AppSec Irvine 2010:

Dan Cornell, Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications from AppSec USA 2010 on Vimeo.

The slides are available here:

The code used to automate parts of the analysis can be found in the Google Code repository here:

Google Code Repository for Smart Phones Dumb Apps

Also, Colin Watson did a quick writeup on the presentation in Ireland.

This is an ongoing area of research for us so please keep an eye on the blog, Google Code and come see upcoming presentations at Austin LASCON 2010 and OWASP DC 2010.

Contact us for help developing and deploying secure smartphone applications.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

By Dan Cornell

OWASP AppSec USA is coming up next week at UC-Irvine.  This is shaping up to be a great conference.  Denim Group is a sponsor and we will doing some training and giving some talks.

I’ll be teaching a 1-day course on Software Security Remediation on Tuesday September 7^th, 2010.  This isn’t a “how to hack” course or a theoretical “build new software securely” course.  Instead we will be dealing with how you can fix existing software that is full of vulnerabilities.  There is material on process and theory mixed with hands-on examples.  Should be a good time.

Then John Dickson will be chairing a panel discussion on Thursday at 10:35am titled “Characterizing Software Security as a Mainstream Business Risk – How to Talk to Other CXOs about Software Security”  He has folks such as Tom Brennan (Proactive Risk), Ed Pagett (Lender Processing Services), Richard Greenberg (Los Angeles County Department of Public Health) and John Sapp (McKesson) so this should be a spirited and interesting discussion.

Then I’m giving a presentation at 3:30 on Thursday on smartphone application security: “Smart Phones, Dumb Apps”  We will be looking at threat models for smartphone applications as well as assessment techniques and defense mechanisms.

We will also have a booth and generally be running around.  Contact us if you would like to meet up at OWASP AppSec US 2010.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

Posted via email from Denim Group's Posterous