LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad
Subscribe to this blog's feed

Recent Posts

Categories

Archives

Add me to your TypePad People list


Programming Blogs - Blog Catalog Blog Directory

Denim Group

« September 2011 | Main | November 2011 »

October 26, 2011

Denim Group at LASCON 2011

By Dan Cornell

LASCON 2011 is coming up Friday October 28th and there will be two talks from Denim Group folks. I had to miss LASCON last year because of a last-minute trip to India so I’m really looking forward to this year. The speaker lineup is fantastic and the Austin OWASP gang knows how to throw a party. It should be a really valuable event and a great preview of next year’s OWASP AppSec conference.

Phil Beyer from the Texas Education Agency (TEA) will be presenting with Denim Group’s Scott Stevens in a talk titled “OpenSAMM in the Real World: Pitfalls Discovered and Treasure Collected Along the Way.”  The talk abstract is:

In "Pitfall!", a player must maneuver Pitfall Harry through a maze-like jungle to stay alive. Along the way, he must negotiate numerous hazards, try to recover treasure, and do it all in a limited time. Implementing OpenSAMM in a large organization is kinda like playing that classic game.

It's a little dangerous, requires vision, planning, and precision, and promises rewards. Like many of its size and with its mandate, the Texas Education Agency already has an SDLC. Enter Pitfall Phil. In an effort to build a stronger program, Pitfall Phil shifted the focus of TEA's application security program to align with OpenSAMM. We will present the hazards he discovered and the treasure he found while playing the game.

Also, I will be giving a presentation on some automated virtual patching work we have been doing titled “The Self Healing Cloud: Protecting Applications and Infrastructure with Automated Virtual Patching.” That talk’s abstract is:

Organizations often have to deploy arbitrary applications on their infrastructure without thorough security testing. These applications can contain serious security vulnerabilities that can be detected and exploited remotely and in an automated manner. The applications themselves and the infrastructure they are deployed on are then at risk of exploitation. Configuration changes or vendor-provided software updates and patches are typically used to address infrastructure vulnerabilities. However, application-level vulnerabilities often require coding changes to be fully addressed.

Virtual patching is a technique where targeted rules are created for web application firewalls (WAFs) or other IDS/IPS technologies to help mitigate specific known application vulnerabilities. This allows applications to be “virtually” patched prior to actual code-level patches being applied. These virtual patches are most often applicable to vulnerabilities that have a strong detection signature such as SQL injection and cross-site scripting (XSS) because the detection rules can be targeted to detect these signatures, but limited only to specific parts of the application attack surface where the application is known to be vulnerable.

This presentation examines the automatic creation of virtual patches from automated web application security scanner results and explores scenarios where this approach might be successfully employed. It discusses theoretical approaches to the problem and provides specific demonstrations using Open Source tools such as the skipfish and w3af scanners and Snort and mod_security protection technologies. Finally, it looks at opportunities to apply these techniques to protect arbitrary applications deployed into arbitrary infrastructures so that short-term protection against common web application attacks can be consistently applied while minimizing false blocking of legitimate traffic.

Again – this should be a great conference. Contact us if you want to meet up at OWASP LASCON in Austin.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

October 26, 2011 in Conferences | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , ,

October 21, 2011

Physical Security and Application Security - Where the Two Worlds Collide

By John B. Dickson, CISSP

I recently had the opportunity to attend the ASIS International Annual Seminar and Exhibits in Orlando, Florida. ASIS is the largest physical security conference in the world and arguably one of the oldest security trade groups in the US (they have been around since 1955). With 20,000+ in attendance, it’s hard to argue that this wasn’t one of the premier conferences in the security industry.  I’m probably more of an information security guy than a physical security person, whose limited exposure to the physical security world has been through the CISSP certification (one block of instruction) and during the infrequent red team exercises I’ve participated in during my career where breaking and entering a client’s office complex was part of a contracted project.

SoldierWhat brought me to the ASIS conference was the ISC2, the International Information Systems Security Certification Consortium, and its Security Congress. The Security Congress tracks ran concurrently with the ASIS conference, attracting nearly 1,000 attendees from the traditional information security field. ISC2 had separate speaker tracks that addressed application security, cloud security and social networking. My session had about 40 attendees – a little light but a good group. The interaction was solid and the questions insightful. In short, the speaker session might as well have been at any mainstream information security conference.

Where I experienced culture shock the most was on the ASIS expo floor. For those that argue that the physical security and information security fields are converging, my first ASIS led me to believe otherwise. For starters, more than half of the exhibitors wore dark suits, as did many of the attendees (and, yes, I did see a fair share of three-piece suits). This was in stark comparison to RSA, where most of the booth workers look liked they just hopped off the 18th hole, albeit with matching company golf shirts.

There was a formal air to the expo, including several dark panel wood booths that looked more like a law office library room than a trade show expo stand. Like the info security world, 85-90% of the attendees were men, but the average age at ASIS felt 10-15 years older than RSA, by comparison (I did not quantify that!)

Barbed wireThe biggest difference between ASIS and RSA/Blackhat, etc., were the vendors. Very, very little overlap existed between those at ASIS and the information security conferences I’ve attended recently, and I’ve spoken at and attended a bunch. The big names were 3M, Ingersoll Rand, Honeywell, and not RSA, Symantec, IBM and the usual suspects from the infosec product and service world.

 

Having said that, there were some very cool things I saw at ASIS that I would never see at a mainstream information security conference. Barbed wire, for example. Seeing a barbed wire display actually jolted me into full awareness that I was not at an infosec conference. The company selling remote-controlled helicopters for SWAT surveillance tickling the geeky side of me. Seeing the fully-Kevlared out SWAT booth worker could not have been cooler too. And who could knock the executive security folks and their booth video showing how they whisk high-profile executives out of harm’s way. I want that.

HelicoptersMy head was totally on a swivel as I walked through the acres of trade show booths. I guess it makes sense, but there were a ton of security badge vendors hawking their wares too. Not proximity badge guys, just the guys that actually manufacture the plastic badges and lanyards.  

We get pretty wrapped up in the infosec and appsec world, so ASIS was a good reminder that the physical security world is a robust industry that is as highly valued, if not more valued, than our own. There appeared to be some heavyweight buyers on the tradeshow floor, if the elaborate booths were any indication.

I’d like to see more events where the two worlds converge, but candidly, after ASIS it struck me how far they are in fact apart. Different people, different vendors, and different concerns. I know physical security guys will jump all over this, but my vote is that convergence is still more an aspiration than a reality, at least as evidenced by ASIS 2011.

Contact us for more information about software security at your organization.

 --John

john_at_denimgroup_dot_com

@johnbdickson

October 21, 2011 in Conferences | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , ,

October 13, 2011

Software Security: Is OK Good Enough?

By John B. Dickson, CISSP

I gave a presentation at OWASP AppSec USA in Minneapolis about how we fundamentally think about software security. In “Software Security: Is OK Good Enough?” I show how other industries justify safety. In the food business, restaurants have to adhere to health codes, to keep their employees and consumers safe. In that same way, security is a measure of software safety. And yet, security isn’t always valued in the software world. My presentation outlines why security is important, how other industries justify safety measures, and what we can do to justify security.

Slides from my presentation at OWASP AppSec USA are online here:

Contact us for more information about software security at your organization.

 --John

john_at_denimgroup_dot_com

@johnbdickson

October 13, 2011 in Security | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

October 05, 2011

Slides from Rochester Security Summit Keynote Online: The Need For Open Software Security Standards In A Mobile And Cloudy World

By Dan Cornell

Slides from my keynote at the Rochester Security Summit are now online here:

The Need For Open Software Security Standards In A Mobile And Cloudy World

View more presentations from Denim Group

 

The title of the talk was “The Need For Open Software Security Standards In A Mobile And Cloudy World” and the abstract was:

The security landscape is changing and the security industry must adapt to stay relevant.  The economic and scale benefits of the cloud are causing organizations to move sensitive business processes and data outside of the safety of the corporate environment.  New business models and other opportunities to create value through innovation are moving sensitive data and code onto untrusted mobile devices.  Organizations are going to adopt these new cloud and mobile technologies and information security practitioners will be forced to evolve current models for risk management and mitigation.  This presentation discusses the need for open software security standards to support this evolution.  Being required to trust cloud service providers leads to a need for increased visibility into the software security practices of those providers.  In addition, reliance on these providers’ software as well as the requirement to place software in untrusted environments such as mobile devices creates a demand for better standards for evaluating the security state of complicated systems.  Many previous efforts have been focused on proprietary models that failed to provide sufficient insight or on models that lacked a level of technical rigor required to provide assurance.  The solutions to these issues are open standards that are based on the real risks organizations encounter when adopting cloud and mobile technologies and the presentation outlines potential paths forward that can provide risk managers with the assurances they need while also freeing up businesses to intelligently consume emerging technologies.

I had a great time at the conference and really appreciate the hospitality of the Rochester crew.

Contact us for help crafting your software assurance program.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

October 05, 2011 in Conferences, Mobile | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , ,