Denim Group, Ltd. Blog

Technorati Tags: application security, application security remediation, appsec, dan cornell, denim group, pdf reports, remediation management, software defects, threadfix, vulnerability management, vulnerability reports

February 27, 2012 in Application Security Remediation, ThreadFix Application Vulnerability Management | Permalink | Comments (0) | TrackBack (0)

February 25, 2012

RSA Buzzword Bingo!

Next week we’re going to have a bunch of our folks at the RSA security conference. I’ll be giving a talk on what it costs to fix software security vulnerabilities as well as leading a Peer2Peer session on why organizations decide not to fix vulnerabilities. John Dickson will be leading a Peer2Peer session on running software security programs on a budget. If you’re going to be around please drop by the booth or come by a session.

We were just going to hand these out at the conference, but given the enthusiasm from folks yesterday on Twitter we figured we’d let people print out their own if they’d like. So by popular demand we bring you… RSA 2012 Buzzword Bingo cards!

We have two editions:

RSA Buzzword Bingo Denim Group Edition

You can also print out copies for your friends:

RSA Buzzword Bingo ThreadStrong Edition

You can also print out copies for your friends:

Obviously this is all meant in good fun. But just for giggles play a round or two at a talk or a keynote and see how well you do. Drop by the booth or a session and let us know how you did.

--Dan

dan _at_ denimgroup.com

February 25, 2012 in Conferences, Games | Permalink | Comments (1) | TrackBack (0)

Technorati Tags: conferences, dan cornell, denim group, rsa bingo, rsa conference, rsac2012, security buzzwords

February 23, 2012

ThreadFix Thursday: Updated Beta, Blog and Newsletter Mentions, RSA Next Week

Yet another fun two weeks here in ThreadFix-land. We’ve been having a lot of great conversations with beta testers. Here are a couple of things that have come up since our most recent status update post:

An updated beta build (beta5) has been pushed out to Google Code for download.
We continue to receive bug reports and feature requests, which is fantastic. Please feel free to log things like this in the Google Code issue tracker.
ThreadFix was mentioned in the OWASP Web Application Virtual Patching Survey. If you are interested in virtual patching please take a look and fill it out.
I posted some information about how we are hoping ThreadFix promotes/accelerates the creation and adoption of open standards for software vulnerability data.
Mark Curphey mentioned ThreadFix in a couple editions of his Software Security Weekly newsletter (#1, #2)
Eoin Keary of BCC Risk Advisory mentioned ThreadFix in a recent blog post about Enterprise Security Intelligence.

Also we’ll be at RSA next week. Stop by the booth to say hello and get a ThreadFix demo or reach out and we can set up a time to meet in person.

--Dan

dan _at_ denimgroup.com

Technorati Tags: application security vulnerability management, dan cornell, denim group, threadfix, vulnerability management

February 23, 2012 in Application Security Remediation, ThreadFix Application Vulnerability Management | Permalink | Comments (0) | TrackBack (0)

February 20, 2012

RSA 2012: Where to Find Denim Group

We're heading to RSA 2012 in San Francisco next week, as are many of you, I imagine. The Moscone Center will be teeming with thousands of security professionals. It'll be tricky to find us amidst the fray, but here are the places where we'll definitely be:

On the tradeshow floor - We're partnering with Veracode in their booth, #1853. If you're at RSA and are interested in talking about ThreadFix, drop by the booth.
At presentations -I'm giving a presentation on Thursday, March 1 at 9:30 a.m. Remediation Statistics: What Does Fixing Application Vulnerabilities Cost? is interesting because I take actual data from remediation projects to help match costs to vulnerabilities.
At Peer2Peer sessions - I'll be leading a Peer2Peer session, which is a small group discussion. Why Aren't We Fixing Vulnerabilities? is a great forum for talking about the barriers to remediation projects, and will be on Wednesday, February 29 at 3:20 p.m. John Dickson is leading Software Security on a Budget on Thursday, March 1 at 8 a.m.

Of course, we'll be attending sessions, hanging out by the elevators, and competing for open outlets all over the Moscone Center. If you'll be at RSA and want to chat, drop us a line and let us know.

--Dan

dan _at_ denimgroup.com

Technorati Tags: application security, application security conference, application vulnerability management, dan cornell, john dickson, moscone center, rsa 2012, rsa security conference 2012, san francisco, sheridan chambers

February 20, 2012 in Conferences | Permalink | Comments (1) | TrackBack (0)

February 13, 2012

New Webinar: Key Security Questions to Ask Before Building a Mobile Application

Next week, John B. Dickson, Denim Group Principal, is giving a great webinar on things you should think about before you or your organization builds a mobile application. Although there's more awareness these days about mobile security, there's more that can be done. The webinar is on Thursday, February 23 at 1pm CST. See below for details and registration info.

Key Security Questions to Ask Before Building a Mobile Application with John B. Dickson, CISSP
Thursday, February 23
1 p.m. CST
Register now

The demand for mobile applications is breathtaking, but the number of experienced mobile developers who understand secure development is incredibly small. Many organizations are relying on internal resources to build mobile applications, and as a result, executives and security leaders are overlooking some key considerations when building a mobile application. In this webinar, John Dickson, CISSP, will discuss they key questions all organizations should ask before building a mobile application, from responsibility for security to data breach processes. Find out what you need to consider, internally and externally, before launching a mobile application.

--Dan

dan _at_ denimgroup.com

February 13, 2012 in John Dickson, Mobile | Permalink | Comments (1) | TrackBack (0)

Technorati Tags: denim group, john b. dickson, john dickson, mobile application security, mobile applications, security webinar, webinar

Software Vulnerability Data: We Need Interoperability

One of the reasons we created ThreadFix was that we worked with a lot of organizations that were struggling to manage software vulnerability data from an ever-expanding set of sources:

Web application scanners
Static code scanners
Network scanners
SaaS providers
Manual penetration tests
Threat models
And so on…

Also we found that different groups were adopting different tools and services so there was vulnerability data coming from different parts of organizations:

Security teams
Development teams
Internal IT audit teams
External auditors
And so on…

The net result is that there is a lot of data on software vulnerabilities floating around the organization, but no one has a consolidated view. Vulnerabilities are found by multiple sources and then reported and re-reported to development teams, giving them an excuse to ignore these reports because security is “wasting their time” Lots of one-off Excel spreadsheets get created and lots of swear words get used. Pretty standard situation, but, as an industry, I think we can do better.

Fortunately there are some movements in a positive direction:

Obviously, as mentioned above, we hope that ThreadFix is a tool organizations will find valuable for addressing these issues. We’re starting to publish information about the different static and dynamic scanners we support as well as the SaaS services (WhiteHat and Veracode) we can import data from. Also we’ve published our internal data model and how we do merging and consolidation. Like what we’ve done? Don’t like what we’ve done? Let us know!

A while back we published a proposed draft for a Simple Software Vulnerability Language (SSVL). This reflects a lot of the work we had done on ThreadFix and proposes a standard way for static scanners, dynamic scanners and manual test results be communicated in an XML format. It ties everything back to the MITRE CWE. Everyone should be able to view that document – if anyone would like write access to provide comments and updates just email me (dan at denimgroup dot com) with your Google ID and I can set you up.

The MITRE folks have SAFES (Software Assurance Findings Expression Schema) but there isn’t a lot of public information out there yet.
The HoneyApps/Risk I/O folks have a SaaS application that also tackles some of these issues.
OWASP has the OWASP Data Exchange Format project run by Psiinon. This is an even more ambitious project than what has been discussed here because they are looking at communicating information above and beyond vulnerability data including sessions, request/response pairs, web application layout, etc. Check out their Google Code site for more information. We’re hoping we can fold some of the lessons we’ve learned building ThreadFix into their vulnerability data format.

The practice of software security is growing up. Given so many high-profile breaches as well as increasing pressure from their customers I find we spend far less time trying to convince security managers that they need to be concerned about application-level vulnerabilities. Instead, our conversations have shifted to treating these issues in a structured and strategic manner rather than an ad hoc and tactical manner. An important step in making this possible – let alone manageable – will be the creation and adoption of standards.

--Dan

dan _at_ denimgroup.com

Technorati Tags: application security vulnerability, application security vulnerability remediation, dan cornell, denim group, software vulnerabilities, software vulnerability data, threadfix

February 13, 2012 in Application Security Remediation, ThreadFix Application Vulnerability Management | Permalink | Comments (0) | TrackBack (0)

February 09, 2012

ThreadFix Thursday: Updated beta, bug report, RESTful API

As we said in our original ThreadFix beta release announcement, we are looking to provide updated builds on a regular basis as we finish up some features and address defects and feature requests. For the next couple of weeks we will try to provide weekly builds every Thursday (ThreadFix Thursdays!) so keep an eye out. Notes on ThreadFix progress since last week:

Updated beta build (build4) pushed live yesterday. It can be downloaded from the ThreadFix Google Code site.
Got our first big write-up of ThreadFix in an article on Network World.
Our first defect submitted from an outside reviewer. (We have also received bugs from Tasos Laskos of the Arachni web application scanner project as well as some of our other private beta testers) We love feedback so please submit any bugs or features requests at the Google Code tracker.
Pushed code up for an initial version of the REST web services. We had previously been using some SOAP-based services to externally script ThreadFix, but we pulled those out to replace them with a RESTful API. This scripting lets us do fun things like our self-healing cloud demonstration and also makes it easy to integrate ThreadFix into other parts of your enterprise.

Thanks to all the folks who have been downloading ThreadFix and special thanks to the folks who have provided feedback. Contact us if you have questions or comments.

--Dan

dan _at_ denimgroup.com

Technorati Tags: application vulnerability management, dan cornell, denim group, threadfix, vulnerabilities

February 09, 2012 in Application Security Remediation, ThreadFix Application Vulnerability Management | Permalink | Comments (0) | TrackBack (0)

Making Security Decisions About File Storage for Android Apps

A while back I posted about some static analysis techniques for analyzing file usage in Android applications and this post looks at the same topic but from the standpoint of an application developer making decisions about file storage for their apps.

If you are building applications for Android, you should always create files with the default permissions (Context.MODE_PRIVATE) This will make it so that only your app should be able to read the file and write to the file. Other malicious applications – even if they know the file’s location – should not be able to modify it. If you have to create a file that is readable by other applications (Context.MODE_WORLD_READABLE) you should probably have a good reason and you should assume that any data stored in that file might be read by any other application installed on the device. If you have to create a file that is writable by other applications (Context.MODE_WORLD_WRITEABLE) you should have an even better reason and you should assume that malicious apps will corrupt the contents of this file. This means that any time data from this file is used it must be positively validated to make sure that any changes made to the file by other apps do not cause unexpected behavior.

PLEASE NOTE: If a device with your application falls into the hands of a malicious user, or if another application is able to execute an attack that elevates its privileges then they will still have access to the files so you should plan accordingly and never store truly sensitive information on mobile devices.It is much safer to store sensitive data server-side and retrieve it to the device only when needed.

--Dan

dan _at_ denimgroup.com

Technorati Tags: android applications, dan cornell, denim group, file storage on android, mobile application security, mobile applications

February 09, 2012 in Mobile | Permalink | Comments (1) | TrackBack (0)

February 02, 2012

New Denim Group Team Members

Adam, IT Support Specialist

Adam previously worked at Pitney Bowes for three years on their hardware and software team supporting customers and service reps, and was promoted to technical support lead while at Pitney Bowes for all of product support. He’s also worked at Indus on behalf of the Air Force supporting their domain, and at the Air Force Network at Lackland Air Force Base. Adam has a bachelor of arts in Business Administration from Eastern Washington University. In his spare time, Adam likes to be outside hiking or biking, or inside painting.

Fang, Consultant III, Application Development

Fang worked as Denim Group as an intern on the summer of 2011 and returned this year to join our staff full-time. She holds a bachelor of science in computer science from Jianxi University of Finance and Economics in Nanchang, China. She’s currently working on a master of science in computer science from the University of Texas at San Antonio.

Carla, Consultant III, Application Development

Carla joins the Denim Group team after being an intern with the company in the summer of 2011. She has also interned at Trinity University and Sierra Nevada in San Antonio. She will graduate from the University of Texas at San Antonio with a bachelor of science this year.

Patrick, Business Development Manager

Patrick joins Denim Group, bringing extensive experience in account management within the information technology industry. Prior to joining Denim Group, Patrick was a Managing Director and Principal for Peak Systems, and has also worked for Siemens Business Services, Goldman Sachs, Deutsche Bank and Martha Stewart Living.

Cyndi, e-Learning Account Manager

Cyndi comes to Denim Group with over 28 years of successful sales experience. She has sold hardware, accounting software, training, development services, click fraud protection for advertisers and physical security services. Cyndi is a graduate of the University of Texas at Austin with a Bachelor of Science in Education and a current member of ASIS. She has been married for 26 years and has two daughters – one attending St. Mary’s University School of Law and one at Texas A&M University in College Station. She can proudly say “Hook em Horns” and “Whoop!” Her favorite hobby is tennis.

February 02, 2012 | Permalink | Comments (0) | TrackBack (0)

February 01, 2012

ThreadFix 1.0 Public Beta Now Available

After more than two years in development we’re finally publicly releasing our ThreadFix open source application vulnerability management system. It is still pre-production, but it represents an almost complete rewrite from the “Technology Preview” version we released when it was still called “Vulnerability Manager.”

A more complete description of the system and its capabilities is:

ThreadFix is a software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. ThreadFix imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. The system allows companies to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. By auto generating application firewall rules, this tool allows organizations to continue remediation work uninterrupted. ThreadFix empowers managers with vulnerability trending reports that show progress over time, giving them justification for their efforts.

So what’s next? You can download ThreadFix here. The current beta is available as a pre-built Tomcat install (the final release will likely be a pre-configured virtual machine). Just unzip and run. During the beta period we will be looking to push new versions on a weekly basis. Also we have a “Getting Started” guide that runs through the major functionality as well as other documentation on the wiki to describe the different parts of the system.

There is still work to do – we need to improve the stability of the scan importers, we need to tighten up the security of parts of the system, and we need to build out the REST API. If you run into any issues using ThreadFix or if you have feature requests please use the online bug tracking system here or email me at the address listed below.

Also you can follow ThreadFix on Twitter: @threadfix

We’re tremendously excited to get this software released to a wider audience. Contact us if you are interested in learning more about using ThreadFix for application vulnerability management.

--Dan

dan _at_ denimgroup.com