We've got another beta build of ThreadFix (beta22) available for download - both the demo ZIP version and the VM appliance. Updates in this release include:
More error checking to avoid accepting bad scans
Scheduled updates to bug tracker defect statuses as well as scheduled times to pull down new results from SaaS providers (WhiteHat, Veracode, and Qualys)
Major updates to the Snort virtual patches to improve performance
Support for Qualys in the EU region
Updates to the Burp importer to handle more vulnerability types
Upgrades to Tomcat 7 and Servlet 3.0
We're really thrilled with all the feedback we've been receiving - please keep it coming. I'm especially interested in folks exercising the scan importers for various technologies. We have a limited set of test data we use to create and debug the importers so having folks test them with their output files helps us clean up any rough edges which is really valuable.
Have a great Labor Day weekend and if you have some free time run ThreadFix through its paces and let us know what you think.
It’s been a busy few weeks around here, and Denim Group has been quoted in a few articles recently.
Over at TechTarget, Dan Cornell is participating in the Ask the Expert series, answering questions about security. A recent question dealt with migrating applications or hardware to the cloud. Check out “Migrating legacy applications to a cloud environment” (registration required) to learn what to consider before moving to cloud servers.
And also on TechTarget Dan is talking about mobile application security, and how it’s connected to web services and the cloud.
Organizations are more concerned about application security than ever and have a growing awareness of security concerns. SearchSoftwareQuality.com’s newest expert, Dan Cornell, principal of software consulting company Denim Group, discusses mobile security, what organizations can do to build security requirements into software and security challenges in cloud ALM. He views the most serious concerns with mobile software security as falling into two major areas: 1) how organizations expose their users to risk, and 2) how applications expose the companies themselves to risk.
John Dickson gave his two cents about San Antonio as a cybersecurity hub in Global Corporate Xpansion magazine.
“There's a critical mass of companies and talent here that realistically make it the No. 2 cybersecurity node outside of the D.C. area — certainly on the services side,” says John Dickson, principal, Denim Group Ltd. “We've got the strong foundation of a good business climate and a very reasonable cost of living, but what's interesting is how in the last few years we've stepped up information sharing that didn't used to happen. Today this cross-pollination between the local commercial sector, UTSA and the military is having a big impact, especially on our workforce. We suspect there will be even more companies that will want to relocate or organically grow here.”
John also recently gave a cool webinar on BrightTALK on better logging for security.
Security professionals have years of experience logging and tracking network security events to identify unauthorized or malicious activity on a corporate network. Unfortunately, many of today's attacks are focused on the application layer, where the fidelity of logging for security events is less robust. Most application logs are typically used to see errors and failures and the internal state of the system, not events that might be interesting from a security perspective. Security practitioners are concerned with understanding patterns of user behavior and, in the event of an attack, being able to see an entire user’s session. How are application events different from network events? What type of information should security practitioners ensure software developers log for event analysis? What are the types of technologies that enable application-level logging and analysis? In this presentation, John Dickson will discuss what should be present in application logs to help understand threats and attacks, and better guard against them.
Much-improved Fortify support that can deal with arbitrarily large files. (We had a bit of a boneheaded bug before that copied the entire contents of the file into a byte array which pretty much negates any scalability benefits of using XML SAX parsing. Fixed now!)
An updated front-end UI that can deal with many more results. This has been tested with around 100k vulnerabilities for a single application; hopefully your apps aren't on the high side of that number...
The first round-trip-tested version of our Imperva virtual patching. There will probably still be some updates, but at least what we are generating right now has been through the full scan/generate rules/install rules/re-scan sequence.
Overhauled JIRA bug tracker integration using their recommended REST API.
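The Fortify importer bug described above is a general pattern: reading a whole upload into memory before handing it to a streaming parser throws away the memory bound that SAX exists to provide. This added example (not ThreadFix code) uses a constructed, simplified scan XML to contrast the buffered approach with incremental SAX feeding; it also disables external entity resolution, a hardening that any importer accepting untrusted scan files should apply.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed, simplified scan report; not real Fortify output.
SAMPLE_XML = b"""<?xml version="1.0"?>
<Scan>
  <Vulnerability severity="High"><Type>SQL Injection</Type><File>Login.java</File></Vulnerability>
  <Vulnerability severity="Low"><Type>Dead Code</Type><File>Util.java</File></Vulnerability>
  <Vulnerability severity="High"><Type>XSS</Type><File>View.jsp</File></Vulnerability>
</Scan>
"""

class VulnCounter(ContentHandler):
    """Keeps only per-severity counts in memory, never the whole document."""
    def __init__(self):
        super().__init__()
        self.by_severity = {}
        self.current = None   # finding currently being parsed
        self.in_type = False
    def startElement(self, name, attrs):
        if name == "Vulnerability":
            self.current = {"severity": attrs.get("severity", "Unknown"), "type": ""}
        elif name == "Type" and self.current is not None:
            self.in_type = True
    def characters(self, content):
        if self.in_type:              # text may arrive split across feed() chunks
            self.current["type"] += content
    def endElement(self, name):
        if name == "Type":
            self.in_type = False
        elif name == "Vulnerability" and self.current is not None:
            sev = self.current["severity"]
            self.by_severity[sev] = self.by_severity.get(sev, 0) + 1
            self.current = None

def count_buffered(stream):
    """The bug pattern: peak memory equals the upload size before parsing starts."""
    data = stream.read()
    handler = VulnCounter()
    xml.sax.parseString(data, handler)
    return handler.by_severity

def count_streaming(stream, chunk_size=4096):
    """Feed the parser incrementally so memory stays bounded by chunk_size."""
    handler = VulnCounter()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)   # no external entity fetches
    parser.setContentHandler(handler)
    while chunk := stream.read(chunk_size):
        parser.feed(chunk)
    parser.close()
    return handler.by_severity
```

Both functions return the same counts; only the streaming version keeps memory independent of report size, which is what a multi-hundred-megabyte scan upload requires.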
We also now have a pre-installed VM appliance that will be more suitable for production use than the beta builds we've been delivering as ZIP files with pre-configured Tomcat/HSQL. The VM is Linux-based and has pre-installed and pre-configured Apache/Tomcat/mod_jk/MySQL so you should just be able to give it some memory, assign it some disk space and be off to the races with a durable ThreadFix installation. To do this we used a combination of various DevOps tools - Fabric, Chef and Vagrant. We will be putting up a blog post (next week?). Check out this page for more information on downloading and spinning up the ThreadFix VM appliance. The current version is a starting point - we'll be pushing some updates out here pretty quickly.
I just got back from a week in Las Vegas where we demonstrated ThreadFix at the BlackHat Arsenal and I gave a talk with Josh Sokol at BSidesLV on Symbiotic Security using ThreadFix as an example of how security tools can be made to work together. Check out this blog post for a recap of last week in Vegas showing off ThreadFix. Also the ToolsWatch folks put up a post about this as well.
I've been reaching out individually to our beta testers to upgrade to these more mature, updated builds. I'm also always thrilled to hear from new users, so please fire these builds up and send along any thoughts or comments. You can report bugs to the Google Code issue tracker or you can email me directly (dan _at_ denimgroup dot com).
Contact us to talk about running your software assurance program on ThreadFix.
--Dan
dan _at_ denimgroup.com
@danielcornell
Once again, the impossible has been made possible in the security industry. Congratulations to General Manager Trey Ford, Founder Jeff Moss, and the entire organizing crew for Black Hat 2012 who made this year’s event another hard act to follow. Instead of filling out the bubble chart feedback form, I opted to provide feedback on this year’s event in narrative format, providing several pointers that might make future Black Hat conferences more memorable.
1. Standardize all attendees' dress to be a black T-shirt and jeans - To quote Dan Cornell (who has probably quoted someone else), the jeans-black T-shirt combo is the “little black dress” for gents. It works, it’s easy, and it’s modestly stylish. Plus, it would help the deeply out-of-place attendees who wore suits or pleated pants from Jos A. Bank. By way of comparison, wearing a kilt to Black Hat is an earned privilege. I would suggest you only get to wear a kilt if you’ve been to five or more Black Hat conferences, have facial hair, and are actually not from Scotland.
2. Give out Volksmarch pins for the 10k of walking within Caesars - The Germans have perfected the walk in the countryside – the Volksmarch, or “people’s march.” Upon completion of a long march, typically participants receive a keepsake medal. Black Hat should do the same, given the grueling kilometers participants have to hike to navigate the bowels of the Caesars Conference Center.
To get the ball rolling, we’d like to propose the following mock up.
3. Install foot massage stations - See #2 above for business justification.
4. Install water stations - They have them at 10ks, so why not at Caesars? We’d all be better hydrated and more alert. The fatigue (and hangover) factor on days 2 and 3 would be less painful too.
5. Declare a Moratorium on Sun Tzu quotes - During the Black Hat Executive Briefings, Josh Corman (@joshcorman) lamented that speakers at Black Hat would once again over-quote Sun Tzu. Josh’s “No Sun Tzu Quotes Bro” request was quickly followed by Wednesday’s keynote speaker leading with a Sun Tzu quote. Can I recommend, instead, a wholesale shift to quoting Carl Philipp Gottfried von Clausewitz, the 18th century Prussian soldier and military strategist whom military guys will recognize as equally over-quoted in the uninformed ranks? He has some great gems that security folks would love to shoehorn into presentations:
War's climate of danger, exertion, uncertainty, and chance also demands other intellectual qualities.
The defensive form of war is not a simple shield, but a shield made up of well-directed blows.
Theory becomes infinitely more difficult as soon as it touches the realm of moral values.
6. Recruit Japanese subway guys – For the more popular sessions and the attendee lunches, fly a few of the white-gloved guys in from Tokyo to encourage maximum use of the Caesars Palace Conference Center Floor.
This solution is great because the maze that is the Caesars Palace Conference floor is just as confusing as the Tokyo subway system.
7. More conference training schedules that look like UNIX log files – No explanation needed.
8. Trade escalators for slides - After each session and before lunch, invariably the hungry masses head downstairs to lunch, packing the escalators and jamming the hallways. Perhaps we can draw inspiration from hosting giant Rackspace, and develop a more efficient way to transport attendees down to the lunch floor via slides:
9. Cap the number of after-hour vendor parties to roughly the same number of Summer Olympics events - For those curious, the best number I can find is 300 events. Surely we don’t need more than 300 parties in less than a week, right?
Suggestions considered but not included:
Binoculars for the outside viewing pavilions over the Caesars pool.
Light sabers or ninja swords for all attendees, not just the lucky few.
Let anyone in for free if they have a real Mohawk.
Put BSides in the Casino Royale, DefCon at the Bellagio, and install zip lines between the hotels so attendees can more efficiently transit from one security show to the other.
Hopefully everyone is recovering from their week in Las Vegas for BlackHat, BSidesLV and DefCon. I had a great time out there, although this year I might have been Patient 0 for the ConFlu so I had to take it easy from Wednesday on. Probably for the best.
I had a blast presenting with Josh Sokol at BSidesLV 2012 on his new concept of "Symbiotic Security" looking at ways security tools should be able to communicate with one another. You can see our slides online here:
We had some really good questions about the wisdom of automating virtual patching and other security system interactions. The point we were trying to make was less about promoting specific interactions between tools and systems, but rather having the open communication capabilities that make those sort of interactions possible. (Josh and I will also be giving an updated version of the talk at HouSecCon on October 11th, 2012.)
The BSidesLV guys are lightning-fast getting videos online, so you can also see Josh's and my actual presentation on YouTube here:
We were also fortunate enough to be able to showcase ThreadFix at the BlackHat Arsenal. This was really valuable as it gave us the opportunity to talk to a lot of folks who had been beta testing ThreadFix to get their feedback. We also got to meet a lot of new folks to talk about how ThreadFix might be valuable in their environments. Many thanks to the BlackHat and Netpeas folks for the opportunity to participate.