LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad
Subscribe to this blog's feed

Recent Posts

Categories

Archives

Add me to your TypePad People list


Programming Blogs - Blog Catalog Blog Directory

Denim Group

March 10, 2013

Denim Group at BSides Austin 2013: Building Secure Mobile Apps and Software Security Implementation Patterns

By Dan Cornell

 

BSides Texas Logo w color hat
I will be up at BSides Austin 2013 in a couple of weeks. Thursday March 21st I will be giving a short training class from 4:00pm through 6:00pm titled "Developing Secure Mobile Applications." The brief abstract is:

This course provides an introduction to security for mobile applications. It walks through a basic threat model for a mobile application. This threat model is then used as a framework for making good decisions about designing and building applications as well as for testing the security of existing applications. Examples are provided for both iOS (iPhone and iPad) and Android platforms and sample code is provided to demonstrate mobile security assessment techniques.

We've only got two hours so I can't teach you everything about building and testing secure mobile apps (assuming I even knew everything about the subject...) but I can help make you smarter. Should be a good time.

Also on Friday March 22nd from 1:00pm to 2:00pm I will be giving a talk titled "Implementation Patterns for Software Security Programs" The abstract for this talk is:

Every organization’s software security program implementation is different, but patterns exist providing guidance to those looking to plan for their program rollouts. This presentation covers several aspects of this process including the “ownership” of the software security program as well as implementation of static code analysis, dynamic application testing and developer security education.

This should be a fun one because we talk through war stories of things we've seen be successful as well as things we've seen go horribly wrong.

Contact us if you want to meet up at BSides Austin 2013. The last time I checked there were still tickets available.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 10, 2013 in Application Security Remediation, Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Mobile, Remediation, Scanners, Security, Software Security Remediation, Speaking Events, Static Analysis, Threat Modeling, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

February 20, 2013

Security Snafu on ThreadFix: Don't Code Your Own Vulnerability Management System

By Dan Cornell

Security_snafu
Recently Securty Snafu took a look at ThreadFix and posted some thoughts. First I wanted to thank them for taking a look - we're always thrilled to have folks work witih ThreadFix and provide feedback. Also I wanted to emphasize a couple of things they mentioned:

  • If You're Thinking About Rolling Your Own Application Vulnerability Management System: Don't - This is something we've encountered over and over again as we've talked to different organizations in the course of developing ThreadFix. We have found so many home-grown, in-house vulnerabilty management solutions. What we typically see in these cases is that something got built to solve a specific need and then the project ballooned, resulting in a whole bunch of code that no one wants to maintain. We think ThreadFix is a great alternative in cases like this because it provides all the basics of importing and consolidating vulnerability results, is under active development and is freely available under the Mozilla Public License (MPL). Commercial support is available for organizations who are interested so they don't have to rely on tracking down internal resources that have probably moved on to other initiatives. This provides a much better base for most vulnerability management programs than a bunch of unmaintainable in-house code. And if you need special functionality, you can fork ThreadFix and build your in-house solution on it as a base (or have us do it for you). But before you do that, be sure to understand that...
  • ThreadFix's API Makes It Possible To Integrate It With Your Processes - Every organization handles vulnerability management a little different and some handle it very differently. With ThreadFix we've tried to implement the basic workflows that we see over and over again and we've provided a REST-based API that can be used to drive ThreadFix's behavior and to integrate it with the wide variety of tools and processes that interact with organizations' vulnerability management initiatives. Josh Sokol and I talked about this in our presentation "The Magic of Symbiotic Security" (take a look at the bottom of this post if you want to watch a video of this presentation) In addition to the REST API we also provide a command-line tool to simplify these integrations. With the combination of these facilities, it should be possible to integrate ThreadFix into your continuous integration builds, GRC system and so on.

Again - thanks to Security Snafu for taking a look at ThreadFix. We hope that having a resource like ThreadFix available will make organizations think twice before rolling their own vulnerability management solution. It covers the basics, can be extended and modified and it is free. With commercial support available what is not to like?

Contact us for help building your vulnerability management program with ThreadFix.

--Dan

dan _at_ denimgroup.com

@danielcornell

February 20, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, OWASP, Remediation, Scanners, Security, Software Security Remediation, Static Analysis, ThreadFix Application Vulnerability Management, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

February 19, 2013

Smart Phones Dumb Apps Scripts Updated

By Dan Cornell

Mobile_phone

Last week I pushed some updates to the mobile application assessment scripts we released with my Smart Phones Dumb Apps presentation a while back. These scripts do some light static analysis on Android and (unencrypted) iOS binaries - mainly setting up a list of things to manually examine during a more thorough analysis. Most of these updates are courtesy of Abraham Aranguren ([name] . [surname] @owasp.org, @7a_ on Twitter) who updated a couple of packaged external tools those scripts relied on such as FindBugs and dex2jar (thanks!). You can also check out a great blog post Abraham put up listing a number of really valuable Android application security resources.

Mobile application security continues to be an area organizations struggle with. Everyone feels huge schedule pressures to get new applications and new functionality released. Developers dive into development projects without understanding how to design and build secure mobile applications. The result is pretty predictable - vulnerable mobile apps and, even scarier in most cases, vulnerable web services supporting those mobile apps.

Keep an eye on this space - at Denim Group we've been doing a lot of work both assessing the security of mobile applications as well as helping firms design and build secure mobile apps. In the next couple of months we're looking at making more of what we've been doing publicly available and hopefully organizations will be able to use that to step up their mobile security skills.

Contact us for help building secure mobile applications and setting up security assessment program for your organization's mobile strategy.

--Dan

dan _at_ denimgroup.com

@danielcornell

February 19, 2013 in Application Security Tools, Dan Cornell, Denim Group, Information Security, iPhone, Mobile, Open Source, OWASP, Scanners, Security, Static Analysis, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

February 18, 2013

ThreadFix 1.1 RC2 Now Available

By Dan Cornell

ThreadFix_72
Many thanks to everyone who helped us put the ThreadFix 1.1 RC1 through its paces. We've received your feedback, fixed a bunch of bugs and built out a couple of requested feature updates resulting in 1.1RC2. You can get it from the ThreadFix downloads site.

What's new in 1.1RC2? First take a look at what we released with 1.1 RC1. In addition to that we have a couple of things including:

You can see the full list of features and defects addressed during the 1.1 development cycle in the issue tracker. We've posted information on the ThreadFix wiki about how to upgrade your ThreadFix 1.0.1 install to 1.1 and would love to hear any feedback from people going through that process. So take a look and please post any thoughts or bugs either on the ThreadFix issue tracker or join the ThreadFix Google Group and let us know there.

Contact us for help managing your software security program with ThreadFix.

--Dan

dan _at_ denimgroup.com

@danielcornell

February 18, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, OWASP, Remediation, Scanners, Security, Software Security Remediation, Static Analysis, ThreadFix Application Vulnerability Management, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

January 30, 2013

OWASP Phoenix: Using ThreadFix to Manage Application Vulnerabilities

By Dan Cornell

Owasplogo

I'll be in Phoenix next week on Tuesday February 5th, 2013 speaking to the Phoenix OWASP chapter about ThreadFix.

Title: Using ThreadFix to Manage Application Vulnerabilities

Abstract:

ThreadFix is an open source software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. It imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. The system allows organizations to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. This presentation will walk through the major functionality in ThreadFix and describe several common use cases such as merging the results of multiple open source and commercial scanning tools and services. It will also demonstrate how ThreadFix can be used to track the results of scanning over time and gauge the effectiveness of different scanning techniques and technologies. Finally it will provide examples of how tracking assurance activities across an organization’s application portfolio can help the organization optimize remediation activities to best address risks associated with vulnerable software.

The meeting will be held from 6:30 - 7:30pm at the University of Advancing Technology 2625 W. BASELINE RD. TEMPE, AZ 85283-1056. For more information, check out the main OWASP Phoenix site.

Contact us for help running your software security program on ThreadFix.

--Dan

dan _at_ denimgroup.com

@danielcornell

January 30, 2013 in Application Security Remediation, Application Security Tools, Blogs, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, OWASP, Pro Services Life, Remediation, Scanners, Security, Software Security Remediation, Speaking Events, Static Analysis, ThreadFix Application Vulnerability Management, Watchfire, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

January 29, 2013

ThreadFix 1.1 Release Candidate Now Available

By Dan Cornell

ThreadFix_72
We've been hard at work on ThreadFix since the 1.0 release in October and we're just about ready to push out an updated 1.1 release. This week we've made a 1.1 release candidate available for folks to take a look at and review. You can get it from the ThreadFix downloads site.

What's new in 1.1? Lots of stuff including:

  • Support for NTObjectives NTO Spider scans (#162)
  • Support for Microsoft Team Foundation Server (TFS) bug trackers (#117)
  • Adding user comments for vulnerabilities (#55)
  • Editing of manually-entered vulnerabilities (#160)
  • "Filter by CWE" for vunerabilities(#163)
  • Updated security model to allow for fine-grained user permissions (#56) (this has been a huge priority for the larger enterprises deploying ThreadFix)
  • Updated Snort rule generation (#113)
  • Updated license from MPL 1.1 to MPL 2.0 (#181)
  • Various updates and bug fixes and enhancements (#159, #168, #176, #196)

You can see the full list of features and defects addressed during the 1.1 development cycle in the issue tracker. We've posted information on the ThreadFix wiki about how to upgrade your ThreadFix 1.0.1 install to 1.1 and would love to hear any feedback from people going through that process. So take a look and please post any thoughts or bugs either on the ThreadFix issue tracker or join the ThreadFix Google Group and let us know there.

Contact us for help managing your software security program with ThreadFix.

--Dan

dan _at_ denimgroup.com

@danielcornell

January 29, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Java, Open Source, OWASP, Remediation, Scanners, Security, Software Security Remediation, Static Analysis, ThreadFix Application Vulnerability Management, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

August 19, 2009

Denim Group and Fortify Press Release

By Dan Cornell

We released a press release today about our use of Fortify's tools on our software development projects.  John has a video describing the release here:

Press release is here.
Business Journal coverage is here.

--Dan
dan _at_ denimgroup.com
@danielcornell

August 19, 2009 in Application Security Tools, Dan Cornell, Denim Group, Fortify, Information Security, John Dickson, Pro Services Life, Security, Static Analysis, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

August 08, 2009

Slide Decks from Last Week's OWASP Presentations Online

By Dan Cornell

IMG_0215

I wanted to thank the OWASP Washington DC and Northern Virginia chapters for their hospitality last week.  John Dickson and I had a great trip through the DC area.

The slide decks from the talks are online on the Denim Group website.  We also started something new and put them up on the Denim Group SlideShare site:


Vulnerability Management In An Application Security World
View more documents from Denim Group.

Application Assessment Techniques
View more documents from Denim Group.


--Dan
dan _at_ denimgroup.com
@danielcornell

August 08, 2009 in Application Security Tools, Dan Cornell, Denim Group, Information Security, OWASP, Security, Speaking Events, Static Analysis, Threat Modeling, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

July 29, 2009

Upcoming Virginia OWASP Talk: Conducting Application Assessments

By Dan Cornell

I will be presenting to the Virginia OWASP chapter on Thursday August 6th at 6pm.  The location is 13200 Woodland Park Road in Herndon, VA.  For more info check here.  The presentation abstract is:

This talk will review a number of application assessment techniques and discuss the types of security vulnerabilities they are best suited to identify as well as how the different approaches can be used in combination to produce more thorough and insightful results. Code review will be compared to penetration testing and the capabilities of automated tools will be compared to manual techniques. In addition, the role of threat modeling and architecture analysis will be examined. The goal is to illuminate assessment techniques that go beyond commodity point-and-click approaches to web application or code scanning.


The talk will be followed by a panel discussion, which should be a good one.  As always, OWASP meetings are free and open to all.  Hope to see folks there.

--Dan
dan _at_ denimgroup.com
@danielcornell

July 29, 2009 in Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, OWASP, Security, Speaking Events, Static Analysis, Threat Modeling, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

July 28, 2009

Denim Group and WhiteHat Team Up

By Dan Cornell

We're thrilled to announce that Denim Group and WhiteHat Security have teamed up.  Denim Group will be offering WhiteHat's Sentinel web application assessment services and WhiteHat customers can work with Denim Group to integrate Sentinel into their processes and technologies as well as work with Denim Group to help remediate web application vulnerabilities.

Press release is online here.

Here is a video describing the release:


--Dan
@danielcornell

July 28, 2009 in Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, John Dickson, Security, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

« Previous | Next »