LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad
Subscribe to this blog's feed

Recent Posts

Categories

Archives

Add me to your TypePad People list


Programming Blogs - Blog Catalog Blog Directory

Denim Group

June 11, 2013

Pre-LASCON Training: Running a Software Security Program with Open Source Tools

By Dan Cornell

Lascon

Everybody's excited about LASCON 2013, right? After hosting OWASP AppSecUSA 2012 the LASCON folks aren't resting on their laurels for the 2013 event. The conference proper is in Austin, TX on October 24th and 25th this year and, based on the keynotes that have alrady been announced, this should be a first-rate event. And the LASCON folks are doing something new this year by also sponsoring some training events in the months before the conference starts. I'll be doing the training class in July.

Title: Running a Software Security Program With Open Source Tools

Trainer: Dan Cornell

Dates: July 22nd and 23rd, 9:00am - 5:00pm

Cost: $195/person

Location: Norris Conference Center, Austin, TX

Abstract:

Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on exposure to a variety of freely-available tools that they can use to implement portions of these programs.

Register online here. Several spots have already been taken, so please sign up early if you're interested because this will likely fill up.

Contact us to talk more about getting the most out of the tools you're using - both open source and commercial - in your software security program.

--Dan

dan _at_ denimgroup.com

@danielcornell

June 11, 2013 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, OWASP, Remediation, Scanners, Security, Software Security Remediation, Speaking Events, Static Analysis, ThreadFix Application Vulnerability Management, Threat Modeling, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , ,

June 10, 2013

ThreadFix 1.2 RC1 Now Available

By Dan Cornell

ThreadFix_72
Last week we pushed up the binary downloads for ThreadFix 1.2RC1. Major changes include:

  • Streamlined user interface and improved user experience
  • Centralized dashboard showing trending, most vulnerable applications and recent scans and user comments
  • Improved reporting capability as well as five new reports
  • Auto-detection of scan types (no more channels!)
  • Various bugfixes and enhancements.

I'm hoping to upload some screencasts before too much longer. In the meantime, here are a couple of screenshots of ThreadFix 1.2RC1:

Threadfix_dashboard
This is the new dashboard screen you land on after logging in. From here you can see vulnerability trending over the past six months, the top 10 most vulnerable applications, recent scan uploads and recent comments applied to vulnerabilities.

Threadfix_nomorechannels
This is the new scan upload screen. You'll notice that you no longer have to tell ThreadFix what scan type you are uploading. Instead the scan type is auto-detected. No more configuring channels!

Threadfix_reporting
This is the new reporting interface. We reorganized things into different tabs (Trending, Snapshots, Comparisons) and added five new reports (6 and 12 month vulnerability trending, top 10 and 20 most vulnerable applications, top 10 most common vulnerabilities by CWE identifier).

So take a look at ThreadFix 1.2RC1 and let us know your thoughts. Here are some helpful links:

Contact us to talk about ways you can build your software security program on ThreadFix.

--Dan

dan _at_ denimgroup.com

@danielcornell

June 10, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, Remediation, Scanners, Security, Software Security Remediation, Static Analysis, ThreadFix Application Vulnerability Management, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

April 26, 2013

Webinar Recording Online: Running a Web Security Testing Program with OWASP ZAP and ThreadFix

By Dan Cornell

Simon Bennetts (@psiinon) and I did a webinar last Wednesday talking about how to set up web application testing programs witih the freely-available tools OWASP Zed Attack Proxy (ZAP) and ThreadFix. The webinar was titled "Running a Web Security Testing Program with OWASP ZAP and ThreadFix" You can see the recorded webinar here:

(fullscreen video came out remarkably sharp!)

For more infomation about the tools and techniques we discussed, check out:

I wanted to personally thank Simon for taking the time to put on this webinar with us. I'm a huge fan of ZAP and I was really excited to get the opportunity to talk with folks about how ZAP and ThreadFix can be used together.

Contact us to talk about ways you can automate parts of your web application testing program with freely-available tools.

--Dan

dan _at_ denimgroup.com

@danielcornell

April 26, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, OWASP, Remediation, Scanners, Security, Software Security Remediation, Speaking Events, ThreadFix Application Vulnerability Management, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , ,

April 09, 2013

Denim Group at SANS AppSec 2013 in Austin

By Dan Cornell

Appsec-2013

SANS AppSec 2013 will be held from April 22nd through April 27th in Austin, TX. Monday April 22nd, John Dickson will be moderating a panel titled "AppSec 2.0: Strategies for Moving the Needle on Application Security" The panel abstract is:

Thousands of applications, millions of lines of code, numerous development teams spread across the planet. You thought your application security program had it bad! The participants in this panel discussion have been tackling the issue of software security in their large corporate environments for years, helping thousands of software developers improve how they build software and helping identify software vulnerabilities before attackers do. They will discuss how they have built large-scale vulnerability scanning programs, how they interact with their respective business units and how they get executive buypin to further the case of application security. Come join this interactive session with application security industry leaders who will discuss practical approaches to securing software.

Panel participants include:

  • John Dickson, CISSP, Principal, Denim Group (Moderator)
  • Chris Haggard, Manager of eCommerce/Application Security, FedEx
  • John Heimann, Senior Director-Security Programs, Oracle
  • Jim Apple, Senior Manager, Applications, Bank of America

Tuesday I will be giving a lunchtime presentation titled "Do You Have a Scanner or a Scanning Program?" and the abstract is:

By this point, most organizations have purchased at least one code or application scanning technology to incorporate into their software security program. Unfortunately, for many organizations the scanner represents the entirety of that so-called “program” and often the scanners are not used correctly or on a consistent basis.

This presentation looks at the components of a comprehensive software security program and the role that automation plays in these programs. It also looks at common pitfalls organizations encounter when trying to deploy scanning technologies as well as ways to address these issues. Finally it walks through metrics organizations can use to keep tabs on their scanning progress so they can identify and address issues such as portfolio and scanner coverage. Demonstrations using freely available tools are provided as well as discussion of how these approaches can be applied for both commercial and free static and dynamic scanning technologies.

We are looking forward to catching up with folks at SANS AppSec in Austin. Contact us if you would like a special discount code for the event.

--Dan

dan _at_ denimgroup.com

@danielcornell

April 09, 2013 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, John Dickson, Open Source, Scanners, Security, Speaking Events, Static Analysis, ThreadFix Application Vulnerability Management, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , ,

April 08, 2013

Webinar: Running a Web Security Testing Program with OWASP ZAP and ThreadFix

By Dan Cornell

Zap128x128ThreadFix_72

Simon Bennetts (@psiinon) and I will be doing a webinar Wednesday April 24th, 2013 at 10:30am Central Daylight Time to talk about how organizations can set up a web security testing program using the freely available tools OWASP Zed Attack Proxy (ZAP) and ThreadFix.

You can register online here: Running a Web Security Testing Program with OWASP ZAP and ThreadFix

Abstract:

OWASP's Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. ThreadFix is a software vulnerability management platform that allows organizations to track the results of testing and communicate vulnerabilities to software development teams. Used together, these open source tools allow organizations to build a comprehensive program of web application security testing and vulnerability management. Security analysts can perform automated and manual testing of critical applications, track the results of their testing and report metrics on their program's effectiveness. This webinar walks through the basics of using OWASP ZAP for web application scanning and testing. It then demonstrates storing and managing these results inside of ThreadFix and communicating them to development teams for resolution. Developers and security professionals alike will benefit from seeing how these two tools used in combination can allow any organization to start taking control of the security of their web applications.

Contact us if you woud like to talk more about getting the most out of great tools like OWASP ZAP and ThreadFix.

--Dan

dan _at_ denimgroup.com

@danielcornell

April 08, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, OWASP, Remediation, Scanners, Security, Software Security Remediation, Speaking Events, ThreadFix Application Vulnerability Management, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (1) | TrackBack (0)

Technorati Tags: , , , , , , , , , ,

April 07, 2013

OWASP Dallas: Implementation Patterns for Software Security Programs

By Dan Cornell

Ologo

I will be in Dallas on May 8th to speak to the OWASP Dallas chapter. The meeting runs from 11:30am through 1:00pm and is located at Richland College, 12800 Abrams Road, Dallas, TX 75243 at Sabine Hall in room SH117.

I will be giving an updated version of my talk titled "Implementation Patterns for Software Security Programs." (See my writeup of BSides Austin 2013 for some more background) The abstract for the presentation is:

Most organizations have finally realized that the software applications they are developing and deploying exposes them to significant risks. Organizations that are serious about this issue have started rolling out software security programs to address these risks in a structured manner. The challenge for these organizations is to determine what measures to put in place and how to implement those measures to best reduce their exposure. Efforts such as BISMM, OpenSAMM and Microsoft's SDL have shown that there are a number of components of software security programs that are reasonably standard, but there are different ways of implementing tools and deploying processes so what was successful for one organization does not guarantee success in others. Matching implementation strategies to the specific capabilities, limitations, strengths and weaknesses of the organizations is critical to a successful program roll-out.

This presentation relates several example case studies for organizations rolling out different portions of their software security programs. Although every organization is different, looking across multiple program implementations allows patterns to emerge and these patterns can provide guidance to other organizations looking to organize plans for their software security programs.

Several aspects of program rollout and the associated program are covered. Firstly, the presentation provides a discussion of selecting the organizational "owner" of the software security program. Although many parts of the organization must be involved, one group must be ultimately responsible for the security state of software developed and deployed. Then the presentation looks into three specific software security activities: static code analysis, dynamic application testing and developer security education. Several implementation patterns for each of these activity rollouts are outlined along with factors organizations can use to decide if a particular approach is well suited to their needs. These patterns help to provide templates that minimize the requirement of an organization to experiment and break new, risky ground by allowing them to benefit from lessons learned from previous efforts.

The presentation is vendor-neutral and based on experiences working with several organizations creating software security programs.

I always enjoy speaking to OWASP groups and I'm thrilled to have the opportunity to come back and talk to the folks in Dallas. Looking forward to seeing everyone there!

Contact us for help building a software security program that works for your organization.

--Dan

dan _at_ denimgroup.com

@danielcornell

April 07, 2013 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, OWASP, Scanners, Security, Speaking Events, Static Analysis, ThreadStrong e-Learning, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , ,

March 26, 2013

BSides Austin Recap: Implementation Patterns for Software Security Programs

By Dan Cornell

BSides Austin 2013 was at the end of last week and one of the things I did while I was there was give a talk about different patterns we've seen as we've helped firms put together their software security programs. Slides are online:

The abstract for the talk was:

Every organization’s software security program implementation is different, but patterns exist providing guidance to those looking to plan for their program rollouts. This presentation covers several aspects of this process including the “ownership” of the software security program as well as implementation of static code analysis, dynamic application testing and developer security education.

Contact us for help building a software security program that works for your organization.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 26, 2013 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Scanners, Security, Speaking Events, Static Analysis, ThreadStrong e-Learning, Threat Modeling, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , ,

March 25, 2013

ThreadFix 1.1 Released

By Dan Cornell

ThreadFix_72
ThreadFix 1.1 (final) is now available for download! You can pick up the ZIP (demonstration) install from the Google Code downloads site or you can pick up the VM image (for production use).

There were a whole lot of new features added and bugs updated during the 1.1 development cycle. You can see a full list of the Release 1.1 changes in the Google Code issue tracker. Some highlights include:

I wanted to extend a personal thanks to the invidivuals and organizations who have helped ThreadFix get to this point by providing funding, sending feedback, submitting bugs and otherwise just being a part of the growing ThreadFix community. Hearing from ThreadFix users is thrilling, occasionally humbling and always valuable for us. Feedback is the breakfast of champions, so we really appreciate hearing the good, bad and the ugly.

Looking to keep track of ThreadFix? Here are some resources:

We also sent out a press release for the occasion and the text of that release is:

Denim Group releases Vulnerability Management Platform ThreadFix 1.1 With More Enterprise-Class Features to Meet Customer Demand

ThreadFix Aggregates Disparate Vulnerability Test Results And Delivers A Prioritized List of Software Defects To The Development Team To Secure Applications Faster & More Easily

SAN ANTONIO, TX – March 25, 2013 - Denim Group, the leading secure software development company, today announced ThreadFix 1.1, an intelligent open-source application management platform that imports test results from a variety of testing tools to present a centralized view of the security status of corporate applications throughout the organization.  ThreadFix 1.1 has been upgraded with a variety of enterprise-class capabilities, all sponsored by large organizations eager to adopt this innovative platform into their organization to speed up the securing of their customer-facing and internal applications.  

“Large organizations are seeing the value of consolidating duplicate vulnerability information generated by overlapping reports into a centralized dashboard, enabling their teams to release applications into the marketplace that are not only feature-rich but resilient and secure,” said Dan Cornell, Denim Group CTO.  “Having access to all the available information about a given vulnerability in one spot improves the communications conduit between the developers and security team to such a level that productivity is increased without sacrificing quality, and that’s a win-win for the whole industry.”

ThreadFix imports dynamic, static and manual testing results into a centralized console that removes duplicate findings across multiple testing platforms to provide a prioritized list of the security vulnerabilities for each corporate application.  These results can be quickly exported into defect trackers used by the company’s software developers, injecting these security tasks into their regular work flow.  ThreadFix also uses this vulnerability data to automatically generate web application firewall and IDS/IPS rules that ensure sensitive corporate data is protected during the application repair process. Based on alerts from these virtual patch rules, ThreadFix also tracks current attack attempts, enabling the system to provide a real-world view of the criticality of individual vulnerabilities. Finally, ThreadFix provides trending reports, enabling team members as well as management to track and improve productivity over time. 

The new version of ThreadFix is now compatible with several sophisticated tools to better fulfill the needs of enterprise-wide application development teams.  For example, in addition to the Bugzilla and JIRA bug trackers, ThreadFix’s prioritized and aggregated results can now also be exported into Microsoft Team Foundation Server, the collaboration platform at the core of Microsoft's application lifecycle management used in many enterprises.  As a result of this integration, it is much easier to work with both the developers and the security analysts as both teams continue to use tools they already know.  The integration of both the NTOSpider and IBM Security AppScan Enterprise dynamic analysis testing platforms as well as the static analysis IBM Security AppScan Source tool enables ThreadFix to now import testing results from more than 20 software security testing tools and services, making ThreadFix useable to a wider number of organizations. 

ThreadFix 1.1 also offers a tighter integration with Lightweight Directory Access Protocol (LDAP) and Microsoft Active Directory (AD) authentication protocols enabling ThreadFix to be better integrated inside of the enterprise workflow. As a result, ThreadFix users can now be included in the centralized enterprise management system provided by LDAP and AD to manage user accounts.  The corporation’s software developers and security experts that use ThreadFix across the enterprise will no longer need to manage multiple users IDs and passwords.  The integration also allows access rules to be applied based on a “need-to-know” basis to better reflect real-world team roles to further improve the organization’s overall security posture. 

ThreadFix also now allows security and development teams to add comments and context to individual vulnerability content, enabling meaningful two-way communications that enhance the quality of remediation efforts.  The individualized notes decrease team distractions while improving internal communication about the code’s content.  The result is shorter development and test cycles, once again, accelerating the application vulnerability resolution process.

With these multi-tool and multi-team capabilities, ThreadFix is setting the standard for application security management within organizations of all sizes.  Initially released in September of 2012, the open-source application has been downloaded over two thousand times and has been used to successfully reduce the time required to fix critical application software vulnerabilities. The product’s growing momentum with several Fortune 500 and government organizations demonstrates how large enterprises are embracing ThreadFix as a critical enabling platform to more effectively manage application software security programs.

Immediately available, ThreadFix 1.1 can be downloaded through the following link:  http://www.denimgroup.com/threadfix.  Denim Group also offers additional commercial support and implementation services for organizations deploying ThreadFix. To learn more, contact Denim Group at sales@denimgroup.com or (210) 572-4400.

About Denim Group

Denim Group is the leading secure software development firm. The company builds custom large-scale software development projects across multiple platforms, languages and applications. What makes Denim Group unique is that the company brings significant core competencies in software security to the table, offering an innovative blend of secure software development, testing and training capabilities that protect a company's biggest asset, its data.

Denim Group customers span an international client base of commercial and public sector organizations across the financial services, banking, insurance, healthcare and defense industries. Its depth of experience building large-scale software development systems in a secure fashion has made the company’s leaders recognized experts in their fields. Denim Group has been recognized as one of the 5,000 Fastest Growing Company’s by Inc. Magazine five years in a row, and has won multiple awards including its recent accolades as one of the best places to work in San Antonio. For more information about Denim Group visit http://www.denimgroup.com.

###

Denim Group is a registered service mark of Denim Group, Ltd. Other names and brands may be claimed as the property of others.

Contact us for help managing your software security program with ThreadFix.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 25, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, Remediation, Scanners, Security, Software Security Remediation, Static Analysis, ThreadFix Application Vulnerability Management, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , ,

March 19, 2013

Uncommon Sense Security Looks at ThreadFix

By Dan Cornell

Uncommon_sense_security

John Dickson and I had a chance to catch up with Jack Daniel from the Uncommon Sense Security blog while we were at RSA a couple of weeks ago to talk about what we've been doing with ThreadFix. Jack took the time to write up a blog post about what we talked about (thanks!) and I wanted to highlight some points he made:

  • When Jack mentions how he imagines organizations handling their application vulnerability management he uses phrases like "kludge" and "few spreadsheets tossed in" and that lines up exactly with our experience. Developers don't speak "PDF" and Microsoft Excel is a horrible tool for managing vulnerabilities but that doesn't mean organizations don't try really hard to use those tools to manage their application-level vulns. A big driver behind us creating and releasing ThreadFix was trying to get organizations to do better managing application vulnerabilities by providing them the capability to get a handle on all of the vulnerability data coming from the variety of different sources - dynamic testing, code scanning, penetration tests and threat modeling. If you can't even manage the inputs you are not going to be able to actually get the vulnerabilities resolved.
  • Jack also highlights what we think is one of the great strengths of ThreadFix which is that it can be deployed in a way that fits pretty much any organization. It is freely-available under an open source license, but also has commercial support options available. No budget for licensing? Not a problem - pull down a VM image, fire it up and post to the Google Group or the bug tracker if you have questions. Need more help or want to customize it to for your environment? Great we can help you do that too.

Again - many thanks to Jack for sitting down with us and for taking the time to look at ThreadFix and write up some thoughts. We've accomplished quite a bit with it so far and we're really excited about some of the things we have coming up. Most organizations are still getting their minds wrapped around managing application-level vulnerabilities and we're thrilled that ThreadFix is a tool many organizations are finding valuable to help get this critical process under control.

Contact us to talk about how ThreadFix can help get your application vulnerability management under control.

--Dan

dan _at_ denimgroup.com

@danielcornell

PS - Jack made another solid point about scheduling time to sit down at RSA. The big conferences are great because they attract so many folks, but schedules can get so crazy it really helped to get the important people we wanted to talk with actually on the calendar. That worked a lot better than leaving it up to chance.

Related articles
ThreadFix, an Open Source tool for software vulnerability management
OWASP Phoenix Slides: Using ThreadFix to Manage Application Vulnerabilities
Security Snafu on ThreadFix: Don't Code Your Own Vulnerability Management System

March 19, 2013 in Application Security Remediation, Application Security Tools, Blogs, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, John Dickson, Open Source, Remediation, Scanners, Security, Software Security Remediation, Static Analysis, ThreadFix Application Vulnerability Management, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

March 18, 2013

Developers and QA Doing Security Testing: I've Got Management Buy-In, Now What?

By Dan Cornell

One of the things I do is answers questions as an "expert" for the web site SearchSoftwareQuality.com and they recently posted an answer I gave to a question about how to get developers and quality assurance folks to do security testing. You can see my blog post about this here as well as the original question and answer here. After I posted this online, Aaron Weaver on Twitter asked a great question: "What else beside management buy-in?"

Screen Shot 2013-03-18 at 2.14.55 PM
I had to admit - this was a great question and my original response did kind of boil down to:

  • Decide if you really want developers and QA to be performing security testing
  • If so, you have to get management support to make it happen

That's all well and good, but doesn't really address the whole issue which could be summed up in the question "Assuming I want developers and QA to be performing security testing AND I have management buy in how do I do this successfully?" So I figured I would provide some more thoughts based on our experience working to get developers and QA folks to help out with security testing.

In short:

  1. Understand your goals for dev/QA security testing and let the involved parties know what the goals are
  2. Learn about what they are currently doing so you can set proper expectations
  3. Provide them context-specific training and support so they can be successful
  4. Follow up later to see if you are getting what you wanted

Let's look at each of these in a little more detail:

1 - Know and Communicate Your Goals

What exactly is it that you want to get from having developers or QA folks perform security testing? If you're hoping that providing them some testing tools will magically solve your software security problem you are in for a rude awakening so it is important to be realistic. Are you hoping that developers can catch certain types of security bugs early so you don't have to deal with them later? Is your security group understaffed and you're hoping that QA can help shore you up with some manual application penetration testing? You need to know your goals up-front, be realistic about what you can achieve and make sure that the developers and QA testers know their role in the process. If you can't tell these folks what you want them to do - management buy-in or not - they aren't going to be successful in doing it. Also it is probably a good idea at this point to take some measurements of the current state of affairs - how many security bugs are making it past development and QA? How long - calendar time and level of effort - does it take to fix vulnerabilities once they're identified? This will be important later.

2 - Learn About Current Development and QA Processses

Once you know the outcomes you want to see, it is really important to understand what practices, tools and processes developers are QA already have in place for development and testing. Is the team doing Test-Driven Development (TDD)? Are they using a Contininuous Integration (CI) environment with an existing set of unit and functional tests? Or is the situation, candidly, a mess with no processes, little or not automation and no real framework for making changes. Our sample size isn't really big enough yet to state this quantitatively, but one of the things we found doing some stastistics on software security remediation projects was that teams that had good, "modern" development practices in place were able to fix vulnerabilities with less disruption and effort. The same goes for integrating security testing into the activities of development and QA teams - the maturity of their overall environment is going to be an indicator of what you can expect these folks to be able to do on the security front.

3 - Provide Context-Specific Training and Support

After you know what you want developers and testers to do and have reality-checked these goals against the ground truth of what the teams are capable of, you need to show them what you want them to do and the more specific and context-relevant you can make this education, the more successful you are going to be. I used to think that teaching the principles of secure development was sufficient - if developers know they need to do input validation and contextual encoding they'll go out and find the appropriate resources for their particular environment, right? I also used to think that all developers loved to spend their free time looking at different tools and figuring out how they could be useful in their environment. In short, I was an idiot. (Arguably I'm still an idiot, but that is probably something to explore in other blog posts...) Developers and testers already have jobs to do and, prior to your current initiative, those jobs probably didn't require them to do security testing. Management buy-in is helpful to spur actions, but development and non-security testing still has to get done. Assuming you want to developers and testers to adopt new practices and new tools at any sort of scale you need to show them what they need to do and be as specific and prescriptive as possible so that you minimize the impact on ... all the other stuff the developers and QA testers are supposed to do.

4 - Follow Up

If you've crafted your developer and QA security testing program along these lines so far hopefully you're in a position where you can see some results. So next you need to check and see if you're actually getting the results you want. If you wanted developers to start running a static analysis tool and catching things like SQL injection and cross-site scripting (XSS) before it got to pre-deployment testing you should check to see if that is actually happening (you did remember to check and see how many SQLi and XSS you were finding before you made this change, right?) If it is - fantastic! If not - why not? This post is predicated on the assumption that you have enough management buy-in to get these teams to change their behavior. If you like having management buy-in and want to continue to have it in the future you'd best have answers to questions like "I authorized you to spend $X on application security testing - what did we get from that?"

Watching This In Action

I had the opportunity to run through this process with a group who was rolling out a static analysis tool to their developers recently. They had purchased enough licenses for the majority of their developers and wanted to use the static analysis tool to decrease PCI-relevant findings before applications got in front of PCI auditors. We worked with them to understand their development environment and how code was developed, tested and ultimately deployed to production. Based on this we crafted a very specific rollout and training plan. Part of this program development was a conversation like this:

Me: "... and we can show them the different types of analysis the tool can perform - it has some really cool capabilities"

Security Rep: "Don't care"

Me: "... and we can show them how to write their own custom rules - that can be really helpful tuning the tool to work for applications in your environment"

Security Rep: "Don't care"

Me: "... and ..."

Security Rep: "I just want you to show them how to install the IDE plugin, how to click the button to run a scan, and how to interpret and address the results the scan kicks out. Any other problems - they can come to me for help."

And that's exactly what we did. Did we strike a "grand bargain" to radically change the way this organization develops software? No. Did we turn all of their developers into secure software development gurus? No. But what we did accomplish was:

  • Took an investment of money and staff time
  • Acquired a new technology and rolled it out by changing the organization's processes and training the relevant staff on what they need to do to be successful
  • Put the developers in a position to find and address important vulnerabilities earlier in their development process
  • Reduced the vulnerability count in their software and made their PCI audits less painful (with graphs to prove it!)

Was this a "home run" for the cause of software security in this organization? No. Was it a solid single or double? Yeah I think it was. And, possibly more important, it provides a track record of success that can be used to make further advancements. I'll take it.

Contact us to talk about the roles development and QA can play in building secure software.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 18, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Scanners, Security, Static Analysis, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Next »