LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad

Recent Posts

Categories

Subscribe to this blog's feed

Archives

Add me to your TypePad People list
Denim Group



Programming Blogs - Blog Catalog Blog Directory

October 10, 2009

OWASP San Antonio: Next Meeting October 21st, 2009

Sponsored by:

San Antonio OWASP Chapter: October 21, 2009

Topic: Rolling Out an Enterprise Source Code Review Program

Presenter: Dan Cornell, Principal at Denim Group

Date: October 21, 2009 11:30 a.m. – 1:00 p.m.

Location:

San Antonio Technology Center (Web Room)

3463 Magic Drive

San Antonio, TX 78229


View Larger Map

Abstract:

Source code review technology has rapidly advanced over the past several years and offers great promise of helping organizations detect and address software security defects.  However, many organizations stumble as they try to roll out these technologies because they fail to understand the people and process issues that must also be addressed.  This talk will present lessons learned from the creation of several enterprise source code review programs, including: identifying all sources of custom code in an organization including custom extensions to ERP systems and enterprise portals, selecting the first round of applications to scan and successfully interpreting results and driving resolution to identified issues.

Presenter Bio:

Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies.

 

Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium,  Inc. and as the Vice

President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest

Research Institute.

Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications.

Sodas and snacks will be provided.  Feel free to bring a brown-bag lunch.

Please RSVP: E-mail owasprsvp@denimgroup.com  or call (210) 572-4400.

Posted via email from denimgroup's posterous

October 10, 2009 in Dan Cornell, Denim Group, Fortify, Information Security, OWASP, Security, Speaking Events, Static Analysis, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

August 19, 2009

Denim Group and Fortify Press Release

By Dan Cornell

We released a press release today about our use of Fortify's tools on our software development projects.  John has a video describing the release here:

Press release is here.
Business Journal coverage is here.

--Dan
dan _at_ denimgroup.com
@danielcornell

August 19, 2009 in Application Security Tools, Dan Cornell, Denim Group, Fortify, Information Security, John Dickson, Pro Services Life, Security, Static Analysis, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

July 29, 2009

Upcoming Virginia OWASP Talk: Conducting Application Assessments

By Dan Cornell

I will be presenting to the Virginia OWASP chapter on Thursday August 6th at 6pm.  The location is 13200 Woodland Park Road in Herndon, VA.  For more info check here.  The presentation abstract is:

This talk will review a number of application assessment techniques and discuss the types of security vulnerabilities they are best suited to identify as well as how the different approaches can be used in combination to produce more thorough and insightful results. Code review will be compared to penetration testing and the capabilities of automated tools will be compared to manual techniques. In addition, the role of threat modeling and architecture analysis will be examined. The goal is to illuminate assessment techniques that go beyond commodity point-and-click approaches to web application or code scanning.


The talk will be followed by a panel discussion, which should be a good one.  As always, OWASP meetings are free and open to all.  Hope to see folks there.

--Dan
dan _at_ denimgroup.com
@danielcornell

July 29, 2009 in Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, OWASP, Security, Speaking Events, Static Analysis, Threat Modeling, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

April 22, 2009

Denim Group Mention in InformIT Article on Software Security Industry Trends

By Dan Cornell

Denim Group was mentioned in a recent article on the Software Security industry trends by Gary McGraw.  It highlights how we grew last year - even in a tough economy.

We see similar trends to those mentioned in the article in organizations we work with - penetration testing is still important, but many groups are also starting to put material resources toward source code analysis.  Now that most folks have been through the first rounds of assessments or penetration tests folks are putting more thought into the organizational changes they need to make in order to address software security risks.  Overall this is very healthy as we move into the post-scanner world.

--Dan
dan _at_ denimgroup.com

April 22, 2009 in Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Pro Services Life, Security, Static Analysis, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

January 27, 2009

Houston TechFest Slide Deck Online

By Dan Cornell

The slide deck from my talk at Houston TechFest is now online: Static Analysis Techniques for Testing Application Security.  Also see my previous post about the trip there.

--Dan
dan _at_ denimgroup.com

January 27, 2009 in .NET Users Group, Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Java, Microsoft, Open Source, OWASP, Pro Services Life, Security, Speaking Events, Static Analysis, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

January 26, 2009

The Road to Houston TechFest

By Dan Cornell

I was up in Houston last weekend for the rescheduled Houston TechFest.  The hurricane delayed this from the original date, but the event was still packed.

I flew into Houston for the day to give my talk on Static Analysis Techniques for Testing Application Security.  Unfortunately, when I was headed to my early-morning flight, I noticed that the airport had been overrun by birds:
IMG_0193
Yikes!  I didn't know who my pilot was, but I wasn't convinced he would be able to successfully land a 737 in the San Antonio River.  After all, the Hudson is a little wider than the Riverwalk...

Fortunately I made it to Houston all right and checked in with the TechFest folks.  The event was at the University of Houston so I went to the bottom of the student center where the event was being held to try and get some work done before my talk.  I soon found myself trapped between a bunch of martial arts students:
IMG_0195
And some folks playing "Magic - The Gathering" :
IMG_0196
No offense to the "Magic - The Gathering" crowd, but I had to cast my lot with the martial arts folks.  Cards representing elven chain mail and whatnot are no match for a crowd of folks ready to break actual bricks with their hands.

Fortunately everyone got to remain friends and I made it to my talk unscathed.

There was a great group there and we had some great questions such as:

  • Does the fact that most .NET static analysis tools rely on decompiling MISL make .NET, as a language, less secure than Java? (Both Java bytecodes and .NET MSIL are pretty easy to decompile, so there aren't a ton of differences there.  .NET static analysis tools usually use MSIL binaries because .NET code exists in a variety of languages and it is easier to write one parser/decompiler for MSIL that will work for all .NET languages wheras Java bytecode is almost always compiled from Java source code, thus making Java source or Java bytecode reasonably equally attractive choices for tool builders.)
  • Are there any subsets of PMD rules that are best for running security checks? (There are security-specific PMD checks, but they are mainly related to API misuse.  I don't know of any collection that includes the explicit security rules along with rules from other categories that often have security implications.)

One thing I talked about Saturday that was relatively new was the OWASP Open Review Project (ORPRO) which provides advanced static analysis capabilities for open source projects.

Overall it was a great session and I will be posting the slide deck shortly.

--Dan
dan _at_ denimgroup.com

January 26, 2009 in .NET Users Group, Application Security Tools, Blogs, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Java, Microsoft, Open Source, OWASP, Pro Services Life, Science, Security, Speaking Events, Static Analysis, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

November 17, 2008

SearchSoftwareQuality.com Answer Up Online

By Dan Cornell

Header_logo2

The SearchSoftwareQuality folks have posted a response I put together on a question about security code review tools.  Check it out here.

--Dan
dan _at_ denimgroup.com

November 17, 2008 in Application Security Tools, Dan Cornell, Denim Group, Fortify, Information Security, Open Source, Security, Static Analysis, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

November 12, 2008

OWASP EU Summit in Portugal: Thursday

By Dan Cornell

IMG_2162

I must admit - by Thursday I was feeling a little rough.  Mostly because of the two evening soccer (football?) games.  That's far too much running in too short a period of time for me.  Regardless, Thursday shaped up to be another great day with some great project presentations and working groups.  Projects I saw Thursday included:

  • James Walden - Source Code Review Project - The Open Review Project (ORPRO) has been working with James Walden and his folks to get all OWASP projects run through at least an automated security source code review.  James presented on his work over the summer getting workflows set up and working with the automated review platform.
  • Stephan Evans - Securing WebGoat with mod_security - This was a very interesting presentation on how to address the security vulnerabilities in WebGoat using mod_security rules.  It was cool to see how Lua scripting can be used to address issues that go beyond the typical technical vulnerabilities like SQL injection and cross site scripting (XSS).
  • Arturo Busleiman - Enigform and mod_OpenPGP Project - This is an interesting approach to securing web communications that leverages the PGP infrastructure rather than relying on SSL.
  • Marcin Wielgoszewski - AntiSamy.NET Project - This is a port of the AntiSamy project to work for .NET environments.

Working groups I attended were:

  • Intra-Government Working Group - Lots of great ideas here in two areas.  First - how to get OWASP involved with governmental standards bodies so that we can act as a resource as well as influence standards and practices.  Second - how to better communicate with government consumers on how to best use OWASP resources to make their infrastructures safer.
  • OWASP Strategic Planning -  Too many topics to mention here - the results should be coming out in a press release and a summary of the event.
  • Chapter Leaders Working Group - It was great to have an opportunity to interact with chapter leaders running chapters in a variety of state of maturity.  Certainly lots of good suggestions that I can bring back to use for the San Antonio chapter.

Mercifully, the Chapter Leaders session ran all the way until our late dinner time so we couldn't play another game of soccer.

--Dan
dan _at_ denimgroup.com

November 12, 2008 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Fortify, Information Security, Open Source, OWASP, Pro Services Life, Security, Speaking Events, Static Analysis, Training, Travel, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

OWASP EU Summit in Portugal: Wednesday

By Dan Cornell

IMG_0138

Wednesday was another day packed full of project presentations and working group sessions.  The project presentations I attended included:

  • Eduardo Neves - Positive Security Project - Many security programs are focused solely on the negative - what should not be done and so on.  This project is intended to create awareness of the "good" activities teams can perform to build security in.
  • Martin Knobloch - Education Project - This goal of this project is to organize OWASP materials so that they can be used in programs to educate developers about application security.  So far they have put together two full training classes with slide decks.
  • Juan Carlos Calderon - Internationalization - This project aims to get OWASP materials translated into a variety of languages to as to better distribute them to the developers that need them.
  • Lucilla Mancini - PASSWD - The PASSWD project aims to use modeling to predict the security state of applications.
  • Me (Dan Cornell) - Open Review Project (ORPRO) - This is a project I have been working with Mario deBoer and the folks from Fortify with for the past couple of months.  The goal is to make security code review services - both automated and manual - available to open source projects.  We are currently working with the folks from Moodle and will be looking to expand that involvement to other projects in the future.  (We're always looking for volunteers, so if you are interesting in performing security reviews for open source code please let me know!)

The working group I attended was:

  • Education Project Working Group - Lots of great discussions in this group including how to best structure the courses of instruction as well as thoughts about using the LiveCD Project as a distribution mechanism for courseware.

--Dan
dan _at_ denimgroup.com

November 12, 2008 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Fortify, Information Security, Open Source, OWASP, Pro Services Life, Security, Speaking Events, Static Analysis, Training, Travel, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

OWASP EU Summit in Portugal: Tuesday

By Dan Cornell

[Running a little behind, as usual.  Over the course of today I'll be putting up a series of posts to finish out my OWASP EU Summit notes.]

First of all, my favorite part of Tuesday was that I won a t-shirt at the Sensepost training class on offensive web application hacking.  H4x0r skillz!

IMG_0130
 

In addition to that, Tuesday was a really productive day.  I had the opportunity to attend a number of sessions where folks presented their Summer of Code projects and OWASP projects in general:

  • Jason Li - JSP Testing Tool - This tools tests JSP tag libraries to determine which attributes are properly escaped when they are written out to the HTML stream.  It does this by generating a large number of JSP/HTML examples with various payloads placed into the tags' attributes.  When the page renders, unescaped payloads change colors of parts of the DOM so you can see which attributes are "dangerous"  This is a very cool approach and it would be interesting to see how it applied to ASP.NET web controls as well.
  • Paolo Perego - Orizon - Orizon is a framework for code analysis that can apply various rules to look for security defects.  It currently supports Java and there are plans to make it support .NET.  Source code files are broken down into a number of XML representations and then those XML representations are run through a rules engine to identify potential security issues.
  • Alex Smolen - ESAPI.NET - This is the .NET version of the ESAPI.  Currently it is basically a word-for-word port of the Java ESAPI into C#, but the plan is to update the .NET version to accomodate existing security capabilities of the .NET platform such as the Membership API and the AntiXSS library.

I also had an opportunity to attend a number of working groups:

The energy and enthusiasm at this event was incredible.  As you'll see from the following posts we covered a lot of ground during the week and a lot got accomplished.

--Dan
dan _at_ denimgroup.com

November 12, 2008 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Java, Open Source, OWASP, Pro Services Life, Security, Speaking Events, Static Analysis, Threat Modeling, Training, Travel, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Next »