By Dan Cornell
I just got back from OWASP AppSecEU in Hamburg, Germany and I have to say I had a great time. The conference was very well run, the talks were very interesting and I had the opportunity to both reconnect with and meet a lot of great folks.
While I was there, I gave a talk titled "Do You Have a Scanner or a Scanning Program?" Here is the video from the presentation:
The slides are also online:
The abstract for the talk is:
By this point, most organizations have acquired at least one code or
application scanning technology to incorporate into their software
security program. Unfortunately, for many organizations the scanner
represents the entirety of that so-called “program” and often the
scanners are not used correctly or on a consistent basis.
This presentation looks at the components of a comprehensive software security program, the role that automation plays in these programs and tools and techniques that can be used to help increase the value an organization receives from its application scanning activities. It starts by examining common traps organizations fall into where they fail to address coverage concerns – either breadth of scanning coverage across the application portfolio or depth of coverage issues where application scans do not provide sufficient insight into the security state of target applications. After discussing approaches to address these coverage issues, the presentation walks through metrics organizations can use to keep tabs on their scanning progress to better understand what is being scanned, how frequently and at what depth.
The presentation also contains a demonstration of how freely available tools such as the open source ThreadFix application vulnerability management platform and the OWASP Zed Attack Proxy (ZAP) scanner can be combined to create a baseline scanning program for an organization and how this approach can be generalized to use any scanning technology.
I also spent an afternoon giving demos of ThreadFix and talking to a bunch of current - and hopefully future - ThreadFix users at the Open Source (Security) Showcase. I really enjoy events like the OS(S)S and the BlackHat Arsenal because of the opportunity to talk with both users and prospective users in-depth about their challenges and how ThreadFix can help them address those challenges.
dan _at_ denimgroup.com