LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad

Recent Posts

Categories

Subscribe to this blog's feed

Archives

Add me to your TypePad People list
Denim Group



Programming Blogs - Blog Catalog Blog Directory

September 27, 2011

The Self Healing Cloud: Slides Online

By Dan Cornell

I gave a presentation at OWASP AppSecUS this year in Minneapolis on some work we’ve been doing on automated virtual patching called “The Self Healing Cloud: Protecting Applications and Infrastructure with Automated Virtual Patching” This builds on work we have done on virtual patching in the past and I’m excited that we can finally release some real-world data on how different scanners and protection technologies perform.

Video should be available soon, and the slides are online here:

The Self Healing Cloud: Protecting Applications and Infrastructure with Automated Virtual Patching
View more presentations from Denim Group

Virtual patching is an exciting use case for IDS/IPS and WAF technologies. As we’ve noted before, web application vulnerabilities have a tendency to live much longer than they should. Application code changes take time so virtual patching is a great way to give development teams some “air cover” so they can get their work done while the organization still enjoys a measure of protection.

Contact us for more information about integrating virtual patching into your application security remediation strategy.

--Dan

dan _at_ denimgroup.com

@danielcornell

September 27, 2011 in Cloud, OWASP | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , ,

June 12, 2011

OWASP AppSecEU 2011 Slides Online: Security Testing Mobile Applications

By Dan Cornell

I just got back from Dublin, Ireland where I attended OWASP AppSecEU 2011. I gave a training class on building secure mobile applications and testing the security of mobile applications and also did a presentation on different techniques for security testing mobile applications.

The slides from the presentation are online here:

During the presentation we looked at different techniques for security testing mobile applications:

  • Static (both source code and binary)
  • Dynamic
  • Forensic

Mobile security testing is different than web application security testing. Techniques like automated dynamic testing that can produce some quick and useful results for web applications do not necessarily provide the same immediate value for mobile apps. The presentation talks through some different approaches and where they can provide the most value. And for a bonus – all the photos in the presentation slide deck came from the Guinness Brewery Tour!

Contact us for help testing the security of your mobile applications.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

June 12, 2011 in Conferences, Mobile, OWASP | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , ,

May 03, 2011

Denim Group at OWASP AppSec EU 2011

By Dan Cornell

Denim Group’s John Dickson and I will be headed to Dublin, Ireland for the OWASP AppSec EU 2011 conference this June.

I’m teaching a 1-day class on June 8th: “Designing, Building and Testing Secure Application on Mobile Devices.” This course provides an introduction to security for mobile and smartphone applications. It walks through a basic threat model for a smartphone application. This threat model is then used as a framework for making good decisions about designing and building applications as well as for testing the security of existing applications. Examples are provided for both iOS (iPhone and iPad) and Android platforms and sample code is provided to demonstrate mobile security assessment techniques. Particular emphasis will be on the unique security challenges that developing software for mobile devices represent, comparing mobile software security concepts to those in the web application world. You can click here to register for OWASP AppSec EU 2011 Training.

Then John Dickson will be giving his presentation “Software Security: Is OK Good Enough” on June 10th.  The abstract is:

Widely publicized breaches regularly occur involving insecure software. This is due to the fact that the vast majority of software in use today was not designed to withstand attacks encountered when deployed on hostile networks such as the Internet. What limited vulnerability statistics that exist confirm that most modern software includes coding flaws and design errors that put sensitive customer data at risk. Unfortunately, security officers and software project owners still struggle to justify investment to build secure software. Initial efforts to build justification models have not been embraced beyond the most security conscious organizations. Concepts like the “Rugged Software” are gaining traction, but have yet to make a deep impact. How does an organization – short of a breach – justify expending critical resources to build more secure software? Is it realistic to believe that an industry-driven solution such as the Payment Card Industry’s Data Security Standard (PCI-DSS) can drive secure software investment before headlines prompt government to demand top-down regulation to “fix” the security of software?

This presentation will attempt to characterize the current landscape of software security from the perspective of a practitioner who regularly works with Fortune 500 chief security officers to build business cases for software security initiatives. Given the current status of software security efforts, and the struggles for business justification, industry would be well-served to look further afield to other competing models to identify future justification efforts. There is still much that can be learned from models outside the security and information technology fields. For example, the history of food safety provides lessons that the software security industry can draw from when developing justification models. We can also learn from building code adoption by earthquake-prone communities and draw comparisons to communities that have less rigorous building codes. Finally, we can learn much from certain financial regulations that have or have not improved confidence in our financial system.

I will be following that up with my presentation “Putting the Smart into Smartphones: Security Testing Mobile Applications” later that day:

Security testing techniques for web applications are fairly well-understood and documented.  However, mobile applications have different threat models than web applications and also rely on different technologies; therefore the goals of mobile application security testing are different as are the techniques. This presentation outlines a basic threat model for a mobile application and walks through concerns an application developer might have when deploying the application. Different testing techniques that can be used to gain insight into the security properties of the application are discussed and comparisons are made to the testing of web applications and other software to demonstrate the similarities and differences when dealing with mobile applications. Examples are given for both iPhone and Android platforms but the general techniques apply to any mobile application platform.

The OWASP Ireland 1-day conference last year was great and I’m looking forward to heading back over for the full AppSec conference this year. Contact us if you want to meet up at OWASP AppSec EU 2011.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

May 03, 2011 in Conferences, OWASP | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , ,

December 14, 2010

Smart Phones Dumb Apps - Now Coming to an OWASP Austin Near You

By Dan Cornell

 

I will be giving my “Smart Phones Dumb Apps” presentation on smartphone application security at OWASP Austin on January 25th, 2011 at 11:30am.

 

The meeting will be held at:

National Instruments – Conference Room 1S13

11500 North Mopac Expressway

Building C

Austin, TX 78759


View Larger Map

 

You can sign up here.

 

The presentation abstract is:

Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android.  Many of these applications are constructed without fully considering the associated security implications of their deployment.  Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services.  This talk discusses emerging threats associated with deploying  smartphone applications  and provides an overview of the threat modeling process.  The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks.

 

Contact us for help building and securing smartphone applications.

 

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous

December 14, 2010 in OWASP | | Comments (2) | TrackBack (0)

October 10, 2009

OWASP San Antonio: Next Meeting October 21st, 2009

Sponsored by:

San Antonio OWASP Chapter: October 21, 2009

Topic: Rolling Out an Enterprise Source Code Review Program

Presenter: Dan Cornell, Principal at Denim Group

Date: October 21, 2009 11:30 a.m. – 1:00 p.m.

Location:

San Antonio Technology Center (Web Room)

3463 Magic Drive

San Antonio, TX 78229


View Larger Map

Abstract:

Source code review technology has rapidly advanced over the past several years and offers great promise of helping organizations detect and address software security defects.  However, many organizations stumble as they try to roll out these technologies because they fail to understand the people and process issues that must also be addressed.  This talk will present lessons learned from the creation of several enterprise source code review programs, including: identifying all sources of custom code in an organization including custom extensions to ERP systems and enterprise portals, selecting the first round of applications to scan and successfully interpreting results and driving resolution to identified issues.

Presenter Bio:

Dan Cornell has over ten years of experience architecting and developing web-based software systems. As CTO of Denim Group, he leads the organization’s technology team overseeing methodology development and project execution for Denim Group’s customers. He also heads the Denim Group security research team, investigating the application of secure coding and development techniques to the improvement of web-based software development methodologies.

 

Dan Cornell has performed as the CTO of BrandDefense, as founder and Vice President of Engineering for Atension prior to its acquisition by Rare Medium,  Inc. and as the Vice

President, Global Competency Leader for Rare Medium’s Java and Unix Competency Center. Cornell has also developed simulation applications for the Air Force with Southwest

Research Institute.

Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the chapter leader of the San Antonio chapter of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, Denim Group's open source tool for assessing the security of AJAX-enabled web applications.

Sodas and snacks will be provided.  Feel free to bring a brown-bag lunch.

Please RSVP: E-mail owasprsvp@denimgroup.com  or call (210) 572-4400.

Posted via email from denimgroup's posterous

October 10, 2009 in Dan Cornell, Denim Group, Fortify, Information Security, OWASP, Security, Speaking Events, Static Analysis, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

August 28, 2009

Dan Cornell Presenting at OWASP Houston: Conducting Application Assessments

TOPIC: "Conducting Application Assessments"

SPEAKER(S): Dan Cornell, OWASP, Denim Group

ABSTRACT: This talk will review a number of application assessment techniques and discuss the types of security vulnerabilities they are best suited to identify as well as how the different approaches can be used in combination to produce more thorough and insightful results. Code review will be compared to penetration testing and the capabilities of automated tools will be compared to manual techniques. In addition, the role of threat modeling and architecture analysis will be examined. The goal is to illuminate assessment techniques that go beyond commodity point-and-click approaches to web application or code scanning.

Date: Wednesday, September 9th

Time: 6:00 - 7:30pm

Location: HCC
1010 West Sam Houston Parkway North
Spring Branch Campus Commons
Houston, TX 77043

Directions: Physically it is Beltway 8 and I-10 -- Take the Gesner Exit of I-10 from downtown. It is next door to Murphy's Deli.

Contact me for a parking pass: dan _at_ denimgroup.com / @danielcornell

Posted via web from denimgroup's posterous

August 28, 2009 in Dan Cornell, Denim Group, Dynamic Analysis, Information Security, John Dickson, OWASP, Security, Speaking Events, Static Analysis, Threat Modeling, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

August 12, 2009

OWASP San Antonio Meeting: Wednesday August 19, 2009

By Dan Cornell

The next OWASP San Antonio chapter meeting is Wednesday August 19th, 2009.  It will be held at the San Antonio Technology Center, 3463 Magic Drive, San Antonio, TX 78229 from 11:30am - 1:00pm.  The presenters are Matt Burriola and Mario Flores from Randolph-Brooks Federal Credit Union.

Topic: Web Application Firewalls (WAFs)

Abstract:
Web application firewalls (WAFs) have gained considerable momentum as web vulnerabilities have grown.  WAFs now have a proven record of reducing exposures to web vulnerabilities by blocking malicious activity much like a typical firewall.  While WAFs help, it does take time to consider when a WAF is appropriate.  It also takes time to evaluate and implement the WAF as well.  Come listen to reasons why Randolph-Brooks Federal Credit Union chose a WAF and what they learned in the process.


Presenter Bios:
Matt is a Senior Developer on the RBFCU Web Team, but mainly serves the roles of Configuration Management lead and Systems Admin for the team.  Matt maintains the source control repository, application build and release processes, and QA server environments.  Matt also works on web infrastructure initiatives such as Web Application Firewall.  Matt has 10 years IT industry experience, including Java/web technologies, C, C++, Unix/Linux, shell scripting, and Symbol mobile handheld programming.  Matt has a degree in Management Information Systems from Texas A&M University-Corpus Christi.

Mario is currently the Web Development manager for RBFCU.  In this current role, Mario manages the development efforts for the online banking site and the intranet.  Mario also has a solid background in web security and has addressed issues with web application penetration assessments.  Mario has worked for RBFCU for 14 years and he has a degree in Information Systems from Texas Lutheran University.

Sodas and snacks will be provided.  Feel free to bring a brown-bag lunch.

Please RSVP: E-mail owasprsvp@denimgroup.com  or call (210) 572-4400.

--Dan
dan _at_ denimgroup.com
@danielcornell

August 12, 2009 in Dan Cornell, Denim Group, Information Security, OWASP, Security, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

August 08, 2009

Slide Decks from Last Week's OWASP Presentations Online

By Dan Cornell

IMG_0215

I wanted to thank the OWASP Washington DC and Northern Virginia chapters for their hospitality last week.  John Dickson and I had a great trip through the DC area.

The slide decks from the talks are online on the Denim Group website.  We also started something new and put them up on the Denim Group SlideShare site:


Vulnerability Management In An Application Security World
View more documents from Denim Group.

Application Assessment Techniques
View more documents from Denim Group.


--Dan
dan _at_ denimgroup.com
@danielcornell

August 08, 2009 in Application Security Tools, Dan Cornell, Denim Group, Information Security, OWASP, Security, Speaking Events, Static Analysis, Threat Modeling, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

July 29, 2009

Upcoming Virginia OWASP Talk: Conducting Application Assessments

By Dan Cornell

I will be presenting to the Virginia OWASP chapter on Thursday August 6th at 6pm.  The location is 13200 Woodland Park Road in Herndon, VA.  For more info check here.  The presentation abstract is:

This talk will review a number of application assessment techniques and discuss the types of security vulnerabilities they are best suited to identify as well as how the different approaches can be used in combination to produce more thorough and insightful results. Code review will be compared to penetration testing and the capabilities of automated tools will be compared to manual techniques. In addition, the role of threat modeling and architecture analysis will be examined. The goal is to illuminate assessment techniques that go beyond commodity point-and-click approaches to web application or code scanning.


The talk will be followed by a panel discussion, which should be a good one.  As always, OWASP meetings are free and open to all.  Hope to see folks there.

--Dan
dan _at_ denimgroup.com
@danielcornell

July 29, 2009 in Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, OWASP, Security, Speaking Events, Static Analysis, Threat Modeling, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

July 28, 2009

Upcoming DC OWASP Talk: Vulnerability Management in an Application Security World

By Dan Cornell

I will be speaking to the DC-area OWASP meeting next week on Wednesday August 5th at 6:30 on the GWU campus.  Check out the OWASP DC site and the Yahoo Events page for more info.

The presentation will outline strategies security teams can use for communicating with development teams to manage and ultimately correct application-level vulnerabilities. Similarities and differences between the security practice of vulnerability management and the development practice of defect management will also be addressed.

As always, OWASP meetings are free to all.  Hope to see folks there.

--Dan
dan _at_ denimgroup.com
@danielcornell

July 28, 2009 in Dan Cornell, Denim Group, Information Security, OWASP, Security, Speaking Events, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Next »