LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad
Subscribe to this blog's feed

Recent Posts

Categories

Archives

Add me to your TypePad People list


Programming Blogs - Blog Catalog Blog Directory

Denim Group

June 11, 2013

Pre-LASCON Training: Running a Software Security Program with Open Source Tools

By Dan Cornell

Lascon

Everybody's excited about LASCON 2013, right? After hosting OWASP AppSecUSA 2012 the LASCON folks aren't resting on their laurels for the 2013 event. The conference proper is in Austin, TX on October 24th and 25th this year and, based on the keynotes that have alrady been announced, this should be a first-rate event. And the LASCON folks are doing something new this year by also sponsoring some training events in the months before the conference starts. I'll be doing the training class in July.

Title: Running a Software Security Program With Open Source Tools

Trainer: Dan Cornell

Dates: July 22nd and 23rd, 9:00am - 5:00pm

Cost: $195/person

Location: Norris Conference Center, Austin, TX

Abstract:

Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on exposure to a variety of freely-available tools that they can use to implement portions of these programs.

Register online here. Several spots have already been taken, so please sign up early if you're interested because this will likely fill up.

Contact us to talk more about getting the most out of the tools you're using - both open source and commercial - in your software security program.

--Dan

dan _at_ denimgroup.com

@danielcornell

June 11, 2013 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, OWASP, Remediation, Scanners, Security, Software Security Remediation, Speaking Events, Static Analysis, ThreadFix Application Vulnerability Management, Threat Modeling, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , ,

April 26, 2013

Webinar Recording Online: Running a Web Security Testing Program with OWASP ZAP and ThreadFix

By Dan Cornell

Simon Bennetts (@psiinon) and I did a webinar last Wednesday talking about how to set up web application testing programs witih the freely-available tools OWASP Zed Attack Proxy (ZAP) and ThreadFix. The webinar was titled "Running a Web Security Testing Program with OWASP ZAP and ThreadFix" You can see the recorded webinar here:

(fullscreen video came out remarkably sharp!)

For more infomation about the tools and techniques we discussed, check out:

I wanted to personally thank Simon for taking the time to put on this webinar with us. I'm a huge fan of ZAP and I was really excited to get the opportunity to talk with folks about how ZAP and ThreadFix can be used together.

Contact us to talk about ways you can automate parts of your web application testing program with freely-available tools.

--Dan

dan _at_ denimgroup.com

@danielcornell

April 26, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, OWASP, Remediation, Scanners, Security, Software Security Remediation, Speaking Events, ThreadFix Application Vulnerability Management, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , ,

April 08, 2013

Webinar: Running a Web Security Testing Program with OWASP ZAP and ThreadFix

By Dan Cornell

Zap128x128ThreadFix_72

Simon Bennetts (@psiinon) and I will be doing a webinar Wednesday April 24th, 2013 at 10:30am Central Daylight Time to talk about how organizations can set up a web security testing program using the freely available tools OWASP Zed Attack Proxy (ZAP) and ThreadFix.

You can register online here: Running a Web Security Testing Program with OWASP ZAP and ThreadFix

Abstract:

OWASP's Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. ThreadFix is a software vulnerability management platform that allows organizations to track the results of testing and communicate vulnerabilities to software development teams. Used together, these open source tools allow organizations to build a comprehensive program of web application security testing and vulnerability management. Security analysts can perform automated and manual testing of critical applications, track the results of their testing and report metrics on their program's effectiveness. This webinar walks through the basics of using OWASP ZAP for web application scanning and testing. It then demonstrates storing and managing these results inside of ThreadFix and communicating them to development teams for resolution. Developers and security professionals alike will benefit from seeing how these two tools used in combination can allow any organization to start taking control of the security of their web applications.

Contact us if you woud like to talk more about getting the most out of great tools like OWASP ZAP and ThreadFix.

--Dan

dan _at_ denimgroup.com

@danielcornell

April 08, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, OWASP, Remediation, Scanners, Security, Software Security Remediation, Speaking Events, ThreadFix Application Vulnerability Management, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (1) | TrackBack (0)

Technorati Tags: , , , , , , , , , ,

April 07, 2013

OWASP Dallas: Implementation Patterns for Software Security Programs

By Dan Cornell

Ologo

I will be in Dallas on May 8th to speak to the OWASP Dallas chapter. The meeting runs from 11:30am through 1:00pm and is located at Richland College, 12800 Abrams Road, Dallas, TX 75243 at Sabine Hall in room SH117.

I will be giving an updated version of my talk titled "Implementation Patterns for Software Security Programs." (See my writeup of BSides Austin 2013 for some more background) The abstract for the presentation is:

Most organizations have finally realized that the software applications they are developing and deploying exposes them to significant risks. Organizations that are serious about this issue have started rolling out software security programs to address these risks in a structured manner. The challenge for these organizations is to determine what measures to put in place and how to implement those measures to best reduce their exposure. Efforts such as BISMM, OpenSAMM and Microsoft's SDL have shown that there are a number of components of software security programs that are reasonably standard, but there are different ways of implementing tools and deploying processes so what was successful for one organization does not guarantee success in others. Matching implementation strategies to the specific capabilities, limitations, strengths and weaknesses of the organizations is critical to a successful program roll-out.

This presentation relates several example case studies for organizations rolling out different portions of their software security programs. Although every organization is different, looking across multiple program implementations allows patterns to emerge and these patterns can provide guidance to other organizations looking to organize plans for their software security programs.

Several aspects of program rollout and the associated program are covered. Firstly, the presentation provides a discussion of selecting the organizational "owner" of the software security program. Although many parts of the organization must be involved, one group must be ultimately responsible for the security state of software developed and deployed. Then the presentation looks into three specific software security activities: static code analysis, dynamic application testing and developer security education. Several implementation patterns for each of these activity rollouts are outlined along with factors organizations can use to decide if a particular approach is well suited to their needs. These patterns help to provide templates that minimize the requirement of an organization to experiment and break new, risky ground by allowing them to benefit from lessons learned from previous efforts.

The presentation is vendor-neutral and based on experiences working with several organizations creating software security programs.

I always enjoy speaking to OWASP groups and I'm thrilled to have the opportunity to come back and talk to the folks in Dallas. Looking forward to seeing everyone there!

Contact us for help building a software security program that works for your organization.

--Dan

dan _at_ denimgroup.com

@danielcornell

April 07, 2013 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, OWASP, Scanners, Security, Speaking Events, Static Analysis, ThreadStrong e-Learning, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , ,

February 20, 2013

Security Snafu on ThreadFix: Don't Code Your Own Vulnerability Management System

By Dan Cornell

Security_snafu
Recently Securty Snafu took a look at ThreadFix and posted some thoughts. First I wanted to thank them for taking a look - we're always thrilled to have folks work witih ThreadFix and provide feedback. Also I wanted to emphasize a couple of things they mentioned:

  • If You're Thinking About Rolling Your Own Application Vulnerability Management System: Don't - This is something we've encountered over and over again as we've talked to different organizations in the course of developing ThreadFix. We have found so many home-grown, in-house vulnerabilty management solutions. What we typically see in these cases is that something got built to solve a specific need and then the project ballooned, resulting in a whole bunch of code that no one wants to maintain. We think ThreadFix is a great alternative in cases like this because it provides all the basics of importing and consolidating vulnerability results, is under active development and is freely available under the Mozilla Public License (MPL). Commercial support is available for organizations who are interested so they don't have to rely on tracking down internal resources that have probably moved on to other initiatives. This provides a much better base for most vulnerability management programs than a bunch of unmaintainable in-house code. And if you need special functionality, you can fork ThreadFix and build your in-house solution on it as a base (or have us do it for you). But before you do that, be sure to understand that...
  • ThreadFix's API Makes It Possible To Integrate It With Your Processes - Every organization handles vulnerability management a little different and some handle it very differently. With ThreadFix we've tried to implement the basic workflows that we see over and over again and we've provided a REST-based API that can be used to drive ThreadFix's behavior and to integrate it with the wide variety of tools and processes that interact with organizations' vulnerability management initiatives. Josh Sokol and I talked about this in our presentation "The Magic of Symbiotic Security" (take a look at the bottom of this post if you want to watch a video of this presentation) In addition to the REST API we also provide a command-line tool to simplify these integrations. With the combination of these facilities, it should be possible to integrate ThreadFix into your continuous integration builds, GRC system and so on.

Again - thanks to Security Snafu for taking a look at ThreadFix. We hope that having a resource like ThreadFix available will make organizations think twice before rolling their own vulnerability management solution. It covers the basics, can be extended and modified and it is free. With commercial support available what is not to like?

Contact us for help building your vulnerability management program with ThreadFix.

--Dan

dan _at_ denimgroup.com

@danielcornell

February 20, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, OWASP, Remediation, Scanners, Security, Software Security Remediation, Static Analysis, ThreadFix Application Vulnerability Management, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

February 19, 2013

Smart Phones Dumb Apps Scripts Updated

By Dan Cornell

Mobile_phone

Last week I pushed some updates to the mobile application assessment scripts we released with my Smart Phones Dumb Apps presentation a while back. These scripts do some light static analysis on Android and (unencrypted) iOS binaries - mainly setting up a list of things to manually examine during a more thorough analysis. Most of these updates are courtesy of Abraham Aranguren ([name] . [surname] @owasp.org, @7a_ on Twitter) who updated a couple of packaged external tools those scripts relied on such as FindBugs and dex2jar (thanks!). You can also check out a great blog post Abraham put up listing a number of really valuable Android application security resources.

Mobile application security continues to be an area organizations struggle with. Everyone feels huge schedule pressures to get new applications and new functionality released. Developers dive into development projects without understanding how to design and build secure mobile applications. The result is pretty predictable - vulnerable mobile apps and, even scarier in most cases, vulnerable web services supporting those mobile apps.

Keep an eye on this space - at Denim Group we've been doing a lot of work both assessing the security of mobile applications as well as helping firms design and build secure mobile apps. In the next couple of months we're looking at making more of what we've been doing publicly available and hopefully organizations will be able to use that to step up their mobile security skills.

Contact us for help building secure mobile applications and setting up security assessment program for your organization's mobile strategy.

--Dan

dan _at_ denimgroup.com

@danielcornell

February 19, 2013 in Application Security Tools, Dan Cornell, Denim Group, Information Security, iPhone, Mobile, Open Source, OWASP, Scanners, Security, Static Analysis, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

February 18, 2013

ThreadFix 1.1 RC2 Now Available

By Dan Cornell

ThreadFix_72
Many thanks to everyone who helped us put the ThreadFix 1.1 RC1 through its paces. We've received your feedback, fixed a bunch of bugs and built out a couple of requested feature updates resulting in 1.1RC2. You can get it from the ThreadFix downloads site.

What's new in 1.1RC2? First take a look at what we released with 1.1 RC1. In addition to that we have a couple of things including:

You can see the full list of features and defects addressed during the 1.1 development cycle in the issue tracker. We've posted information on the ThreadFix wiki about how to upgrade your ThreadFix 1.0.1 install to 1.1 and would love to hear any feedback from people going through that process. So take a look and please post any thoughts or bugs either on the ThreadFix issue tracker or join the ThreadFix Google Group and let us know there.

Contact us for help managing your software security program with ThreadFix.

--Dan

dan _at_ denimgroup.com

@danielcornell

February 18, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, OWASP, Remediation, Scanners, Security, Software Security Remediation, Static Analysis, ThreadFix Application Vulnerability Management, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

January 30, 2013

OWASP Phoenix: Using ThreadFix to Manage Application Vulnerabilities

By Dan Cornell

Owasplogo

I'll be in Phoenix next week on Tuesday February 5th, 2013 speaking to the Phoenix OWASP chapter about ThreadFix.

Title: Using ThreadFix to Manage Application Vulnerabilities

Abstract:

ThreadFix is an open source software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. It imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. The system allows organizations to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. This presentation will walk through the major functionality in ThreadFix and describe several common use cases such as merging the results of multiple open source and commercial scanning tools and services. It will also demonstrate how ThreadFix can be used to track the results of scanning over time and gauge the effectiveness of different scanning techniques and technologies. Finally it will provide examples of how tracking assurance activities across an organization’s application portfolio can help the organization optimize remediation activities to best address risks associated with vulnerable software.

The meeting will be held from 6:30 - 7:30pm at the University of Advancing Technology 2625 W. BASELINE RD. TEMPE, AZ 85283-1056. For more information, check out the main OWASP Phoenix site.

Contact us for help running your software security program on ThreadFix.

--Dan

dan _at_ denimgroup.com

@danielcornell

January 30, 2013 in Application Security Remediation, Application Security Tools, Blogs, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, OWASP, Pro Services Life, Remediation, Scanners, Security, Software Security Remediation, Speaking Events, Static Analysis, ThreadFix Application Vulnerability Management, Watchfire, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

January 29, 2013

ThreadFix 1.1 Release Candidate Now Available

By Dan Cornell

ThreadFix_72
We've been hard at work on ThreadFix since the 1.0 release in October and we're just about ready to push out an updated 1.1 release. This week we've made a 1.1 release candidate available for folks to take a look at and review. You can get it from the ThreadFix downloads site.

What's new in 1.1? Lots of stuff including:

  • Support for NTObjectives NTO Spider scans (#162)
  • Support for Microsoft Team Foundation Server (TFS) bug trackers (#117)
  • Adding user comments for vulnerabilities (#55)
  • Editing of manually-entered vulnerabilities (#160)
  • "Filter by CWE" for vunerabilities(#163)
  • Updated security model to allow for fine-grained user permissions (#56) (this has been a huge priority for the larger enterprises deploying ThreadFix)
  • Updated Snort rule generation (#113)
  • Updated license from MPL 1.1 to MPL 2.0 (#181)
  • Various updates and bug fixes and enhancements (#159, #168, #176, #196)

You can see the full list of features and defects addressed during the 1.1 development cycle in the issue tracker. We've posted information on the ThreadFix wiki about how to upgrade your ThreadFix 1.0.1 install to 1.1 and would love to hear any feedback from people going through that process. So take a look and please post any thoughts or bugs either on the ThreadFix issue tracker or join the ThreadFix Google Group and let us know there.

Contact us for help managing your software security program with ThreadFix.

--Dan

dan _at_ denimgroup.com

@danielcornell

January 29, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Java, Open Source, OWASP, Remediation, Scanners, Security, Software Security Remediation, Static Analysis, ThreadFix Application Vulnerability Management, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

November 06, 2012

Come See Denim Group at OWASP BeNeLux 2012 in Leuven, Belgium

Fileowaspbnl12header
I'll be headed to OWASP BeNeLux 2012 in Leuven, Belgium to do a day of training and give a presentation. Looking forward to catching up with OWASP folks, eating some Belgian chocolate and drinking some Belgian beer.
Thursday November 29th, 2012 I'll be giving a one-day version of our "Running a Software Security Program on Open Source Tools" course. This is usually a two-day course so it will be a pretty hectic day but it should be fun. The course description is:

Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on exposure to a variety of freely-available tools that they can use to implement portions of these programs.

 

On Friday I'll be giving a presentation titled "Streamlining Application Vulnerability Management: Communication Between Development and Security Teams" The abstract is:

Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.

 

I've never been to Belgium before so I'm looking forward to the trip. Contact us if you want to meet up in Leuven!

--Dan
dan _at_ denimgroup.com

Posted via email from Denim Group's Posterous

November 06, 2012 in Conferences, OWASP | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , ,

Next »