LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad
Subscribe to this blog's feed

Recent Posts

Categories

Archives

Add me to your TypePad People list


Programming Blogs - Blog Catalog Blog Directory

Denim Group

April 07, 2013

OWASP Dallas: Implementation Patterns for Software Security Programs

By Dan Cornell

Ologo

I will be in Dallas on May 8th to speak to the OWASP Dallas chapter. The meeting runs from 11:30am through 1:00pm and is located at Richland College, 12800 Abrams Road, Dallas, TX 75243 at Sabine Hall in room SH117.

I will be giving an updated version of my talk titled "Implementation Patterns for Software Security Programs." (See my writeup of BSides Austin 2013 for some more background) The abstract for the presentation is:

Most organizations have finally realized that the software applications they are developing and deploying exposes them to significant risks. Organizations that are serious about this issue have started rolling out software security programs to address these risks in a structured manner. The challenge for these organizations is to determine what measures to put in place and how to implement those measures to best reduce their exposure. Efforts such as BISMM, OpenSAMM and Microsoft's SDL have shown that there are a number of components of software security programs that are reasonably standard, but there are different ways of implementing tools and deploying processes so what was successful for one organization does not guarantee success in others. Matching implementation strategies to the specific capabilities, limitations, strengths and weaknesses of the organizations is critical to a successful program roll-out.

This presentation relates several example case studies for organizations rolling out different portions of their software security programs. Although every organization is different, looking across multiple program implementations allows patterns to emerge and these patterns can provide guidance to other organizations looking to organize plans for their software security programs.

Several aspects of program rollout and the associated program are covered. Firstly, the presentation provides a discussion of selecting the organizational "owner" of the software security program. Although many parts of the organization must be involved, one group must be ultimately responsible for the security state of software developed and deployed. Then the presentation looks into three specific software security activities: static code analysis, dynamic application testing and developer security education. Several implementation patterns for each of these activity rollouts are outlined along with factors organizations can use to decide if a particular approach is well suited to their needs. These patterns help to provide templates that minimize the requirement of an organization to experiment and break new, risky ground by allowing them to benefit from lessons learned from previous efforts.

The presentation is vendor-neutral and based on experiences working with several organizations creating software security programs.

I always enjoy speaking to OWASP groups and I'm thrilled to have the opportunity to come back and talk to the folks in Dallas. Looking forward to seeing everyone there!

Contact us for help building a software security program that works for your organization.

--Dan

dan _at_ denimgroup.com

@danielcornell

April 07, 2013 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, OWASP, Scanners, Security, Speaking Events, Static Analysis, ThreadStrong e-Learning, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , ,

March 26, 2013

BSides Austin Recap: Implementation Patterns for Software Security Programs

By Dan Cornell

BSides Austin 2013 was at the end of last week and one of the things I did while I was there was give a talk about different patterns we've seen as we've helped firms put together their software security programs. Slides are online:

The abstract for the talk was:

Every organization’s software security program implementation is different, but patterns exist providing guidance to those looking to plan for their program rollouts. This presentation covers several aspects of this process including the “ownership” of the software security program as well as implementation of static code analysis, dynamic application testing and developer security education.

Contact us for help building a software security program that works for your organization.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 26, 2013 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Scanners, Security, Speaking Events, Static Analysis, ThreadStrong e-Learning, Threat Modeling, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , ,

BSides Austin Recap: Developing Secure Mobile Applications

By Dan Cornell

BSides Austin 2013 was at the end of last week and one of the things I did while I was there was give a short, two hour training session titled "Developing Secure Mobile Applications" This is a (very) cut down version of some of the instructor-led training classes we give on developing secure mobile applications and testing the security of mobile applications. Slides are online:

The abstract for the training was:

This course provides an introduction to security for mobile applications. It walks through a basic threat model for a mobile application. This threat model is then used as a framework for making good decisions about designing and building applications as well as for testing the security of existing applications. Examples are provided for both iOS (iPhone and iPad) and Android platforms and sample code is provided to demonstrate mobile security assessment techniques.

Contact us for help building secure mobile applications and testing the security of mobile applications.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 26, 2013 in Dan Cornell, Denim Group, Information Security, iPhone, Mobile, Security, Speaking Events, ThreadStrong e-Learning, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , ,

May 18, 2012

Upcoming Webinar: Keeping Your Data Safe

By John Dickson

We’ve got a great webinar coming up later this month. We’re partnering with Inspired eLearning, a web-based training solutions provider, to put on this webinar about protecting sensitive credit card data. If you work with customer credit card data and are struggling with PCI DSS compliance, this webinar can help your organization.

Keeping Your Data Safe: Protecting Your Organization from Web Hackers

Tuesday, June 12

12 p.m. CT

Businesses store and process sensitive credit card information today more than ever before. Yet companies don’t always protect that data well, leading to expensive public breaches that cost the organization both money and customer trust. It is vital that businesses keep consumer credit card information safe from malicious users. Join us to learn how to identify technology and process vulnerabilities that pose a risk to the security of cardholder data, and how your software developers and IT department can help keep your organization safe. Join Denim Group and Inspired eLearning to find out what your organization needs to know about application security.

Register now!

 

Contact us for help with PCI DSS compliance.

--John

john_atdenimgroup.com

@johnbdickson

May 18, 2012 in ThreadStrong e-Learning | | Comments (2) | TrackBack (0)

Technorati Tags: , , , , , , , ,

April 10, 2012

Denim Group Donates E-Learning Courses to Higher Education

By John Dickson

For nearly two years, I’ve been intrigued by the idea of what industry types like myself can do to better introduce secure coding techniques to students in college. The thinking was this – if we can expose them to these techniques earlier in their coding careers, we will all be better served when they enter the workforce. If, for example, we can introduce future coders to security concepts, like least privilege or defense in depth, they are less likely to make design or coding mistakes that put software – and sensitive customer data – at risk.  Given that our mantra at Denim Group is to build a world where software is trusted, we are constantly looking for ways to encourage software developers to embrace the fundamentals of secure software.

Attempts to force universities to teach these concepts have fallen on deaf ears. As Mary Ann Davidson from Oracle has spoken about in the past, attempts to force university professors to teach secure coding techniques produces mixed results. There are many reasons for this, including the snail’s pace of curriculum changes, limited electives dealing with secure software development, and the need to teach a broader set of computer science concepts in a core curriculum. The gist of the story is this: computer science departments across the country are not educating their students on how to build more secure software. 

So what should we do, as an industry?  In a blog post last year I argued that there are many things industry can do to encourage academia to include defensive programming techniques and to further the concepts of secure software in general. At Denim Group, we are taking this a step further, and today we are announcing that we’re donating our ThreadStrong e-Learning courses on secure development to universities nationwide. We developed these courses to help software developers, and now we’re using them to help future software developers be better at their jobs. With influential universities like Purdue University and Rutgers University already signed up, and more interested every day, we’ll hopefully see the fruits of these efforts in future coders.  We hope this makes it easier for professors in computer science departments across the land to include some of these e-Learning courseware into a lecture or lab.  

If you have a favorite computer science professor or university that might be interested in taking advantage of the donation, please point them to www.threadstrong.com/educational_partners.html for more information.

--John

john _at_ denimgroup.com

@johnbdickson

April 10, 2012 in ThreadStrong e-Learning | | Comments (1) | TrackBack (0)

Technorati Tags: , , , , , , , , ,