LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad
Subscribe to this blog's feed

Recent Posts

Categories

Archives

Add me to your TypePad People list


Programming Blogs - Blog Catalog Blog Directory

Denim Group

March 26, 2013

BSides Austin Recap: Implementation Patterns for Software Security Programs

By Dan Cornell

BSides Austin 2013 was at the end of last week and one of the things I did while I was there was give a talk about different patterns we've seen as we've helped firms put together their software security programs. Slides are online:

The abstract for the talk was:

Every organization’s software security program implementation is different, but patterns exist providing guidance to those looking to plan for their program rollouts. This presentation covers several aspects of this process including the “ownership” of the software security program as well as implementation of static code analysis, dynamic application testing and developer security education.

Contact us for help building a software security program that works for your organization.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 26, 2013 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Scanners, Security, Speaking Events, Static Analysis, ThreadStrong e-Learning, Threat Modeling, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , ,

March 13, 2013

Denim Group at InnoTech San Antonio 2013: Smart Phones Dumb Apps

By Dan Cornell

SA-Header
Folks headed to InnoTech San Antonio on Wednesday April 17th, 2013 should stop by the Denim Group booth and say howdy. Also, I'll be giving an updated version of my Smart Phones Dumb Apps talk at 1:00pm. The abstract for that talk is:

Enterprises are targeting both internal users and customers with smartphone applications for platforms such as Apple iPhone and Google Android.  Many of these applications are constructed without fully considering the associated security implications of their deployment.  Breaches can impact both users as well as the enterprise distributing the application as attackers take advantage of expanded access to sensitive data and network services.  This talk discusses emerging threats associated with deploying  smartphone applications  and provides an overview of the threat modeling process.  The presentation then walks example applications from an attacker’s perspective demonstrating the sort of information they are able to extract allowing for more advanced attacks.

So if your organization is building - or using - mobile applications on platforms like Android and iOS (iPhone/iPad) you probably want to drop by. This is a fun, interactive presentation with a lot of examples that helps demonstrate why mobile security isn't just about MDM and dealing with BYOD. You also need to pay attention to the applications getting deployed on these mobile operating systems if you want to protect both your organization's and your customers' data.

Also if you want a FREE admission to InnoTech San Antonio 2013, head to www.innotechsan.com and use the code SPK13C to register.

 Contact us if you want to meet up at InnoTech San Antonio 2013 and talk about mobile application security.

--Dan

dan _at_ denimgroup.com

@danielcornell

Related articles
Denim Group at BSides Austin 2013: Building Secure Mobile Apps and Software Security Implementation Patterns
Search Software Quality: Understanding Mobile, Web and Cloud Apps and System Architecture
Smart Phones Dumb Apps Scripts Updated

March 13, 2013 in Conferences, Dan Cornell, Denim Group, Information Security, iPhone, Mobile, Security, Speaking Events, Threat Modeling, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

March 10, 2013

Denim Group at BSides Austin 2013: Building Secure Mobile Apps and Software Security Implementation Patterns

By Dan Cornell

 

BSides Texas Logo w color hat
I will be up at BSides Austin 2013 in a couple of weeks. Thursday March 21st I will be giving a short training class from 4:00pm through 6:00pm titled "Developing Secure Mobile Applications." The brief abstract is:

This course provides an introduction to security for mobile applications. It walks through a basic threat model for a mobile application. This threat model is then used as a framework for making good decisions about designing and building applications as well as for testing the security of existing applications. Examples are provided for both iOS (iPhone and iPad) and Android platforms and sample code is provided to demonstrate mobile security assessment techniques.

We've only got two hours so I can't teach you everything about building and testing secure mobile apps (assuming I even knew everything about the subject...) but I can help make you smarter. Should be a good time.

Also on Friday March 22nd from 1:00pm to 2:00pm I will be giving a talk titled "Implementation Patterns for Software Security Programs" The abstract for this talk is:

Every organization’s software security program implementation is different, but patterns exist providing guidance to those looking to plan for their program rollouts. This presentation covers several aspects of this process including the “ownership” of the software security program as well as implementation of static code analysis, dynamic application testing and developer security education.

This should be a fun one because we talk through war stories of things we've seen be successful as well as things we've seen go horribly wrong.

Contact us if you want to meet up at BSides Austin 2013. The last time I checked there were still tickets available.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 10, 2013 in Application Security Remediation, Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Mobile, Remediation, Scanners, Security, Software Security Remediation, Speaking Events, Static Analysis, Threat Modeling, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

February 18, 2013

Search Software Quality: Requirements Management Process - Security and Application Performance

By Dan Cornell

Search_software_quality_logo

Search Software Quality published another of my answers to reader questions:

Why is it important for organizations to include security and application performance considerations in the requirements management process, and how can they most effectively do this?

You can see my full answer online where I talk about the importance of capturing these critical requirements early to save time and money later on (sorry - registration required). For those looking for a quick preview, I talk about the cost savings associated with laying out these important classes of requirements early. The focus is on coming to an understanding and making this understanding explicit so that all interested parties can agree up front on the requirements and tradeoffs that must be made in order to meet them.

Contact us for help building mobile, web and cloud application with critical security and performance requirements.

--Dan

dan _at_ denimgroup.com

@danielcornell

February 18, 2013 in Cloud, Dan Cornell, Denim Group, Information Security, Performance Testing, Remediation, Security, Software Security Remediation, Threat Modeling, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

February 13, 2013

Search Software Quality: Understanding Mobile, Web and Cloud Apps and System Architecture

By Dan Cornell

Search_software_quality_logo

Search Software Quality published another of my answers to reader questions:

Can you explain the differences between mobile apps, cloud apps and web apps?

You can see my full answer online where I talk about the importance of understanding how these apps often work together (sorry - registration required). For those looking for a quick preview, I try to move beyond the obvious "mobile apps run on mobile devices" answer and look into the complexity of many modern applications - how they combine aspects of mobile, web and cloud to produce the ultimate user experience. The end result is that system designers - and system testers - need to understand the overall application architecture if they want to have better insight into what parts of their apps are mobile, web-based or cloudy.

Contact us for help building mobile, web and cloud applications.

--Dan

dan _at_ denimgroup.com

@danielcornell

February 13, 2013 in AJAX, Cloud, Dan Cornell, Denim Group, Information Security, Mobile, Security, Threat Modeling, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

August 28, 2009

Dan Cornell Presenting at OWASP Houston: Conducting Application Assessments

TOPIC: "Conducting Application Assessments"

SPEAKER(S): Dan Cornell, OWASP, Denim Group

ABSTRACT: This talk will review a number of application assessment techniques and discuss the types of security vulnerabilities they are best suited to identify as well as how the different approaches can be used in combination to produce more thorough and insightful results. Code review will be compared to penetration testing and the capabilities of automated tools will be compared to manual techniques. In addition, the role of threat modeling and architecture analysis will be examined. The goal is to illuminate assessment techniques that go beyond commodity point-and-click approaches to web application or code scanning.

Date: Wednesday, September 9th

Time: 6:00 - 7:30pm

Location: HCC
1010 West Sam Houston Parkway North
Spring Branch Campus Commons
Houston, TX 77043

Directions: Physically it is Beltway 8 and I-10 -- Take the Gesner Exit of I-10 from downtown. It is next door to Murphy's Deli.

Contact me for a parking pass: dan _at_ denimgroup.com / @danielcornell

Posted via web from denimgroup's posterous

August 28, 2009 in Dan Cornell, Denim Group, Dynamic Analysis, Information Security, John Dickson, OWASP, Security, Speaking Events, Static Analysis, Threat Modeling, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

August 08, 2009

Slide Decks from Last Week's OWASP Presentations Online

By Dan Cornell

IMG_0215

I wanted to thank the OWASP Washington DC and Northern Virginia chapters for their hospitality last week.  John Dickson and I had a great trip through the DC area.

The slide decks from the talks are online on the Denim Group website.  We also started something new and put them up on the Denim Group SlideShare site:


Vulnerability Management In An Application Security World
View more documents from Denim Group.

Application Assessment Techniques
View more documents from Denim Group.


--Dan
dan _at_ denimgroup.com
@danielcornell

August 08, 2009 in Application Security Tools, Dan Cornell, Denim Group, Information Security, OWASP, Security, Speaking Events, Static Analysis, Threat Modeling, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

July 29, 2009

Upcoming Virginia OWASP Talk: Conducting Application Assessments

By Dan Cornell

I will be presenting to the Virginia OWASP chapter on Thursday August 6th at 6pm.  The location is 13200 Woodland Park Road in Herndon, VA.  For more info check here.  The presentation abstract is:

This talk will review a number of application assessment techniques and discuss the types of security vulnerabilities they are best suited to identify as well as how the different approaches can be used in combination to produce more thorough and insightful results. Code review will be compared to penetration testing and the capabilities of automated tools will be compared to manual techniques. In addition, the role of threat modeling and architecture analysis will be examined. The goal is to illuminate assessment techniques that go beyond commodity point-and-click approaches to web application or code scanning.


The talk will be followed by a panel discussion, which should be a good one.  As always, OWASP meetings are free and open to all.  Hope to see folks there.

--Dan
dan _at_ denimgroup.com
@danielcornell

July 29, 2009 in Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, OWASP, Security, Speaking Events, Static Analysis, Threat Modeling, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

July 07, 2009

Denim Group Launches ThreadStrong

By Dan Cornell

This has been in the works for quite a while, but the actual public release came out today - Denim Group has released our new application security e-Learning program called ThreadStrong.

We have a brief video online here:

ThreadStrong is a great way for organizations to provide a base-level of application security knowledge for developers and other personnel involved in the software development process.  A number of organizations have also used it to address aspects of compliance requirements such as PCI.

The available courses include:

  • Introduction to Application Security Concepts (1 hour, for Developers, QA, Managers and Security Professionals)
  • Application Security for Java (4 hours, for Developers)
  • Application Security for .NET (4 hours, for Developers
  • Threat Modeling (1 hour, for Security Professionals and Developers)

Give us a call or drop us an email if you'd like a demo.


--Dan
dan _at_ denimgroup.com

July 07, 2009 in Application Security Tools, Dan Cornell, Denim Group, Information Security, Java, Microsoft, Security, Threat Modeling, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

June 24, 2009

Denim Group Teams with Rackspace Hosting

By Dan Cornell

I'm thrilled to announce Denim Group working with Rackspace Hosting (NYSE: RAX) customers to help them secure their applications via conducting code reviews, delivering secure software development training, and evaluating software development strategies for Rackspace clients.  We've known folks at Rackspace for years and had the opportunity to work with them in a variety of capacities so this is pretty exciting for us: BusinessWire release: Denim Group Teams with Rackspace Hosting

Whether you're hosting your applications in "the cloud" or on good old-fashioned servers, they're still targets for attack.  We're glad to have the opportunity to work with Rackspace and their clients to help reduce their risks.

John put together a brief video about the release:

This has also been picked up by a bunch of other folks:

--Dan
dan _at_ denimgroup.com
Twitter: @danielcornell

June 24, 2009 in Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, John Dickson, Pro Services Life, Security, Static Analysis, Threat Modeling, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (1) | TrackBack (0)

Next »