LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad

Recent Posts

Categories

Subscribe to this blog's feed

Archives

Add me to your TypePad People list
Denim Group



Programming Blogs - Blog Catalog Blog Directory

August 28, 2009

Dan Cornell Presenting at OWASP Houston: Conducting Application Assessments

TOPIC: "Conducting Application Assessments"

SPEAKER(S): Dan Cornell, OWASP, Denim Group

ABSTRACT: This talk will review a number of application assessment techniques and discuss the types of security vulnerabilities they are best suited to identify as well as how the different approaches can be used in combination to produce more thorough and insightful results. Code review will be compared to penetration testing and the capabilities of automated tools will be compared to manual techniques. In addition, the role of threat modeling and architecture analysis will be examined. The goal is to illuminate assessment techniques that go beyond commodity point-and-click approaches to web application or code scanning.

Date: Wednesday, September 9th

Time: 6:00 - 7:30pm

Location: HCC
1010 West Sam Houston Parkway North
Spring Branch Campus Commons
Houston, TX 77043

Directions: Physically it is Beltway 8 and I-10 -- Take the Gesner Exit of I-10 from downtown. It is next door to Murphy's Deli.

Contact me for a parking pass: dan _at_ denimgroup.com / @danielcornell

Posted via web from denimgroup's posterous

August 28, 2009 in Dan Cornell, Denim Group, Dynamic Analysis, Information Security, John Dickson, OWASP, Security, Speaking Events, Static Analysis, Threat Modeling, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

August 08, 2009

Slide Decks from Last Week's OWASP Presentations Online

By Dan Cornell

IMG_0215

I wanted to thank the OWASP Washington DC and Northern Virginia chapters for their hospitality last week.  John Dickson and I had a great trip through the DC area.

The slide decks from the talks are online on the Denim Group website.  We also started something new and put them up on the Denim Group SlideShare site:


Vulnerability Management In An Application Security World
View more documents from Denim Group.

Application Assessment Techniques
View more documents from Denim Group.


--Dan
dan _at_ denimgroup.com
@danielcornell

August 08, 2009 in Application Security Tools, Dan Cornell, Denim Group, Information Security, OWASP, Security, Speaking Events, Static Analysis, Threat Modeling, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

July 29, 2009

Upcoming Virginia OWASP Talk: Conducting Application Assessments

By Dan Cornell

I will be presenting to the Virginia OWASP chapter on Thursday August 6th at 6pm.  The location is 13200 Woodland Park Road in Herndon, VA.  For more info check here.  The presentation abstract is:

This talk will review a number of application assessment techniques and discuss the types of security vulnerabilities they are best suited to identify as well as how the different approaches can be used in combination to produce more thorough and insightful results. Code review will be compared to penetration testing and the capabilities of automated tools will be compared to manual techniques. In addition, the role of threat modeling and architecture analysis will be examined. The goal is to illuminate assessment techniques that go beyond commodity point-and-click approaches to web application or code scanning.


The talk will be followed by a panel discussion, which should be a good one.  As always, OWASP meetings are free and open to all.  Hope to see folks there.

--Dan
dan _at_ denimgroup.com
@danielcornell

July 29, 2009 in Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, OWASP, Security, Speaking Events, Static Analysis, Threat Modeling, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

July 07, 2009

Denim Group Launches ThreadStrong

By Dan Cornell

This has been in the works for quite a while, but the actual public release came out today - Denim Group has released our new application security e-Learning program called ThreadStrong.

We have a brief video online here:

ThreadStrong is a great way for organizations to provide a base-level of application security knowledge for developers and other personnel involved in the software development process.  A number of organizations have also used it to address aspects of compliance requirements such as PCI.

The available courses include:

  • Introduction to Application Security Concepts (1 hour, for Developers, QA, Managers and Security Professionals)
  • Application Security for Java (4 hours, for Developers)
  • Application Security for .NET (4 hours, for Developers
  • Threat Modeling (1 hour, for Security Professionals and Developers)

Give us a call or drop us an email if you'd like a demo.


--Dan
dan _at_ denimgroup.com

July 07, 2009 in Application Security Tools, Dan Cornell, Denim Group, Information Security, Java, Microsoft, Security, Threat Modeling, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

June 24, 2009

Denim Group Teams with Rackspace Hosting

By Dan Cornell

I'm thrilled to announce Denim Group working with Rackspace Hosting (NYSE: RAX) customers to help them secure their applications via conducting code reviews, delivering secure software development training, and evaluating software development strategies for Rackspace clients.  We've known folks at Rackspace for years and had the opportunity to work with them in a variety of capacities so this is pretty exciting for us: BusinessWire release: Denim Group Teams with Rackspace Hosting

Whether you're hosting your applications in "the cloud" or on good old-fashioned servers, they're still targets for attack.  We're glad to have the opportunity to work with Rackspace and their clients to help reduce their risks.

John put together a brief video about the release:

This has also been picked up by a bunch of other folks:

--Dan
dan _at_ denimgroup.com
Twitter: @danielcornell

June 24, 2009 in Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, John Dickson, Pro Services Life, Security, Static Analysis, Threat Modeling, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (1) | TrackBack (0)

April 09, 2009

John Dickson at RSA: What You Don’t Know Can Hurt You: Security Professionals and Custom Apps

By Dan Cornell

John Dickson will be presenting at RSA this year about "What You Don’t Know Can Hurt You: Security Professionals and Custom Apps"  The abstract for the talk is:

Security managers rarely have software backgrounds. However, they get the blame when unsecure software is exploited and a breach occurs. This session will help security managers better characterize different software development approaches and identify risks associated with building custom applications. Software assessment strategies and secure SDLC improvements will be discussed in depth.

The session is PROF-402 and the talk is scheduled for:

Friday, April 24 10:10 AM
Purple 3

More info can be found on the RSA 2009 conference website.  Also - follow John on Twitter @johnbdickson for updates about RSA and more.

--Dan
dan _at_ denimgroup.com

April 09, 2009 in Conferences, Dan Cornell, Denim Group, Information Security, John Dickson, Pro Services Life, Security, Speaking Events, Threat Modeling, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Dan Cornell at RSA: Building an Organizational Application Security Competency

By Dan Cornell

I will be presenting at RSA this year about "Building an Organizational Application Security Competency"

We have a video abstract online:

The talk is scheduled to be held:

Friday, April 24 09:00 AM
Purple 305

And the session code is: PROF-401

Hope to see folks there!  I'll be in San Francisco and at RSA all week.  Follow me on Twitter @danielcornell for more updates.  If you are going to be in San Francisco and/or at RSA I'd love to meet up.

--Dan
dan _at_ denimgroup.com

April 09, 2009 in Conferences, Dan Cornell, Denim Group, Information Security, OWASP, Pro Services Life, Security, Speaking Events, Threat Modeling, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

January 30, 2009

Quoted In Express News Coverage of Security and Obama's Blackberry

By Dan Cornell

IMG_2275

Roy Bragg from the Express News quoted me in an article on email security and President Obama's BlackBerry.

--Dan
dan _at_ denimgroup.com

(photo is from my trip to Tangier, Morocco after the OWASP EU Summit 2008)

January 30, 2009 in Blogs, Dan Cornell, Denim Group, Information Security, Pro Services Life, Security, Threat Modeling, Web/Tech | | Comments (0) | TrackBack (0)

November 12, 2008

OWASP EU Summit in Portugal: Tuesday

By Dan Cornell

[Running a little behind, as usual.  Over the course of today I'll be putting up a series of posts to finish out my OWASP EU Summit notes.]

First of all, my favorite part of Tuesday was that I won a t-shirt at the Sensepost training class on offensive web application hacking.  H4x0r skillz!

IMG_0130
 

In addition to that, Tuesday was a really productive day.  I had the opportunity to attend a number of sessions where folks presented their Summer of Code projects and OWASP projects in general:

  • Jason Li - JSP Testing Tool - This tools tests JSP tag libraries to determine which attributes are properly escaped when they are written out to the HTML stream.  It does this by generating a large number of JSP/HTML examples with various payloads placed into the tags' attributes.  When the page renders, unescaped payloads change colors of parts of the DOM so you can see which attributes are "dangerous"  This is a very cool approach and it would be interesting to see how it applied to ASP.NET web controls as well.
  • Paolo Perego - Orizon - Orizon is a framework for code analysis that can apply various rules to look for security defects.  It currently supports Java and there are plans to make it support .NET.  Source code files are broken down into a number of XML representations and then those XML representations are run through a rules engine to identify potential security issues.
  • Alex Smolen - ESAPI.NET - This is the .NET version of the ESAPI.  Currently it is basically a word-for-word port of the Java ESAPI into C#, but the plan is to update the .NET version to accomodate existing security capabilities of the .NET platform such as the Membership API and the AntiXSS library.

I also had an opportunity to attend a number of working groups:

The energy and enthusiasm at this event was incredible.  As you'll see from the following posts we covered a lot of ground during the week and a lot got accomplished.

--Dan
dan _at_ denimgroup.com

November 12, 2008 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Java, Open Source, OWASP, Pro Services Life, Security, Speaking Events, Static Analysis, Threat Modeling, Training, Travel, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

November 05, 2008

OWASP EU Summit in Portugal: Monday

By Dan Cornell

OWASPBoard

This week I'm in Portugal at the OWASP EU Summit '08.

Just after I arrived on Monday I had the opportunity to talk about AJAX security and sprajax to a group of students at the 1 day OWASP event at the University of Algarve.  The slide deck was a shortened version of the one from when I presented at OWASP Montgomery.  I always enjoy speaking to University students because you have to work hard to frame the material in the appropriate context.  For example - how do you explain SQL injection to someone who has never written a database application?  How to explain PCI compliance to someone who has never worked inside an enterprise that takes credit cards?

I finally got some sleep Monday night after a day and a half of flights, airport wait time, presentations to University students and the conference kickoff.  This is shaping up to be a great event.  More to come.

--Dan
dan _at_ denimgroup.com

November 05, 2008 in AJAX, Application Security Tools, Conferences, Dan Cornell, Denim Group, Fortify, Information Security, Java, Open Source, OWASP, Pro Services Life, Science, Security, Static Analysis, Threat Modeling, Training, Travel, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Next »