LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad

Recent Posts

Categories

Subscribe to this blog's feed

Archives

Add me to your TypePad People list
Denim Group



Programming Blogs - Blog Catalog Blog Directory

November 08, 2011

New Application Security Webinar Series

By Dan Cornell

We've got some great webinars coming up, starting next week. John Dickson be explaining how to rank inherited applications according to the amount of risk they present to an organization, and how you can begin to assess those risks in "Securing Inherited Applications," which will be given in two parts. I'll be talking about automated virtual patching and how it can be successfully employed in "The Self-Healing Cloud."

These should be some great webinars. You can sign up for each below. If you're interested in the topic but can't attend the webinar, sign up to receive information after the webinar.

 

Monday, November 14, 11am (CST)
Securing Inherited Applications: Phase 1 - Gathering Information
Presented by John Dickson, CISSP

Security officers worry about the security of new applications being built, but what really keeps them up at night is the security of hundreds of applications they've inherited. This webinar will help participants understand how to begin assessing applications that are already build and are likely in production. The first phase of risk assessment is gathering information - Where did this application come from? Who uses the application? Does it fulfill any compliance requirements? What kind of technology does the application use? Attendees will learn what they need to know about inherited applications before they can assess their risks.

 Register Now Button

Thursday, November 17, 11am (CST)
The Self-Healing Cloud: Protecting Applications and Infrastructure with Automated Virtual Patching
Presented by Dan Cornell

Organizations sometimes deploy applications on their infrastructure without thorough security testing, putting the applications and the infrastructure they are deployed on at risk of exploitation. Application-level vulnerabilities often require coding changes to be fully addressed. Virtual patching is a technique where targeted rules are created for web application firewalls or other IDS/IPS technologies to help mitigate specific known application vulnerabilities. Attendees will learn how to create virtual patches and the nuances of using virtual patches.

 Register Now Button

Friday, December 2, 11am (CST)
Securing Inherited Applications: Phase 2 - Risk Ranking
Presented by John Dickson, CISSP

Many security officers worry less about the security of new applications being built and more about the security of hundreds of applications they inherited. What applications represent the biggest risk? What attributes make them more or less risky? What are the most cost-effective courses of action given budget constraints in today's business environment? In a webinar on Monday, November 14, John Dickson explained how and what kind of information to gather about inherited applications. This webinar will help participants create a risk-based approach to managing the security of an existing application portfolio using tools like the OWASP ASVS model. Attendees will get a basic understanding of the risk-ranking process that they can immediately apply to their work environment.

 Register Now Button

Contact us for if you are interested in talking more about virtual patching or application portfolio risk ranking.

--Dan

dan _at_ denimgroup.com

@danielcornell

November 08, 2011 in Training | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , ,

September 02, 2009

Work Hard, Play Hard, and e-Learn

We have our share of characters here at Denim Group – brilliant folks who like to work hard and play hard.  Lately we have been putting a lot of work into the upcoming quarterly update of our ThreadStrong application security e-Learning product.  This is a pretty major revision with audio, demonstrations and interactive exercises.  I got a kick out of this email exchange and thought I would post it online.

-----Original Message-----

From: Michael

Sent: ...

To: ...

Subject: e-Learning - Meeting notes - storyboard planning

 

> All:

>

> Here is what we came up with during our storyboard meeting:

>

> -New order for the sections will be:

> 1. Breaches

> 2. Attack demonstration

> 3. What/Why

> 4. SQL injection

> 5. HTTP Basics

> 6. XSS

> 7. Quiz

>

I believe that covers it. I took this picture from the meeting.

-----Original Message-----

From: Bryan

Sent: ...

To: ...

Subject: e-Learning - Meeting notes - storyboard planning

Wow, you know, I'd noticed during today's meeting that we had a lot more productive and intelligent discussion. I was looking back at notes from the last meeting and I think I figured out what our problem was.

Like I said – a real cast of characters.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from denimgroup's posterous

September 02, 2009 in Dan Cornell, Denim Group, Information Security, Pro Services Life, Security, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

July 07, 2009

Denim Group Launches ThreadStrong

By Dan Cornell

This has been in the works for quite a while, but the actual public release came out today - Denim Group has released our new application security e-Learning program called ThreadStrong.

We have a brief video online here:

ThreadStrong is a great way for organizations to provide a base-level of application security knowledge for developers and other personnel involved in the software development process.  A number of organizations have also used it to address aspects of compliance requirements such as PCI.

The available courses include:

  • Introduction to Application Security Concepts (1 hour, for Developers, QA, Managers and Security Professionals)
  • Application Security for Java (4 hours, for Developers)
  • Application Security for .NET (4 hours, for Developers
  • Threat Modeling (1 hour, for Security Professionals and Developers)

Give us a call or drop us an email if you'd like a demo.


--Dan
dan _at_ denimgroup.com

July 07, 2009 in Application Security Tools, Dan Cornell, Denim Group, Information Security, Java, Microsoft, Security, Threat Modeling, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

June 24, 2009

Denim Group Teams with Rackspace Hosting

By Dan Cornell

I'm thrilled to announce Denim Group working with Rackspace Hosting (NYSE: RAX) customers to help them secure their applications via conducting code reviews, delivering secure software development training, and evaluating software development strategies for Rackspace clients.  We've known folks at Rackspace for years and had the opportunity to work with them in a variety of capacities so this is pretty exciting for us: BusinessWire release: Denim Group Teams with Rackspace Hosting

Whether you're hosting your applications in "the cloud" or on good old-fashioned servers, they're still targets for attack.  We're glad to have the opportunity to work with Rackspace and their clients to help reduce their risks.

John put together a brief video about the release:

This has also been picked up by a bunch of other folks:

--Dan
dan _at_ denimgroup.com
Twitter: @danielcornell

June 24, 2009 in Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, John Dickson, Pro Services Life, Security, Static Analysis, Threat Modeling, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (1) | TrackBack (0)

June 23, 2009

Why Do Vulnerable Applications Take So Long To Fix? - Webinar Follow-Up

By Dan Cornell

I realize I did a crappy job of promoting this webinar via the blog (most promotion was done via Twitter - follow me @danielcornell), but I wanted to get links to the recording and associated resources up online.

I recently did a webinar with Jeremiah Grossman from WhiteHat Security titled "Vulnerable Applications - Why Do They Take So Long To Fix?"  Online resources for the webinar are available here:

Also, we discussed several other online resources during the webinar:

And here is something we neglected to mention during the webinar, but is worth a glance:

We had great attendance, great questions and a lot of great follow-up after the webinar.  Hopefully these resources are useful to folks trying to spur their organizations to take action against application security vulnerabilities.

--Dan
dan _at_ denimgroup.com

June 23, 2009 in Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Pro Services Life, Security, Speaking Events, Static Analysis, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

April 22, 2009

Denim Group Mention in InformIT Article on Software Security Industry Trends

By Dan Cornell

Denim Group was mentioned in a recent article on the Software Security industry trends by Gary McGraw.  It highlights how we grew last year - even in a tough economy.

We see similar trends to those mentioned in the article in organizations we work with - penetration testing is still important, but many groups are also starting to put material resources toward source code analysis.  Now that most folks have been through the first rounds of assessments or penetration tests folks are putting more thought into the organizational changes they need to make in order to address software security risks.  Overall this is very healthy as we move into the post-scanner world.

--Dan
dan _at_ denimgroup.com

April 22, 2009 in Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Pro Services Life, Security, Static Analysis, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

April 09, 2009

John Dickson at RSA: What You Don’t Know Can Hurt You: Security Professionals and Custom Apps

By Dan Cornell

John Dickson will be presenting at RSA this year about "What You Don’t Know Can Hurt You: Security Professionals and Custom Apps"  The abstract for the talk is:

Security managers rarely have software backgrounds. However, they get the blame when unsecure software is exploited and a breach occurs. This session will help security managers better characterize different software development approaches and identify risks associated with building custom applications. Software assessment strategies and secure SDLC improvements will be discussed in depth.

The session is PROF-402 and the talk is scheduled for:

Friday, April 24 10:10 AM
Purple 3

More info can be found on the RSA 2009 conference website.  Also - follow John on Twitter @johnbdickson for updates about RSA and more.

--Dan
dan _at_ denimgroup.com

April 09, 2009 in Conferences, Dan Cornell, Denim Group, Information Security, John Dickson, Pro Services Life, Security, Speaking Events, Threat Modeling, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Dan Cornell at RSA: Building an Organizational Application Security Competency

By Dan Cornell

I will be presenting at RSA this year about "Building an Organizational Application Security Competency"

We have a video abstract online:

The talk is scheduled to be held:

Friday, April 24 09:00 AM
Purple 305

And the session code is: PROF-401

Hope to see folks there!  I'll be in San Francisco and at RSA all week.  Follow me on Twitter @danielcornell for more updates.  If you are going to be in San Francisco and/or at RSA I'd love to meet up.

--Dan
dan _at_ denimgroup.com

April 09, 2009 in Conferences, Dan Cornell, Denim Group, Information Security, OWASP, Pro Services Life, Security, Speaking Events, Threat Modeling, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

November 12, 2008

OWASP EU Summit in Portugal: Thursday

By Dan Cornell

IMG_2162

I must admit - by Thursday I was feeling a little rough.  Mostly because of the two evening soccer (football?) games.  That's far too much running in too short a period of time for me.  Regardless, Thursday shaped up to be another great day with some great project presentations and working groups.  Projects I saw Thursday included:

  • James Walden - Source Code Review Project - The Open Review Project (ORPRO) has been working with James Walden and his folks to get all OWASP projects run through at least an automated security source code review.  James presented on his work over the summer getting workflows set up and working with the automated review platform.
  • Stephan Evans - Securing WebGoat with mod_security - This was a very interesting presentation on how to address the security vulnerabilities in WebGoat using mod_security rules.  It was cool to see how Lua scripting can be used to address issues that go beyond the typical technical vulnerabilities like SQL injection and cross site scripting (XSS).
  • Arturo Busleiman - Enigform and mod_OpenPGP Project - This is an interesting approach to securing web communications that leverages the PGP infrastructure rather than relying on SSL.
  • Marcin Wielgoszewski - AntiSamy.NET Project - This is a port of the AntiSamy project to work for .NET environments.

Working groups I attended were:

  • Intra-Government Working Group - Lots of great ideas here in two areas.  First - how to get OWASP involved with governmental standards bodies so that we can act as a resource as well as influence standards and practices.  Second - how to better communicate with government consumers on how to best use OWASP resources to make their infrastructures safer.
  • OWASP Strategic Planning -  Too many topics to mention here - the results should be coming out in a press release and a summary of the event.
  • Chapter Leaders Working Group - It was great to have an opportunity to interact with chapter leaders running chapters in a variety of state of maturity.  Certainly lots of good suggestions that I can bring back to use for the San Antonio chapter.

Mercifully, the Chapter Leaders session ran all the way until our late dinner time so we couldn't play another game of soccer.

--Dan
dan _at_ denimgroup.com

November 12, 2008 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Fortify, Information Security, Open Source, OWASP, Pro Services Life, Security, Speaking Events, Static Analysis, Training, Travel, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

OWASP EU Summit in Portugal: Wednesday

By Dan Cornell

IMG_0138

Wednesday was another day packed full of project presentations and working group sessions.  The project presentations I attended included:

  • Eduardo Neves - Positive Security Project - Many security programs are focused solely on the negative - what should not be done and so on.  This project is intended to create awareness of the "good" activities teams can perform to build security in.
  • Martin Knobloch - Education Project - This goal of this project is to organize OWASP materials so that they can be used in programs to educate developers about application security.  So far they have put together two full training classes with slide decks.
  • Juan Carlos Calderon - Internationalization - This project aims to get OWASP materials translated into a variety of languages to as to better distribute them to the developers that need them.
  • Lucilla Mancini - PASSWD - The PASSWD project aims to use modeling to predict the security state of applications.
  • Me (Dan Cornell) - Open Review Project (ORPRO) - This is a project I have been working with Mario deBoer and the folks from Fortify with for the past couple of months.  The goal is to make security code review services - both automated and manual - available to open source projects.  We are currently working with the folks from Moodle and will be looking to expand that involvement to other projects in the future.  (We're always looking for volunteers, so if you are interesting in performing security reviews for open source code please let me know!)

The working group I attended was:

  • Education Project Working Group - Lots of great discussions in this group including how to best structure the courses of instruction as well as thoughts about using the LiveCD Project as a distribution mechanism for courseware.

--Dan
dan _at_ denimgroup.com

November 12, 2008 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Fortify, Information Security, Open Source, OWASP, Pro Services Life, Security, Speaking Events, Static Analysis, Training, Travel, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Next »