LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad
Subscribe to this blog's feed

Recent Posts

Categories

Archives

Add me to your TypePad People list


Programming Blogs - Blog Catalog Blog Directory

Denim Group

April 08, 2013

Webinar: Running a Web Security Testing Program with OWASP ZAP and ThreadFix

By Dan Cornell

Zap128x128ThreadFix_72

Simon Bennetts (@psiinon) and I will be doing a webinar Wednesday April 24th, 2013 at 10:30am Central Daylight Time to talk about how organizations can set up a web security testing program using the freely available tools OWASP Zed Attack Proxy (ZAP) and ThreadFix.

You can register online here: Running a Web Security Testing Program with OWASP ZAP and ThreadFix

Abstract:

OWASP's Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. ThreadFix is a software vulnerability management platform that allows organizations to track the results of testing and communicate vulnerabilities to software development teams. Used together, these open source tools allow organizations to build a comprehensive program of web application security testing and vulnerability management. Security analysts can perform automated and manual testing of critical applications, track the results of their testing and report metrics on their program's effectiveness. This webinar walks through the basics of using OWASP ZAP for web application scanning and testing. It then demonstrates storing and managing these results inside of ThreadFix and communicating them to development teams for resolution. Developers and security professionals alike will benefit from seeing how these two tools used in combination can allow any organization to start taking control of the security of their web applications.

Contact us if you woud like to talk more about getting the most out of great tools like OWASP ZAP and ThreadFix.

--Dan

dan _at_ denimgroup.com

@danielcornell

April 08, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, OWASP, Remediation, Scanners, Security, Software Security Remediation, Speaking Events, ThreadFix Application Vulnerability Management, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (1) | TrackBack (0)

Technorati Tags: , , , , , , , , , ,

April 07, 2013

OWASP Dallas: Implementation Patterns for Software Security Programs

By Dan Cornell

Ologo

I will be in Dallas on May 8th to speak to the OWASP Dallas chapter. The meeting runs from 11:30am through 1:00pm and is located at Richland College, 12800 Abrams Road, Dallas, TX 75243 at Sabine Hall in room SH117.

I will be giving an updated version of my talk titled "Implementation Patterns for Software Security Programs." (See my writeup of BSides Austin 2013 for some more background) The abstract for the presentation is:

Most organizations have finally realized that the software applications they are developing and deploying exposes them to significant risks. Organizations that are serious about this issue have started rolling out software security programs to address these risks in a structured manner. The challenge for these organizations is to determine what measures to put in place and how to implement those measures to best reduce their exposure. Efforts such as BISMM, OpenSAMM and Microsoft's SDL have shown that there are a number of components of software security programs that are reasonably standard, but there are different ways of implementing tools and deploying processes so what was successful for one organization does not guarantee success in others. Matching implementation strategies to the specific capabilities, limitations, strengths and weaknesses of the organizations is critical to a successful program roll-out.

This presentation relates several example case studies for organizations rolling out different portions of their software security programs. Although every organization is different, looking across multiple program implementations allows patterns to emerge and these patterns can provide guidance to other organizations looking to organize plans for their software security programs.

Several aspects of program rollout and the associated program are covered. Firstly, the presentation provides a discussion of selecting the organizational "owner" of the software security program. Although many parts of the organization must be involved, one group must be ultimately responsible for the security state of software developed and deployed. Then the presentation looks into three specific software security activities: static code analysis, dynamic application testing and developer security education. Several implementation patterns for each of these activity rollouts are outlined along with factors organizations can use to decide if a particular approach is well suited to their needs. These patterns help to provide templates that minimize the requirement of an organization to experiment and break new, risky ground by allowing them to benefit from lessons learned from previous efforts.

The presentation is vendor-neutral and based on experiences working with several organizations creating software security programs.

I always enjoy speaking to OWASP groups and I'm thrilled to have the opportunity to come back and talk to the folks in Dallas. Looking forward to seeing everyone there!

Contact us for help building a software security program that works for your organization.

--Dan

dan _at_ denimgroup.com

@danielcornell

April 07, 2013 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, OWASP, Scanners, Security, Speaking Events, Static Analysis, ThreadStrong e-Learning, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , ,

March 26, 2013

BSides Austin Recap: Implementation Patterns for Software Security Programs

By Dan Cornell

BSides Austin 2013 was at the end of last week and one of the things I did while I was there was give a talk about different patterns we've seen as we've helped firms put together their software security programs. Slides are online:

The abstract for the talk was:

Every organization’s software security program implementation is different, but patterns exist providing guidance to those looking to plan for their program rollouts. This presentation covers several aspects of this process including the “ownership” of the software security program as well as implementation of static code analysis, dynamic application testing and developer security education.

Contact us for help building a software security program that works for your organization.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 26, 2013 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Scanners, Security, Speaking Events, Static Analysis, ThreadStrong e-Learning, Threat Modeling, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , ,

BSides Austin Recap: Developing Secure Mobile Applications

By Dan Cornell

BSides Austin 2013 was at the end of last week and one of the things I did while I was there was give a short, two hour training session titled "Developing Secure Mobile Applications" This is a (very) cut down version of some of the instructor-led training classes we give on developing secure mobile applications and testing the security of mobile applications. Slides are online:

The abstract for the training was:

This course provides an introduction to security for mobile applications. It walks through a basic threat model for a mobile application. This threat model is then used as a framework for making good decisions about designing and building applications as well as for testing the security of existing applications. Examples are provided for both iOS (iPhone and iPad) and Android platforms and sample code is provided to demonstrate mobile security assessment techniques.

Contact us for help building secure mobile applications and testing the security of mobile applications.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 26, 2013 in Dan Cornell, Denim Group, Information Security, iPhone, Mobile, Security, Speaking Events, ThreadStrong e-Learning, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , ,

March 18, 2013

Developers and QA Doing Security Testing: I've Got Management Buy-In, Now What?

By Dan Cornell

One of the things I do is answers questions as an "expert" for the web site SearchSoftwareQuality.com and they recently posted an answer I gave to a question about how to get developers and quality assurance folks to do security testing. You can see my blog post about this here as well as the original question and answer here. After I posted this online, Aaron Weaver on Twitter asked a great question: "What else beside management buy-in?"

Screen Shot 2013-03-18 at 2.14.55 PM
I had to admit - this was a great question and my original response did kind of boil down to:

  • Decide if you really want developers and QA to be performing security testing
  • If so, you have to get management support to make it happen

That's all well and good, but doesn't really address the whole issue which could be summed up in the question "Assuming I want developers and QA to be performing security testing AND I have management buy in how do I do this successfully?" So I figured I would provide some more thoughts based on our experience working to get developers and QA folks to help out with security testing.

In short:

  1. Understand your goals for dev/QA security testing and let the involved parties know what the goals are
  2. Learn about what they are currently doing so you can set proper expectations
  3. Provide them context-specific training and support so they can be successful
  4. Follow up later to see if you are getting what you wanted

Let's look at each of these in a little more detail:

1 - Know and Communicate Your Goals

What exactly is it that you want to get from having developers or QA folks perform security testing? If you're hoping that providing them some testing tools will magically solve your software security problem you are in for a rude awakening so it is important to be realistic. Are you hoping that developers can catch certain types of security bugs early so you don't have to deal with them later? Is your security group understaffed and you're hoping that QA can help shore you up with some manual application penetration testing? You need to know your goals up-front, be realistic about what you can achieve and make sure that the developers and QA testers know their role in the process. If you can't tell these folks what you want them to do - management buy-in or not - they aren't going to be successful in doing it. Also it is probably a good idea at this point to take some measurements of the current state of affairs - how many security bugs are making it past development and QA? How long - calendar time and level of effort - does it take to fix vulnerabilities once they're identified? This will be important later.

2 - Learn About Current Development and QA Processses

Once you know the outcomes you want to see, it is really important to understand what practices, tools and processes developers are QA already have in place for development and testing. Is the team doing Test-Driven Development (TDD)? Are they using a Contininuous Integration (CI) environment with an existing set of unit and functional tests? Or is the situation, candidly, a mess with no processes, little or not automation and no real framework for making changes. Our sample size isn't really big enough yet to state this quantitatively, but one of the things we found doing some stastistics on software security remediation projects was that teams that had good, "modern" development practices in place were able to fix vulnerabilities with less disruption and effort. The same goes for integrating security testing into the activities of development and QA teams - the maturity of their overall environment is going to be an indicator of what you can expect these folks to be able to do on the security front.

3 - Provide Context-Specific Training and Support

After you know what you want developers and testers to do and have reality-checked these goals against the ground truth of what the teams are capable of, you need to show them what you want them to do and the more specific and context-relevant you can make this education, the more successful you are going to be. I used to think that teaching the principles of secure development was sufficient - if developers know they need to do input validation and contextual encoding they'll go out and find the appropriate resources for their particular environment, right? I also used to think that all developers loved to spend their free time looking at different tools and figuring out how they could be useful in their environment. In short, I was an idiot. (Arguably I'm still an idiot, but that is probably something to explore in other blog posts...) Developers and testers already have jobs to do and, prior to your current initiative, those jobs probably didn't require them to do security testing. Management buy-in is helpful to spur actions, but development and non-security testing still has to get done. Assuming you want to developers and testers to adopt new practices and new tools at any sort of scale you need to show them what they need to do and be as specific and prescriptive as possible so that you minimize the impact on ... all the other stuff the developers and QA testers are supposed to do.

4 - Follow Up

If you've crafted your developer and QA security testing program along these lines so far hopefully you're in a position where you can see some results. So next you need to check and see if you're actually getting the results you want. If you wanted developers to start running a static analysis tool and catching things like SQL injection and cross-site scripting (XSS) before it got to pre-deployment testing you should check to see if that is actually happening (you did remember to check and see how many SQLi and XSS you were finding before you made this change, right?) If it is - fantastic! If not - why not? This post is predicated on the assumption that you have enough management buy-in to get these teams to change their behavior. If you like having management buy-in and want to continue to have it in the future you'd best have answers to questions like "I authorized you to spend $X on application security testing - what did we get from that?"

Watching This In Action

I had the opportunity to run through this process with a group who was rolling out a static analysis tool to their developers recently. They had purchased enough licenses for the majority of their developers and wanted to use the static analysis tool to decrease PCI-relevant findings before applications got in front of PCI auditors. We worked with them to understand their development environment and how code was developed, tested and ultimately deployed to production. Based on this we crafted a very specific rollout and training plan. Part of this program development was a conversation like this:

Me: "... and we can show them the different types of analysis the tool can perform - it has some really cool capabilities"

Security Rep: "Don't care"

Me: "... and we can show them how to write their own custom rules - that can be really helpful tuning the tool to work for applications in your environment"

Security Rep: "Don't care"

Me: "... and ..."

Security Rep: "I just want you to show them how to install the IDE plugin, how to click the button to run a scan, and how to interpret and address the results the scan kicks out. Any other problems - they can come to me for help."

And that's exactly what we did. Did we strike a "grand bargain" to radically change the way this organization develops software? No. Did we turn all of their developers into secure software development gurus? No. But what we did accomplish was:

  • Took an investment of money and staff time
  • Acquired a new technology and rolled it out by changing the organization's processes and training the relevant staff on what they need to do to be successful
  • Put the developers in a position to find and address important vulnerabilities earlier in their development process
  • Reduced the vulnerability count in their software and made their PCI audits less painful (with graphs to prove it!)

Was this a "home run" for the cause of software security in this organization? No. Was it a solid single or double? Yeah I think it was. And, possibly more important, it provides a track record of success that can be used to make further advancements. I'll take it.

Contact us to talk about the roles development and QA can play in building secure software.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 18, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Scanners, Security, Static Analysis, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

March 12, 2013

Search Software Quality: Stamping Out Cross-Site Scripting and SQL Injection

By Dan Cornell

Search_software_quality_logo

Search Software Quality published another of my answers to reader questions:

Why are SQL injections or XSS (cross-site scripting) errors still the biggest problem in application security, particularly web application security? What tests or processes can we use to reduce this problem?

You can see my full answer online where I talk about taking a multi-pronged approach to addressing these issues (sorry - registration required). For those looking for a quick preview, I talk about:

  • Knowing you application attack surface (you can't defend what you don't know about)
  • Training developers to build applications that aren't susceptible to common attacks
  • Verifying that training was effective by implementing a testing program

It is certainly possible to build applications that don't contain these errors, but few organizations have been successful implementing a comprehensive approach for dealing with these issues. However, by understanding the scope of the problem and the steps required to get it under control, organizations can make significant progress.

Contact us for help finding and eliminating common errors like SQL injection and cross-site scripting (XSS) from your applications.

--Dan

dan _at_ denimgroup.com

@danielcornell

Related articles
Search Software Quality: Expanding Cloud-Based Technologies - Application Performance Issues
Search Software Quality: Data Security in a SaaS World

March 12, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Remediation, Scanners, Security, Software Security Remediation, Static Analysis, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

March 10, 2013

Denim Group at BSides Austin 2013: Building Secure Mobile Apps and Software Security Implementation Patterns

By Dan Cornell

 

BSides Texas Logo w color hat
I will be up at BSides Austin 2013 in a couple of weeks. Thursday March 21st I will be giving a short training class from 4:00pm through 6:00pm titled "Developing Secure Mobile Applications." The brief abstract is:

This course provides an introduction to security for mobile applications. It walks through a basic threat model for a mobile application. This threat model is then used as a framework for making good decisions about designing and building applications as well as for testing the security of existing applications. Examples are provided for both iOS (iPhone and iPad) and Android platforms and sample code is provided to demonstrate mobile security assessment techniques.

We've only got two hours so I can't teach you everything about building and testing secure mobile apps (assuming I even knew everything about the subject...) but I can help make you smarter. Should be a good time.

Also on Friday March 22nd from 1:00pm to 2:00pm I will be giving a talk titled "Implementation Patterns for Software Security Programs" The abstract for this talk is:

Every organization’s software security program implementation is different, but patterns exist providing guidance to those looking to plan for their program rollouts. This presentation covers several aspects of this process including the “ownership” of the software security program as well as implementation of static code analysis, dynamic application testing and developer security education.

This should be a fun one because we talk through war stories of things we've seen be successful as well as things we've seen go horribly wrong.

Contact us if you want to meet up at BSides Austin 2013. The last time I checked there were still tickets available.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 10, 2013 in Application Security Remediation, Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Mobile, Remediation, Scanners, Security, Software Security Remediation, Speaking Events, Static Analysis, Threat Modeling, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

November 08, 2011

New Application Security Webinar Series

By Dan Cornell

We've got some great webinars coming up, starting next week. John Dickson be explaining how to rank inherited applications according to the amount of risk they present to an organization, and how you can begin to assess those risks in "Securing Inherited Applications," which will be given in two parts. I'll be talking about automated virtual patching and how it can be successfully employed in "The Self-Healing Cloud."

These should be some great webinars. You can sign up for each below. If you're interested in the topic but can't attend the webinar, sign up to receive information after the webinar.

 

Monday, November 14, 11am (CST)
Securing Inherited Applications: Phase 1 - Gathering Information
Presented by John Dickson, CISSP

Security officers worry about the security of new applications being built, but what really keeps them up at night is the security of hundreds of applications they've inherited. This webinar will help participants understand how to begin assessing applications that are already build and are likely in production. The first phase of risk assessment is gathering information - Where did this application come from? Who uses the application? Does it fulfill any compliance requirements? What kind of technology does the application use? Attendees will learn what they need to know about inherited applications before they can assess their risks.

 Register Now Button

Thursday, November 17, 11am (CST)
The Self-Healing Cloud: Protecting Applications and Infrastructure with Automated Virtual Patching
Presented by Dan Cornell

Organizations sometimes deploy applications on their infrastructure without thorough security testing, putting the applications and the infrastructure they are deployed on at risk of exploitation. Application-level vulnerabilities often require coding changes to be fully addressed. Virtual patching is a technique where targeted rules are created for web application firewalls or other IDS/IPS technologies to help mitigate specific known application vulnerabilities. Attendees will learn how to create virtual patches and the nuances of using virtual patches.

 Register Now Button

Friday, December 2, 11am (CST)
Securing Inherited Applications: Phase 2 - Risk Ranking
Presented by John Dickson, CISSP

Many security officers worry less about the security of new applications being built and more about the security of hundreds of applications they inherited. What applications represent the biggest risk? What attributes make them more or less risky? What are the most cost-effective courses of action given budget constraints in today's business environment? In a webinar on Monday, November 14, John Dickson explained how and what kind of information to gather about inherited applications. This webinar will help participants create a risk-based approach to managing the security of an existing application portfolio using tools like the OWASP ASVS model. Attendees will get a basic understanding of the risk-ranking process that they can immediately apply to their work environment.

 Register Now Button

Contact us for if you are interested in talking more about virtual patching or application portfolio risk ranking.

--Dan

dan _at_ denimgroup.com

@danielcornell

November 08, 2011 in Training | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , ,

September 02, 2009

Work Hard, Play Hard, and e-Learn

We have our share of characters here at Denim Group – brilliant folks who like to work hard and play hard.  Lately we have been putting a lot of work into the upcoming quarterly update of our ThreadStrong application security e-Learning product.  This is a pretty major revision with audio, demonstrations and interactive exercises.  I got a kick out of this email exchange and thought I would post it online.

-----Original Message-----

From: Michael

Sent: ...

To: ...

Subject: e-Learning - Meeting notes - storyboard planning

 

> All:

>

> Here is what we came up with during our storyboard meeting:

>

> -New order for the sections will be:

> 1. Breaches

> 2. Attack demonstration

> 3. What/Why

> 4. SQL injection

> 5. HTTP Basics

> 6. XSS

> 7. Quiz

>

I believe that covers it. I took this picture from the meeting.

-----Original Message-----

From: Bryan

Sent: ...

To: ...

Subject: e-Learning - Meeting notes - storyboard planning

Wow, you know, I'd noticed during today's meeting that we had a lot more productive and intelligent discussion. I was looking back at notes from the last meeting and I think I figured out what our problem was.

Like I said – a real cast of characters.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from denimgroup's posterous

September 02, 2009 in Dan Cornell, Denim Group, Information Security, Pro Services Life, Security, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

July 07, 2009

Denim Group Launches ThreadStrong

By Dan Cornell

This has been in the works for quite a while, but the actual public release came out today - Denim Group has released our new application security e-Learning program called ThreadStrong.

We have a brief video online here:

ThreadStrong is a great way for organizations to provide a base-level of application security knowledge for developers and other personnel involved in the software development process.  A number of organizations have also used it to address aspects of compliance requirements such as PCI.

The available courses include:

  • Introduction to Application Security Concepts (1 hour, for Developers, QA, Managers and Security Professionals)
  • Application Security for Java (4 hours, for Developers)
  • Application Security for .NET (4 hours, for Developers
  • Threat Modeling (1 hour, for Security Professionals and Developers)

Give us a call or drop us an email if you'd like a demo.


--Dan
dan _at_ denimgroup.com

July 07, 2009 in Application Security Tools, Dan Cornell, Denim Group, Information Security, Java, Microsoft, Security, Threat Modeling, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Next »