By Dan Cornell
I'll be headed to Hamburg, Germany this year for AppSec Research 2013 on August 22nd and 23rd. In addition to enjoying the conference, I'll be doing two things while I'm there:
- Thursday August 22nd, 2013 from 2:00pm - 6:00pm I'll be demonstrating ThreadFix at the Open Source Security Showcase. I always enjoy these Showcase/Arsenal-type events because it is a great way to have a conversation with current and potential users to find out their problems and how they would like to see them solved. We have a number of EU-based ThreadFix users and I'm hoping to catch up with them while also making some new friends. We have some exciting things going on in the world of ThreadFix right now (including an expanded integration with OWASP ZAP) so I'll be demonstrating the new capabilities and looking for feedback.
- Friday August 23rd, 2013 from 2:05 - 2:35 I'll be giving a talk titled "Do you Have a Scanner or a Scanning Program?" The full abstract for the talk is below, but the main issue I want to talk about it what organizations need to do to move from a tactical approach to a strategic and portfolio-based approach in their application testing.
Oh and here's that abstract:
By this point, most organizations have acquired at least one code or application scanning technology to incorporate into their software security program. Unfortunately, for many organizations the scanner represents the entirety of that so-called “program” and often the scanners are not used correctly or on a consistent basis.
This presentation looks at the components of a comprehensive software security program, the role that automation plays in these programs and tools and techniques that can be used to help increase the value an organization receives from its application scanning activities. It starts by examining common traps organizations fall into where they fail to address coverage concerns – either breadth of scanning coverage across the application portfolio or depth of coverage issues where application scans do not provide sufficient insight into the security state of target applications. After discussing approaches to address these coverage issues, the presentation walks through metrics organizations can use to keep tabs on their scanning progress to better understand what is being scanned, how frequently and at what depth.
The presentation also contains a demonstration of how freely available tools such as the open source ThreadFix application vulnerability management platform and the OWASP Zed Attack Proxy (ZAP) scanner can be combined to create a baseline scanning program for an organization and how this approach can be generalized to use any scanning technology.
dan _at_ denimgroup.com