LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad
Subscribe to this blog's feed

Recent Posts

Categories

Archives

Add me to your TypePad People list


Programming Blogs - Blog Catalog Blog Directory

Denim Group

April 26, 2013

Webinar Recording Online: Running a Web Security Testing Program with OWASP ZAP and ThreadFix

By Dan Cornell

Simon Bennetts (@psiinon) and I did a webinar last Wednesday talking about how to set up web application testing programs witih the freely-available tools OWASP Zed Attack Proxy (ZAP) and ThreadFix. The webinar was titled "Running a Web Security Testing Program with OWASP ZAP and ThreadFix" You can see the recorded webinar here:

(fullscreen video came out remarkably sharp!)

For more infomation about the tools and techniques we discussed, check out:

I wanted to personally thank Simon for taking the time to put on this webinar with us. I'm a huge fan of ZAP and I was really excited to get the opportunity to talk with folks about how ZAP and ThreadFix can be used together.

Contact us to talk about ways you can automate parts of your web application testing program with freely-available tools.

--Dan

dan _at_ denimgroup.com

@danielcornell

April 26, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, OWASP, Remediation, Scanners, Security, Software Security Remediation, Speaking Events, ThreadFix Application Vulnerability Management, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , ,

April 09, 2013

Denim Group at SANS AppSec 2013 in Austin

By Dan Cornell

Appsec-2013

SANS AppSec 2013 will be held from April 22nd through April 27th in Austin, TX. Monday April 22nd, John Dickson will be moderating a panel titled "AppSec 2.0: Strategies for Moving the Needle on Application Security" The panel abstract is:

Thousands of applications, millions of lines of code, numerous development teams spread across the planet. You thought your application security program had it bad! The participants in this panel discussion have been tackling the issue of software security in their large corporate environments for years, helping thousands of software developers improve how they build software and helping identify software vulnerabilities before attackers do. They will discuss how they have built large-scale vulnerability scanning programs, how they interact with their respective business units and how they get executive buypin to further the case of application security. Come join this interactive session with application security industry leaders who will discuss practical approaches to securing software.

Panel participants include:

  • John Dickson, CISSP, Principal, Denim Group (Moderator)
  • Chris Haggard, Manager of eCommerce/Application Security, FedEx
  • John Heimann, Senior Director-Security Programs, Oracle
  • Jim Apple, Senior Manager, Applications, Bank of America

Tuesday I will be giving a lunchtime presentation titled "Do You Have a Scanner or a Scanning Program?" and the abstract is:

By this point, most organizations have purchased at least one code or application scanning technology to incorporate into their software security program. Unfortunately, for many organizations the scanner represents the entirety of that so-called “program” and often the scanners are not used correctly or on a consistent basis.

This presentation looks at the components of a comprehensive software security program and the role that automation plays in these programs. It also looks at common pitfalls organizations encounter when trying to deploy scanning technologies as well as ways to address these issues. Finally it walks through metrics organizations can use to keep tabs on their scanning progress so they can identify and address issues such as portfolio and scanner coverage. Demonstrations using freely available tools are provided as well as discussion of how these approaches can be applied for both commercial and free static and dynamic scanning technologies.

We are looking forward to catching up with folks at SANS AppSec in Austin. Contact us if you would like a special discount code for the event.

--Dan

dan _at_ denimgroup.com

@danielcornell

April 09, 2013 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, John Dickson, Open Source, Scanners, Security, Speaking Events, Static Analysis, ThreadFix Application Vulnerability Management, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , ,

April 08, 2013

Webinar: Running a Web Security Testing Program with OWASP ZAP and ThreadFix

By Dan Cornell

Zap128x128ThreadFix_72

Simon Bennetts (@psiinon) and I will be doing a webinar Wednesday April 24th, 2013 at 10:30am Central Daylight Time to talk about how organizations can set up a web security testing program using the freely available tools OWASP Zed Attack Proxy (ZAP) and ThreadFix.

You can register online here: Running a Web Security Testing Program with OWASP ZAP and ThreadFix

Abstract:

OWASP's Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. ThreadFix is a software vulnerability management platform that allows organizations to track the results of testing and communicate vulnerabilities to software development teams. Used together, these open source tools allow organizations to build a comprehensive program of web application security testing and vulnerability management. Security analysts can perform automated and manual testing of critical applications, track the results of their testing and report metrics on their program's effectiveness. This webinar walks through the basics of using OWASP ZAP for web application scanning and testing. It then demonstrates storing and managing these results inside of ThreadFix and communicating them to development teams for resolution. Developers and security professionals alike will benefit from seeing how these two tools used in combination can allow any organization to start taking control of the security of their web applications.

Contact us if you woud like to talk more about getting the most out of great tools like OWASP ZAP and ThreadFix.

--Dan

dan _at_ denimgroup.com

@danielcornell

April 08, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, OWASP, Remediation, Scanners, Security, Software Security Remediation, Speaking Events, ThreadFix Application Vulnerability Management, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (1) | TrackBack (0)

Technorati Tags: , , , , , , , , , ,

April 07, 2013

OWASP Dallas: Implementation Patterns for Software Security Programs

By Dan Cornell

Ologo

I will be in Dallas on May 8th to speak to the OWASP Dallas chapter. The meeting runs from 11:30am through 1:00pm and is located at Richland College, 12800 Abrams Road, Dallas, TX 75243 at Sabine Hall in room SH117.

I will be giving an updated version of my talk titled "Implementation Patterns for Software Security Programs." (See my writeup of BSides Austin 2013 for some more background) The abstract for the presentation is:

Most organizations have finally realized that the software applications they are developing and deploying exposes them to significant risks. Organizations that are serious about this issue have started rolling out software security programs to address these risks in a structured manner. The challenge for these organizations is to determine what measures to put in place and how to implement those measures to best reduce their exposure. Efforts such as BISMM, OpenSAMM and Microsoft's SDL have shown that there are a number of components of software security programs that are reasonably standard, but there are different ways of implementing tools and deploying processes so what was successful for one organization does not guarantee success in others. Matching implementation strategies to the specific capabilities, limitations, strengths and weaknesses of the organizations is critical to a successful program roll-out.

This presentation relates several example case studies for organizations rolling out different portions of their software security programs. Although every organization is different, looking across multiple program implementations allows patterns to emerge and these patterns can provide guidance to other organizations looking to organize plans for their software security programs.

Several aspects of program rollout and the associated program are covered. Firstly, the presentation provides a discussion of selecting the organizational "owner" of the software security program. Although many parts of the organization must be involved, one group must be ultimately responsible for the security state of software developed and deployed. Then the presentation looks into three specific software security activities: static code analysis, dynamic application testing and developer security education. Several implementation patterns for each of these activity rollouts are outlined along with factors organizations can use to decide if a particular approach is well suited to their needs. These patterns help to provide templates that minimize the requirement of an organization to experiment and break new, risky ground by allowing them to benefit from lessons learned from previous efforts.

The presentation is vendor-neutral and based on experiences working with several organizations creating software security programs.

I always enjoy speaking to OWASP groups and I'm thrilled to have the opportunity to come back and talk to the folks in Dallas. Looking forward to seeing everyone there!

Contact us for help building a software security program that works for your organization.

--Dan

dan _at_ denimgroup.com

@danielcornell

April 07, 2013 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, OWASP, Scanners, Security, Speaking Events, Static Analysis, ThreadStrong e-Learning, Training, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , ,

April 02, 2013

A Glimpse Into Federal Cyber Security Policy with Rep. Mike McCaul

By John Dickson

Uschamber_cybersecurity
I recently had the opportunity to participate in a US Chamber of Commerce public policy discussion in Washington DC with Representative Michael McCaul (Twitter: @McCaulPressShop) who is a Congressman from Central Texas and is Chairman of the House Homeland Security Committee.  This committee, along with its counterpart in the Senate, helps develop cyber security legislation in the U.S.  Although the event occurred the week after RSA, this group of security industry leaders could not have been more different than the typical RSA attendee.  For starters, everyone wore suits…

Some additional background is of value here...  Rep. McCaul is a cyber security policy veteran in Washington DC.  In his new position as the House Homeland Security Committee Chairman, McCaul is now also the House of Representatives point person for any proposed cyber security Federal legislation coming out of the House.  As such, he has a lot of power to affect the future of our country, and although he’s not a technology guy per se (he’s an attorney), he has a solid grasp of the critical high-level cyber security and privacy public policy issues that most of us are comfortable letting others handle.  

In last month’s policy meeting, Congressman McCaul’s remarks probed many cyber security public policy “touch points” that are frequently covered in the popular press such as:

  • In spite of deep cultural issues, can the Federal government do a better job of sharing time-sanitized threat information to commercial companies in a timely manner?
  • What can companies do better in order to share this critical information amongst themselves and with the Federal government?
  • If companies do share threat and vulnerability information with the government or industry players, can they do so with better liability protections?
  • What security standard – if any – should companies be held to?

The well-dressed audience (it was the Chamber after all) listened intently while Congressman McCaul provided key updates regarding the Congress legislative environment in this Congress.   His characterization of the last Congress on cyber security legislation (“universes apart”) was probably overly kind.  Given the political log-jam leading up to last fall’s election, absolutely nothing was going to get done prior to the election since both parties were reluctant to give the other party a “win” in the run-up to November.  However, according to McCaul, things might be different this time. 

Also discussed were the realities that much of the nation’s infrastructure, as well its security expertise, resides in the private sector.  Couple that with the reality that any legislation passed by Congress may very well be obsolete by the time it reaches the President’s desk for signing and you get a gist of the challenge here. 

In spite of the acrimonious political environment surrounding the sequestration, McCaul shared with the audience that cyber security legislation was an area that both parties might just be able to reach consensus.  He cited the efforts of Michael Daniel, White House Cyber Security Coordinator, to reach out to certain Congressional Leaders to review the recent White House Executive Order issued by President Obama on February 13th of this year.  Certainly the headlines involving nation state threats to our critical infrastructure and the recent Mandiant white paper highlighting China’s activities in this arena have helped drive some consensus on this issue.  Perhaps many of our Congressional leaders are looking for an issue – any issue – in which they can find a modest level of agreement..  Rep McCaul’s initial analysis of the Executive Order was it:

Strengths:

  • Get solid feedback from the private sector
  • Better defines the role of the Department of Homeland Security

Gaps

  • Voluntary standards need further definition
  • It leaves open the door to future industry regulation

Rep. McCaul insisted that two things most likely will not happen this session:

  • Anything involving the “R Word,” i.e. regulation.  There seems to be zero political appetite for turning the screws on American businesses to tighten security standards especially during these uncertain economic times.  This was welcome news to everyone in the room.
  • Ambitious legislation that helps to define all aspects of information sharing and standards that would have a profound impact across industry.  Instead, look for our elected officials to nibble around the edges of these issues and perhaps make incremental gains around information sharing.

However, one of the more interesting moments of the sessions came during the Q&A.  A representative of the electrical provider in the DC area posed an intriguing question.  When, not if, a sophisticated attacker breaches their utility, which Federal agency should they respond to first, and in what order?  When they show up on their doorstep, should they respond to the DoD (Department of Defense), the DHS (Department of Homeland Security), the FBI, NERC (the North American Electrical Reliability Corporation), FERC (the Federal Energy Regulatory Commission), or who else first?  McCaul responded that they should speak to DHS first although many members of the audience probably thought the reality would be slightly more complicated.

So, if you are interested in cyber security issues, you should probably spend some small percentage of your time keeping track of the cyber security legislative efforts and policy issues occurring at the national and state levels.  It was an eye opening experience for me and I learned a tremendous amount about how large enterprises are approaching this issue after just one session at the US Chamber.  The bottom line is that you may not care about policy and politics on a day-to-day basis, but somebody within your organization does -likely someone higher up the food chain than yourself - and some day they might ask you about your interpretation of these efforts.  It would be good for yourself and your organization to have an answer ready.

For some more information on budding Federal cybersecurity policy, check out:

Contact us if you have any stories you want to share about how cybersecurity legislation might impact your business.

--John

john _at_ denimgroup.com

@johnbdickson

April 02, 2013 in Conferences, Current Affairs, Denim Group, Information Security, John Dickson, Security, Web Application Security, Web/Tech | | Comments (3) | TrackBack (0)

Technorati Tags: , , , , , ,

March 31, 2013

Search Software Quality: Framework Support for Building Secure Applications

By Dan Cornell

Search_software_quality_logo

Search Software Quality published another of my answers to reader questions:

How effective are the application frameworks that offer security support for developers?

You can see my full answer online where I talk about which vulnerabilities frameworks can help guard against (sorry - registration required). For those looking for a quick preview, I talk about:

  • Supporting the creation of secure code versus preventing the creation of bad code
  • Examples of frameworks helping with vulnerabilities like SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF)
  • Mozilla's playdoh framework and its security features

Frameworks definitely have a role to play for teams looking to build secure applications, but they aren't a cure-all. You have to know what you can expect and plan to take advantage of available features but also understand the limits of what a framework is going to be able to provide.

Contact us for help getting the most out of your development platforms' security capabilities.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 31, 2013 in ASP.NET 2.0, Dan Cornell, Denim Group, Information Security, Security, Spring, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

March 26, 2013

BSides Austin Recap: Implementation Patterns for Software Security Programs

By Dan Cornell

BSides Austin 2013 was at the end of last week and one of the things I did while I was there was give a talk about different patterns we've seen as we've helped firms put together their software security programs. Slides are online:

The abstract for the talk was:

Every organization’s software security program implementation is different, but patterns exist providing guidance to those looking to plan for their program rollouts. This presentation covers several aspects of this process including the “ownership” of the software security program as well as implementation of static code analysis, dynamic application testing and developer security education.

Contact us for help building a software security program that works for your organization.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 26, 2013 in Application Security Tools, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Scanners, Security, Speaking Events, Static Analysis, ThreadStrong e-Learning, Threat Modeling, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , ,

BSides Austin Recap: Developing Secure Mobile Applications

By Dan Cornell

BSides Austin 2013 was at the end of last week and one of the things I did while I was there was give a short, two hour training session titled "Developing Secure Mobile Applications" This is a (very) cut down version of some of the instructor-led training classes we give on developing secure mobile applications and testing the security of mobile applications. Slides are online:

The abstract for the training was:

This course provides an introduction to security for mobile applications. It walks through a basic threat model for a mobile application. This threat model is then used as a framework for making good decisions about designing and building applications as well as for testing the security of existing applications. Examples are provided for both iOS (iPhone and iPad) and Android platforms and sample code is provided to demonstrate mobile security assessment techniques.

Contact us for help building secure mobile applications and testing the security of mobile applications.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 26, 2013 in Dan Cornell, Denim Group, Information Security, iPhone, Mobile, Security, Speaking Events, ThreadStrong e-Learning, Training, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , , , , ,

March 25, 2013

ThreadFix 1.1 Released

By Dan Cornell

ThreadFix_72
ThreadFix 1.1 (final) is now available for download! You can pick up the ZIP (demonstration) install from the Google Code downloads site or you can pick up the VM image (for production use).

There were a whole lot of new features added and bugs updated during the 1.1 development cycle. You can see a full list of the Release 1.1 changes in the Google Code issue tracker. Some highlights include:

I wanted to extend a personal thanks to the invidivuals and organizations who have helped ThreadFix get to this point by providing funding, sending feedback, submitting bugs and otherwise just being a part of the growing ThreadFix community. Hearing from ThreadFix users is thrilling, occasionally humbling and always valuable for us. Feedback is the breakfast of champions, so we really appreciate hearing the good, bad and the ugly.

Looking to keep track of ThreadFix? Here are some resources:

We also sent out a press release for the occasion and the text of that release is:

Denim Group releases Vulnerability Management Platform ThreadFix 1.1 With More Enterprise-Class Features to Meet Customer Demand

ThreadFix Aggregates Disparate Vulnerability Test Results And Delivers A Prioritized List of Software Defects To The Development Team To Secure Applications Faster & More Easily

SAN ANTONIO, TX – March 25, 2013 - Denim Group, the leading secure software development company, today announced ThreadFix 1.1, an intelligent open-source application management platform that imports test results from a variety of testing tools to present a centralized view of the security status of corporate applications throughout the organization.  ThreadFix 1.1 has been upgraded with a variety of enterprise-class capabilities, all sponsored by large organizations eager to adopt this innovative platform into their organization to speed up the securing of their customer-facing and internal applications.  

“Large organizations are seeing the value of consolidating duplicate vulnerability information generated by overlapping reports into a centralized dashboard, enabling their teams to release applications into the marketplace that are not only feature-rich but resilient and secure,” said Dan Cornell, Denim Group CTO.  “Having access to all the available information about a given vulnerability in one spot improves the communications conduit between the developers and security team to such a level that productivity is increased without sacrificing quality, and that’s a win-win for the whole industry.”

ThreadFix imports dynamic, static and manual testing results into a centralized console that removes duplicate findings across multiple testing platforms to provide a prioritized list of the security vulnerabilities for each corporate application.  These results can be quickly exported into defect trackers used by the company’s software developers, injecting these security tasks into their regular work flow.  ThreadFix also uses this vulnerability data to automatically generate web application firewall and IDS/IPS rules that ensure sensitive corporate data is protected during the application repair process. Based on alerts from these virtual patch rules, ThreadFix also tracks current attack attempts, enabling the system to provide a real-world view of the criticality of individual vulnerabilities. Finally, ThreadFix provides trending reports, enabling team members as well as management to track and improve productivity over time. 

The new version of ThreadFix is now compatible with several sophisticated tools to better fulfill the needs of enterprise-wide application development teams.  For example, in addition to the Bugzilla and JIRA bug trackers, ThreadFix’s prioritized and aggregated results can now also be exported into Microsoft Team Foundation Server, the collaboration platform at the core of Microsoft's application lifecycle management used in many enterprises.  As a result of this integration, it is much easier to work with both the developers and the security analysts as both teams continue to use tools they already know.  The integration of both the NTOSpider and IBM Security AppScan Enterprise dynamic analysis testing platforms as well as the static analysis IBM Security AppScan Source tool enables ThreadFix to now import testing results from more than 20 software security testing tools and services, making ThreadFix useable to a wider number of organizations. 

ThreadFix 1.1 also offers a tighter integration with Lightweight Directory Access Protocol (LDAP) and Microsoft Active Directory (AD) authentication protocols enabling ThreadFix to be better integrated inside of the enterprise workflow. As a result, ThreadFix users can now be included in the centralized enterprise management system provided by LDAP and AD to manage user accounts.  The corporation’s software developers and security experts that use ThreadFix across the enterprise will no longer need to manage multiple users IDs and passwords.  The integration also allows access rules to be applied based on a “need-to-know” basis to better reflect real-world team roles to further improve the organization’s overall security posture. 

ThreadFix also now allows security and development teams to add comments and context to individual vulnerability content, enabling meaningful two-way communications that enhance the quality of remediation efforts.  The individualized notes decrease team distractions while improving internal communication about the code’s content.  The result is shorter development and test cycles, once again, accelerating the application vulnerability resolution process.

With these multi-tool and multi-team capabilities, ThreadFix is setting the standard for application security management within organizations of all sizes.  Initially released in September of 2012, the open-source application has been downloaded over two thousand times and has been used to successfully reduce the time required to fix critical application software vulnerabilities. The product’s growing momentum with several Fortune 500 and government organizations demonstrates how large enterprises are embracing ThreadFix as a critical enabling platform to more effectively manage application software security programs.

Immediately available, ThreadFix 1.1 can be downloaded through the following link:  http://www.denimgroup.com/threadfix.  Denim Group also offers additional commercial support and implementation services for organizations deploying ThreadFix. To learn more, contact Denim Group at sales@denimgroup.com or (210) 572-4400.

About Denim Group

Denim Group is the leading secure software development firm. The company builds custom large-scale software development projects across multiple platforms, languages and applications. What makes Denim Group unique is that the company brings significant core competencies in software security to the table, offering an innovative blend of secure software development, testing and training capabilities that protect a company's biggest asset, its data.

Denim Group customers span an international client base of commercial and public sector organizations across the financial services, banking, insurance, healthcare and defense industries. Its depth of experience building large-scale software development systems in a secure fashion has made the company’s leaders recognized experts in their fields. Denim Group has been recognized as one of the 5,000 Fastest Growing Company’s by Inc. Magazine five years in a row, and has won multiple awards including its recent accolades as one of the best places to work in San Antonio. For more information about Denim Group visit http://www.denimgroup.com.

###

Denim Group is a registered service mark of Denim Group, Ltd. Other names and brands may be claimed as the property of others.

Contact us for help managing your software security program with ThreadFix.

--Dan

dan _at_ denimgroup.com

@danielcornell

March 25, 2013 in Application Security Remediation, Application Security Tools, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, Open Source, Remediation, Scanners, Security, Software Security Remediation, Static Analysis, ThreadFix Application Vulnerability Management, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , ,

March 19, 2013

Uncommon Sense Security Looks at ThreadFix

By Dan Cornell

Uncommon_sense_security

John Dickson and I had a chance to catch up with Jack Daniel from the Uncommon Sense Security blog while we were at RSA a couple of weeks ago to talk about what we've been doing with ThreadFix. Jack took the time to write up a blog post about what we talked about (thanks!) and I wanted to highlight some points he made:

  • When Jack mentions how he imagines organizations handling their application vulnerability management he uses phrases like "kludge" and "few spreadsheets tossed in" and that lines up exactly with our experience. Developers don't speak "PDF" and Microsoft Excel is a horrible tool for managing vulnerabilities but that doesn't mean organizations don't try really hard to use those tools to manage their application-level vulns. A big driver behind us creating and releasing ThreadFix was trying to get organizations to do better managing application vulnerabilities by providing them the capability to get a handle on all of the vulnerability data coming from the variety of different sources - dynamic testing, code scanning, penetration tests and threat modeling. If you can't even manage the inputs you are not going to be able to actually get the vulnerabilities resolved.
  • Jack also highlights what we think is one of the great strengths of ThreadFix which is that it can be deployed in a way that fits pretty much any organization. It is freely-available under an open source license, but also has commercial support options available. No budget for licensing? Not a problem - pull down a VM image, fire it up and post to the Google Group or the bug tracker if you have questions. Need more help or want to customize it to for your environment? Great we can help you do that too.

Again - many thanks to Jack for sitting down with us and for taking the time to look at ThreadFix and write up some thoughts. We've accomplished quite a bit with it so far and we're really excited about some of the things we have coming up. Most organizations are still getting their minds wrapped around managing application-level vulnerabilities and we're thrilled that ThreadFix is a tool many organizations are finding valuable to help get this critical process under control.

Contact us to talk about how ThreadFix can help get your application vulnerability management under control.

--Dan

dan _at_ denimgroup.com

@danielcornell

PS - Jack made another solid point about scheduling time to sit down at RSA. The big conferences are great because they attract so many folks, but schedules can get so crazy it really helped to get the important people we wanted to talk with actually on the calendar. That worked a lot better than leaving it up to chance.

Related articles
ThreadFix, an Open Source tool for software vulnerability management
OWASP Phoenix Slides: Using ThreadFix to Manage Application Vulnerabilities
Security Snafu on ThreadFix: Don't Code Your Own Vulnerability Management System

March 19, 2013 in Application Security Remediation, Application Security Tools, Blogs, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Information Security, John Dickson, Open Source, Remediation, Scanners, Security, Software Security Remediation, Static Analysis, ThreadFix Application Vulnerability Management, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Next »