John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd, the parent company of ThreadFix. He has more than 20 years' hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSO's) of Fortune 500 companies, including major financial institutions, launch and expand their critical application security initiatives.
More Posts by John Dickson
June 30, 2020
This blog has been updated with new information for 2020. If you haven’t seen it yet, Gartner just published its “Hype Cycle for Application Security, 2016” written by Gartner Analyst Ayal Tirosh with support from colleague Lawrence Pingree (Gartner clients...
Read more…October 23, 2019
How to Identify that you have a Problem In spite of the fact that automation and application vulnerability resolution platforms like ThreadFix have existed for a decent length of time, we continue to see organizations that try to muscle ahead...
Read more…March 16, 2016
I had the opportunity to lead a Peer2Peer session at RSA 2016 that asked attendees to talk about how they do vulnerability management for different types of vulnerabilities. In particular, what I wanted to discuss were the similarities and differences...
Read more…January 6, 2016
The members of the ThreadFix team have often found themselves face-to-face with a fairly universal need across software groups: to quickly access running application instances. This need applies to groups from developers to support engineers to quality assurance personnel. It...
Read more…November 4, 2015
Many applications have some form of external API that allows users to call actions or return information from outside of the UI. As the functionality of an application grows, the number of available API calls will likely (and will hopefully)...
Read more…November 4, 2015
The Task ThreadFix offers a command line interface jar to create teams, add applications, assign tags, search for vulnerabilities, and much, much more from the shell or command prompt. The number of actions available in the CLI has grown over...
Read more…November 4, 2015
Automation is a big theme of ThreadFix’s QA strategy, and almost nowhere is that more apparent than in our workflow for SCM (“source code management” for the purposes of this post). Background ThreadFix has three repositories that comprise the application...
Read more…November 3, 2015
ThreadFix has several modules, including one for Hybrid Analysis Mapping. Using HAM as a module provides us a good degree of flexibility in several areas: 1. Decoupling data types from ThreadFix allows database-free unit testing 2. The module can be...
Read more…August 31, 2015
As part 2 of the Analyzing HAM series, this week I’ll try to summarize the main strategy behind HAM. Or, as one ThreadFix developer once referred to the HAM system, the Matrix. [caption id="attachment_2591" align="aligncenter" width="570"] Wake up, HAM data.[/caption] The...
Read more…August 28, 2015
This post will start a new series on ThreadFix’s Hybrid Analysis Mapping (HAM) library. Today I’ll cover the background on the SBIR contract, why ThreadFix was a good candidate for the program, and why HAM tastes so good in sandwiches....
Read more…June 9, 2015
The ThreadFix team is thrilled to recognize different organizations and individuals who contribute their time, effort and knowhow to improving the features of ThreadFix for themselves and others. Pearson, the world's leading learning company, with 40,000 employees proudly uses ThreadFix...
Read more…November 19, 2014
This is the first in a series of blog posts discussing how Denim Group has integrated software security into the ThreadFix development lifecycle and, specifically, how we use ThreadFix in this process. The goal is to shine a light on...
Read more…