AppSecEU 2013: Do You Have a Scanner or a Scanning Program?
I just got back from OWASP AppSecEU in Hamburg, Germany and I have to say I had a great time. The conference was very well run, the talks were very interesting and I had the opportunity to both reconnect with and meet a lot of great folks.

While I was there, I gave a talk titled “Do You Have a Scanner or a Scanning Program?” Here is the video from the presentation:

The slides are also online:

The abstract for the talk is:

By this point, most organizations have acquired at least one code or application scanning technology to incorporate into their software security program. Unfortunately, for many organizations the scanner represents the entirety of that so-called “program” and often the scanners are not used correctly or on a consistent basis.

This presentation looks at the components of a comprehensive software security program, the role that automation plays in these programs, and the tools and techniques that can be used to help increase the value an organization receives from its application scanning activities. It starts by examining common traps organizations fall into where they fail to address coverage concerns – either breadth of scanning coverage across the application portfolio or depth of coverage issues where application scans do not provide sufficient insight into the security state of target applications. After discussing approaches to address these coverage issues, the presentation walks through metrics organizations can use to keep tabs on their scanning progress to better understand what is being scanned, how frequently and at what depth.

The presentation also contains a demonstration of how freely available tools such as the open source ThreadFix application vulnerability management platform and the OWASP Zed Attack Proxy (ZAP) scanner can be combined to create a baseline scanning program for an organization and how this approach can be generalized to use any scanning technology.
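The coverage metrics the abstract describes (breadth across the portfolio, scan frequency, and scan depth) can be computed from a simple application inventory. The following is an added illustration, not code from the talk or from ThreadFix; the portfolio, the per-tier cadence policy and the use of "authenticated scan" as a depth proxy are all assumptions:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed inventory for illustration; the App/Scan shapes are
# assumptions, not ThreadFix data structures.
@dataclass
class Scan:
    when: date
    tool: str
    authenticated: bool   # depth proxy: did the scan get past the login page?

@dataclass
class App:
    name: str
    tier: str             # "critical" | "high" | "low": drives required scan cadence
    scans: list = field(default_factory=list)

# Maximum days between scans per tier (assumed policy, not from the talk).
CADENCE_DAYS = {"critical": 30, "high": 90, "low": 180}

def coverage_metrics(portfolio, today):
    """Breadth (share of apps ever scanned), frequency (apps past their
    cadence) and depth (apps with only unauthenticated scans)."""
    scanned = [a for a in portfolio if a.scans]
    overdue, shallow = [], []
    for app in scanned:
        latest = max(app.scans, key=lambda s: s.when)
        if (today - latest.when).days > CADENCE_DAYS[app.tier]:
            overdue.append(app.name)
        # An unauthenticated crawl of an app with a login sees little of it.
        if not any(s.authenticated for s in app.scans):
            shallow.append(app.name)
    return {
        "breadth": len(scanned) / len(portfolio),
        "never_scanned": [a.name for a in portfolio if not a.scans],
        "overdue": overdue,
        "shallow": shallow,
    }

TODAY = date(2013, 8, 30)   # constructed reference date
PORTFOLIO = [               # constructed sample portfolio
    App("payments", "critical", [Scan(TODAY - timedelta(days=10), "ZAP", True)]),
    App("hr-portal", "high", [Scan(TODAY - timedelta(days=120), "ZAP", False)]),
    App("intranet-wiki", "low", []),
    App("customer-api", "critical", [Scan(TODAY - timedelta(days=45), "ZAP", True)]),
]

if __name__ == "__main__":
    for key, value in coverage_metrics(PORTFOLIO, TODAY).items():
        print(f"{key}: {value}")
```

On the sample portfolio this reports 75% breadth, one application never scanned, two overdue against their tier cadence, and one whose only scans never got past the login page.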

I also spent an afternoon giving demos of ThreadFix and talking to a bunch of current – and hopefully future – ThreadFix users at the Open Source (Security) Showcase. I really enjoy events like the OS(S)S and the BlackHat Arsenal because of the opportunity to talk with both users and prospective users in depth about their challenges and how ThreadFix can help them address those challenges.

Contact us for more information about how organizations are using ThreadFix to make the most of their investments in app and code scanners.

About John Dickson

John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd, the parent company of ThreadFix. He has more than 20 years' hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSOs) of Fortune 500 companies, including major financial institutions, launch and expand their critical application security initiatives.