Come See Denim Group at AppSecUS in Austin, TX

Austin AppSec
Here at Denim Group we love Texas and we’re thrilled that this year’s OWASP AppSecUS conference is being held in Austin, TX. We’re sponsoring and will be there with a booth in the Expo area, but you can also find us in quite a few other places.
Firstly, I’ll be giving a two-day training class Tuesday (10/23) and Wednesday (10/24) titled “Building a Software Security Program on Open Source Tools” The class description is:

Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program.

The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachini, w3af, ZAProxy, ThreadFix as well as other educational resources from OWASP.

Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.

ThreadFix will be featured at the Open Source Showcase from 2pm to 5pm on Thursday 10/25. We had a great time talking to users at the BlackHat Arsenal this year, and we’re really looking forward to hearing from the community at the AppSec Showcase since the 1.0 release on September 17th.
Also on Thursday, John Dickson will be giving a presentation at 4:00pm titled “Top Strategies to Capture Security Intelligence for Applications” The abstract for that talk is:
Security professionals have years of experience logging and tracking network security events to identify unauthorized or malicious activity on a corporate network. Unfortunately, many of today’s attacks are focused on the application layer, where the fidelity of logging for security events is less robust. Most application logs are typically used to see errors and failures and the internal state of the system, not events that might be interesting from a security perspective. Security practitioners are concerned with understanding patterns of user behavior and, in the event of an attack, being able to see an entire user’s session. How are application events different from network events? What type of information should security practitioners ensure software developers log for event analysis? What are the types of technologies that enable application-level logging and analysis? In this presentation, John Dickson will discuss what should be present in application logs to help understand threats and attacks, and better guard against them.
Friday morning I’ll be running in the 5k Charity Run to help benefit the OWASP Projects Reboot Initiative. I had a blast running the 10k last year the first time this event was held at an OWASP conference – this year should be a great time as well.
Finally Friday Josh Sokol and I will be reprising our talk from BSidesLV this year “The Magic of Symbiotic Security: Creating an Ecosystem of Security Systems” That talk abstract is:
Throw out everything that you know about security tools today. No more six-figure appliances that only do one thing marginally well. No more proprietary protocols. We deserve better and we demand better. Envision a world where your security tools talk with eachother. They communicate and share data in order to leverage eachothers strengths and and help compensate for their weaknesses. They work together to solve problems. Envision “Symbiotic Security.”

Symbiotic Security is a new term that was coined to describe the ability of a tool to consume data from other tools or provide data to other tools. As part of our research, we have examined various classes of tools on the market and identified these abilities in each of them resulting in a label of “Consumer”, “Provider”, or “Symbiotic”. As a consumer of security tools, this completely revolutionizes the way that we make purchases. 

As an example, let’s pretend that you are purchasing a new Intrusion Prevention System for your enterprise. As you begin to evaluate the various tools from the Gartner Magic Quadrant, you quickly realize that they almost all have the same primary feature set. The key differentiator at this point aren’t the rules or the hardware, but rather, the ability for the system to send and receive data with other systems. The IPS itself has some signatures and blocking abilities, but has zero relevancy data. Now, we give the IPS the ability to pull in vulnerability data and system configuration information from network and host scans and we gain relevancy. Add in some additional data on where the potential threat is coming from and now you have the data necessary to take a decisive action on threats. This new system is a “Consumer”. Now, if you give the IPS the ability to send information to other devices on things like the source of relevant threats, those devices, like a firewall or HIPS, can now make intelligent blocking decisions as well. Our IPS now has “Provider” abilities. Since our IPS is labeled as both a “Provider” and “Consumer” it is deemed “Symbiotic”. This convention can now be used both by the manufacturer to market the value-add of the device as well as a way for the purchasers to differentiate between otherwise similar devices. 

In order to demonstrate the true powers of being symbiotic, we are releasing a free tool that epitomizes this concept. The tool, named ThreadFix, has been labeled as a “Consumer” because of it’s abilities to pull vulnerability data from static and dynamic scanning tools, threat modeling, and manual penetration tests as well as alert logs and vulnerability details from IDS, IPS, and WAF products. ThreadFix has also been labeled as a “Provider” because of it’s abilities to normalize the data consumed and pass it along to IDS, IPS, and WAF for action as well as to your bug tracking system for remediation tracking. Because it can serve both a consumer and provider role, we designate it as a “Symbiotic” tool, thus indicating that it can provide the utmost value to it’s users. 
We recognize that like any new concept it can take some time to embrace, but we feel certain that labeling tools according to their abilities as “Consumers” and “Providers” can help to facilitate a much needed turn towards openness in our industry. Vendors will get the message that consumers want to select tools that work together in order to achieve their maximum effectiveness. Consumers will get the added value of having tools that work outside of their silos to make their jobs more efficient and maximize their ROI. Please join us in embracing this bold new concept.
So if you’re thinking about heading to Austin for AppSecUS we’d love to see you there. Be sure to register soon, and contact us if you want to meet up at AppSecUS.
dan _at_

Posted via email from Denim Group’s Posterous

About John Dickson

John Dickson web resolution

John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd, the parent company of ThreadFix. He has more than 20 years' hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSO's) of Fortune 500 companies, including major financial institutions, launch and expand their critical application security initiatives.