Webinar: ThreadFix 2.4 Maximizing the Impact of Your Application Security Resources

We ran a webinar for the upcoming ThreadFix 2.4 Enterprise release. Slides and a video recording of the webinar are available here: ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources from Denim Group. There were a couple of items that came up during the presentation where I wanted to provide some additional detail and links to resources: For folks that…
Read the full post >>

Cybersecurity: It’s All About the Coders (Thoughts on My TEDx Talk)

I recently gave a presentation at the TEDx San Antonio conference on March 5th, 2016 held at Rackspace Global Headquarters. This was a tremendous experience and I got to meet and share ideas with a bunch of great folks. Here’s a video of the talk: And here’s an interview I did with Jennifer Navarrete afterward where I got to expand…
Read the full post >>

ThreadFix In Action: Discovering Your Organization’s Software Attack Surface (Web App Edition)

Many organizations use ThreadFix as the platform for running an application security program – tracking their application portfolio and getting their applications under a cycle of regular security testing. But before you can start getting applications under security management, you have to know about them and get them installed in the system. In this post, we look at some technical means to…
Read the full post >>

Having Trouble Starting Your Application Security Program? Beat Up Your Vendors!

Starting an application security program can be very challenging. If you don’t know how to get started – or if you can’t seem to get any traction getting your organization to change its ways – consider changing your focus and instead beat up on your vendors. Why Is Application Security Hard? Creating an internal application security program is hard. You…
Read the full post >>

ThreadFix In Action: Tracking Threats and Threat Models

ThreadFix is currently optimized to help with vulnerability management – importing vulnerability data from various sources, performing triage on the imported vulnerabilities, and then communicating the triaged vulnerabilities to the tools that developers use for resolution. Some organizations have also been using ThreadFix to help track their threat modeling programs. By using some of ThreadFix’s capabilities in a slightly different…
Read the full post >>

RSA 2016 “Application, Network, and Infrastructure Vulnerability Management” Peer2Peer Recap

I had the opportunity to lead a Peer2Peer session at RSA 2016 that asked attendees to talk about how they do vulnerability management for different types of vulnerabilities. In particular, what I wanted to discuss were the similarities and differences in how organizations deal with network and infrastructure vulnerabilities versus application-level vulnerabilities. Who Attended? We had a capacity crowd at…
Read the full post >>

Webinar: How iOS and Android Handle Security

Today I delivered a webinar on mobile application security and, specifically, on how the iOS and Android platforms handle security. Slides and audio are online here: How iOS and Android Handle Security Webinar from Denim Group. The goal of the webinar was twofold: Educate developers on the security characteristics and capabilities of their chosen development platform so that they can…
Read the full post >>

ThreadFix 2.3RC1 Now Available

We’re excited to have the first Release Candidate for the ThreadFix 2.3 development cycle now available. The team has been hard at work since the 2.2 release and we’re also thrilled to announce contributions from great organizations such as Samsung, Pearson Education, and VirtualForge. The ThreadFix Community has been a great force driving the product’s development and we wouldn’t be where…
Read the full post >>

HouSecCon Presentation – SecDevOps: Development Tools for Security Pros

HouSecCon 2015 has wrapped up and the team did a great job putting on a first-rate event. I had the opportunity to give a talk about the tools that development teams use with the goal of educating security professionals and giving them ideas of how to better work together with dev teams to get issues resolved more quickly. Slides and…
Read the full post >>

The ThreadFix Ecosystem: Vendors, Volunteers, and Versions – LASCON 2015

LASCON 2015 was last week and, as always, it was a great conference. Friday I had the opportunity to give a talk about the ThreadFix Ecosystem. It looks through a number of organizations we’ve had the opportunity to work with as we’ve developed ThreadFix and highlights the contributions of a number of the firms and individuals who have helped make…
Read the full post >>

Blending Automated and Manual Testing – AppSec USA 2015

DevOps puts an intense focus on automation – taking humans out of the loop whenever possible to allow frequent, incremental updates to production systems. However, thorough application testing often has multiple components – much of this can be automated, but manual testing is also required. This is inconvenient and not “DevOps-y,” but is unfortunately an unavoidable requirement in the real…
Read the full post >>

Secure DevOps with ThreadFix 2.3

Thanks to everyone who attended our Secure DevOps with ThreadFix 2.3 webinar today and thanks to all the great ThreadFix contributors who help make it possible. Hopefully folks enjoyed the presentation, and I certainly enjoyed all the Q&A. An expanded set of slides and a recording of the presentation can be found here: Secure DevOps with ThreadFix 2.3 from Denim…
Read the full post >>