Once again it is time for Colorado’s premier application security conference: Front Range OWASP Conference 2010. Denim Group will be sponsoring. We will also be giving two presentations, and John Dickson will be moderating a panel including Brian Chess and Jeremiah Grossman.
John Dickson will be giving the presentation: The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise where he discusses strategies for getting upper management support for software security initiatives.
The abstract is:
The majority of information that exists about software security either focuses on technical means to build secure applications, or strategies to put controls in a software development process. There is a dearth of information regarding how managers should push secure initiatives forward, convincing executives that software security is critical to trusted business operations. This presentation focuses on how security officers or development leaders can apply a disciplined approach to building internal consensus to build secure software. A five-step process will be laid out that will enable a manager to characterize the landscape, secure management buy-in, baseline the existing risks, set modest goals and attempt to achieve them, and sustain the initiative. Emphasis will be on actionable steps that successful managers have used to drive the adoption of secure software strategies in large organizations.
Also, Bryan Beverly will be giving the presentation: Application Security Program Management with Vulnerability Manager, where he will demonstrate our open source Vulnerability Manager application and talk about how it can be used to centrally manage an organization’s application security efforts.
The abstract is:
Using free Java-based software, application security managers can now have increased visibility into and control of enterprise security programs, as well as the data that can be used to support sophisticated conversations with their managers and executives. Denim Group’s Vulnerability Manager works through a centralized system to allow security teams to import and consolidate application-level vulnerabilities, automatically generate virtual patches, monitor attack attempts, communicate with defect tracking systems, and evaluate team maturity. Vulnerability Manager is a Java-based web application available for free under the Mozilla Public License.
This demonstration will cover the major functional areas of the Vulnerability Manager:
• Application portfolio management – Creating a portfolio of applications under management and tracking critical information about those applications, such as associated technologies and the sensitivity of the data they handle.
• Vulnerability import and merging – Importing results of both static and dynamic scans of code, de-duplicating results and merging the output from multiple tools into a unified view of the security state of an application.
• Automated virtual patch generation – Automatically creating IDS/IPS and WAF rules to provide real-time protection for certain classes of vulnerabilities as well as consuming log results from WAF/IDS/IPS in order to identify which vulnerabilities are under active attack.
• Defect tracker integration – Bundling multiple vulnerabilities into packages, sending them to software defect tracking systems, and monitoring the defects to identify when software developers have closed them out.
• Team maturity evaluation – Tracking interviews with development teams related to the security practices they have adopted based on maturity models such as OpenSAMM.
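To make the vulnerability import-and-merging step concrete, here is a small added Python example (not code from Vulnerability Manager itself) that consolidates findings from a static tool and a dynamic tool into one view, de-duplicating by a normalized key of CWE, route and parameter and keeping the highest reported severity. The record format, field names and sample findings are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample findings from two tools scanning the same application.
# A dynamic scanner reports full URLs; a static tool reports source-level routes.
STATIC_FINDINGS = [
    {"tool": "static-analyzer", "cwe": 79, "path": "/account/profile", "parameter": "name", "severity": "High"},
    {"tool": "static-analyzer", "cwe": 89, "path": "/search", "parameter": "q", "severity": "Critical"},
    {"tool": "static-analyzer", "cwe": 89, "path": "/search", "parameter": "q", "severity": "Critical"},  # same-tool duplicate
]
DYNAMIC_FINDINGS = [
    {"tool": "dynamic-scanner", "cwe": 79, "path": "https://app.example.test/account/profile/?x=1",
     "parameter": "Name", "severity": "Medium"},
    {"tool": "dynamic-scanner", "cwe": 22, "path": "https://app.example.test/download",
     "parameter": "file", "severity": "High"},
]

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def normalize_path(path):
    """Reduce an absolute URL or raw route to a canonical form: no host, no query, no trailing slash."""
    route = urlsplit(path).path if "://" in path else path.split("?", 1)[0]
    return route.rstrip("/") or "/"


def finding_key(finding):
    """Identity of a vulnerability independent of which tool reported it."""
    return (finding["cwe"], normalize_path(finding["path"]), finding["parameter"].lower())


def merge_findings(*sources):
    """Merge findings from several tools into one de-duplicated list, most severe first."""
    merged = {}
    for findings in sources:
        for f in findings:
            key = finding_key(f)
            entry = merged.setdefault(key, {"cwe": key[0], "path": key[1], "parameter": key[2],
                                            "tools": [], "severity": f["severity"]})
            if f["tool"] not in entry["tools"]:
                entry["tools"].append(f["tool"])  # record every tool that saw this issue
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = f["severity"]  # keep the highest rating across tools
    return sorted(merged.values(), key=lambda e: (-SEVERITY_RANK[e["severity"]], e["path"]))


if __name__ == "__main__":
    for entry in merge_findings(STATIC_FINDINGS, DYNAMIC_FINDINGS):
        print(entry["severity"], entry["path"], entry["parameter"], "CWE-%d" % entry["cwe"], entry["tools"])
```

A finding listed under more than one tool is one that both static and dynamic analysis confirmed, which is the kind of prioritization signal a unified view makes possible.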
In addition, the presentation will explain the internals of the Vulnerability Manager software – the design decisions made as well as opportunities to extend the system to support additional technologies.
Registration for FROC 2010 is now open. This has always been a great conference and we hope to see folks there.
Contact us for information about driving secure software initiatives in your enterprise and centrally managing your application security program.
dan _at_ denimgroup.com