
Denim Group Provides Guidance on Application Security Trends for 2011

We recently provided some guidance on what we believe will be the important trends in application security in 2011. 2010 was a transformative year for the application security market and for the practice of application security in general, and we think 2011 is going to keep building that momentum. The press release is available online here.

Contact us for help making the most out of your application security efforts in 2011.





Agency Contact: Alan Weinkrantz, 210.820.3070

Denim Group Contact: John Dickson, 210.572.4400


Denim Group Provides Guidance on Application Security Trends for 2011

Mobile Applications, Shifting to The Cloud, Malware on the iTunes / Droid Stores, The Smart Grid and More, Give Rise to New Forms of Application Security Threats in the New Year to Come

San Antonio, TX – January 4, 2011 – Denim Group, an IT consultancy that develops secure software and helps organizations assess and mitigate risk with their existing software, announced today that it foresees shifts in the application security landscape in the coming year. As a trusted advisor to many Fortune 500 and large public sector organizations, the firm has just announced its guidance on the top application security trends for 2011:

  1. Mobile application security concerns will dominate headlines.

Enterprise organizations will face greater challenges deploying mobile applications as they realize that most mobile development is not up to the rigorous standards of enterprise software security and industry compliance. As such, more headlines will catalog losses of customer data involving Internet-connected smartphone and tablet devices.


  2. Moving to the Cloud places enterprises at the mercy of corporate terms of service rather than the Constitution and Bill of Rights.

As illustrated by the problems WikiLeaks had when evicted them after public pressure, organizations that rely on the cloud are at the mercy of their hosts’ terms of service and do not have the same protections that can be expected from the government if they were to run their own infrastructure. 

Relying on vendors’ contracts of compliance and possible government regulation is far riskier than relying on 4th Amendment and other protections of due process.  This places enterprises at greater risk from malicious overtures from corporate and government antagonists.

  3. Developing applications for the Cloud will present new security threats previously not considered.

Enterprise software development will start to shift to extending and customizing SaaS applications rather than writing custom software from the ground up. and other B2B providers will lead the way, but extensions to consumer-oriented applications such as Facebook will increase as well. As with all new programming models, software developed as extensions to SaaS will have new types of vulnerabilities dealing with trust and dataflow, as well as new instances of well-known vulnerabilities like cross-site scripting (XSS) and SQL injection.


  4. The Payment Card Industry will continue to drive application security investment.

This will drive more software security initiatives, as the Payment Card Industry’s Data Security Standard (PCI-DSS), despite criticism, is ultimately regarded as one of the few compliance frameworks with technical “teeth.”

  5. Introduction of malware into the iTunes / Droid app stores.

Applications submitted to the Apple iTunes AppStore and the Google Android store do not undergo the rigorous security testing that traditional enterprise applications do.

Neither application store does “white listing,” per se. As a result, users that download and use applications from either source are implicitly trusting that malicious application developers are not uploading software that can steal information from their handheld / smartphone device. Look for a serious instance of malware being uploaded and propagated in 2011.

  6. Demand for application security talent will jump dramatically; the supply of said talent will grow at a slower rate.

More organizations will start application security initiatives, and existing programs will become more organized and expand in size. 

This will create a strong demand for experienced professionals, but the supply will not grow at the desired rate. The overall average experience level of industry practitioners will decrease. Look for colleges and universities to begin partnering with private industry to create programs and professional accreditation in this emerging field.

  7. Utility systems will accelerate Smart Grid adoption with little or no attention paid to security.

Federal funding and clean energy initiatives will continue to move utility providers toward upgrading their production, distribution, and corporate networks to include “smart grid” technologies.

Most of these upgrades will be done with little or no attention paid to security. At particular risk are those providers relying on wireless technologies for their underlying infrastructure, because this puts the confidentiality and integrity of data transmissions – in both directions – at risk.

  8. Candidates for the next big application breach? The mid-size enterprise.

Mid-size enterprise organizations will be at particular risk. These will be organizations large enough to have custom software deployed, but not large enough to have mature application security initiatives in place.

In 2010, attackers used the Zeus botnet to target mid-sized organizations for quick “hit and run” thefts.  Even before that, phishers targeted the regional and mid-sized banks as the larger financials learned to detect and respond to their attacks.  Most of these mid-size organizations lack mature security practices across the board and have virtually non-existent IDS/IPS and incident response capabilities.  Those with custom applications deployed in 2011 will be particularly at risk.

Application architectures are getting increasingly complex as they integrate web applications, web services, mobile applications and “the cloud” (whatever that means). This makes automated tools even less of a solution than before for “automatically” finding vulnerabilities. An advantage of this is that it will be harder for attackers to automatically find exploitable vulnerabilities (as it was with untargeted SQL injection attacks sending stored XSS payloads). A disadvantage of this is that successful attacks will likely be very targeted, deadly, and will have impact on a “cloud” scale.


About Denim Group

Denim Group develops secure software, helps organizations assess and mitigate risk with existing software, and provides training on best practices in software security. Denim Group has worked with a range of Fortune 500 companies and public sector organizations, bringing a focused software development approach to the world of software security. Denim Group is a strong contributor to the larger application security community, and has been involved with the Open Web Application Security Project (OWASP) since shortly after its inception. Additionally, Denim Group was ranked 1,751 in Inc. Magazine’s 5000 Fastest-Growing Private Companies in America in 2009. For more information about Denim Group, visit

Reader Contact Information:
Denim Group, 3463 Magic Drive, Suite 315; San Antonio, TX 78229, Tel: 210-572-4400, Fax: 210-572-4401.



About Dan Cornell


A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

Categories: Uncategorized

2 Responses to “Denim Group Provides Guidance on Application Security Trends for 2011”

  1. visit us

    Greetings from California! I’m bored to death at work so I decided to browse your site on my iPhone during lunch break. I enjoy the info you provide here and can’t wait to take a look when I get home. I’m surprised at how fast your blog loaded on my phone .. I’m not even using WiFi, just 3G .. Anyways, wonderful blog!

  2. florist putrajaya

    This is my first time paying a quick visit here and I am truly pleased to read it all in one place.
