Denim Group at OWASP AppSecEU 2012

I’ll be headed to Athens, Greece for AppSecEU this year, delivering both a training class and a conference presentation.

The training class description is:

Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools, with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, FxCop, CAT.NET, Brakeman, Agnitio, Arachni, w3af, ZAProxy, ThreadFix, as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.

And the course outline is:

·  So You Want To Roll Out A Software Security Program?
·  The Software Assurance Maturity Model (OpenSAMM)
      ·  ThreadFix: Overview
·  Governance: Strategy and Metrics
      ·  ThreadFix: Reporting
·  Governance: Policy and Compliance
·  Governance: Education and Guidance
      ·  OWASP Development Guide
      ·  OWASP Cheat Sheets
      ·  OWASP Secure Coding Practices
·  Construction: Threat Assessment
·  Construction: Security Requirements
·  Construction: Secure Architecture
      ·  ESAPI overview
      ·  Microsoft Web Protection Library (Anti-XSS) overview
·  Verification: Design Review
      ·  Microsoft Threat Analysis and Modeling Tool
·  Verification: Code Review
      ·  FindBugs
      ·  FxCop
      ·  CAT.NET
      ·  Brakeman
      ·  Agnitio
·  Verification: Security Testing
      ·  Arachni
      ·  w3af
      ·  ZAProxy
·  Deployment: Vulnerability Management
      ·  ThreadFix: Defect Tracker Integration
·  Deployment: Environment Hardening
      ·  Microsoft Baseline Security Analyzer (MBSA)
·  Deployment: Operational Enablement
      ·  mod_security

I will also be giving a presentation titled “Benchmarking Web Application Scanners for YOUR Organization”. The abstract for the presentation is:
Web applications pose significant risks for organizations. The selection of an appropriate scanning product or service can be challenging because every organization develops their web applications differently and decisions made by developers can cause wide swings in the value of different scanning technologies. To make a solid, informed decision, organizations need to create development team- and organization-specific benchmarks for the effectiveness of potential scanning technologies. This involves creating a comprehensive model of false positives, false negatives and other factors prior to mandating analysis technologies and making decisions about application risk management. This presentation provides a model for evaluating application analysis technologies, introduces an open source tool for benchmarking and comparing tool effectiveness, and outlines a process for making organization-specific decisions about analysis technology selection.
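To make the benchmarking idea in the abstract concrete, here is an added example (it is not code from the original post, and it is not the open source benchmarking tool the talk introduces). It scores two hypothetical scanners against a constructed set of known vulnerabilities in an organization's own test application, computing true positives, false positives, false negatives, precision, recall and F1, plus recall broken out per vulnerability class so that it is visible which kinds of bugs a given scanner misses on this organization's code. All scanner names, paths, parameters and findings are constructed for illustration.

```python
# Added example: scoring scanner findings against an organization-specific
# set of known vulnerabilities. Data below is constructed, not real output.
from collections import defaultdict

# A finding is identified by (vulnerability class, URL path, parameter).
# The parameter is None for request-level issues such as CSRF.

# Constructed ground truth: issues seeded or manually confirmed in a test
# application built the way this organization's developers build apps.
GROUND_TRUTH = {
    ("xss", "/search", "q"),
    ("xss", "/profile", "bio"),
    ("sqli", "/login", "username"),
    ("sqli", "/reports", "id"),
    ("csrf", "/transfer", None),
}

# Constructed results from two hypothetical scanners run against that app.
SCANNER_RESULTS = {
    "scanner_a": {
        ("xss", "/search", "q"),
        ("xss", "/profile", "bio"),
        ("sqli", "/login", "username"),
        ("xss", "/about", "lang"),      # not in ground truth: false positive
        ("sqli", "/reports", "sort"),   # wrong parameter: also a false positive
    },
    "scanner_b": {
        ("xss", "/search", "q"),
        ("sqli", "/login", "username"),
        ("sqli", "/reports", "id"),
        ("csrf", "/transfer", None),
    },
}


def score(findings, truth):
    """Overall TP/FP/FN counts and the derived precision, recall and F1."""
    tp = findings & truth
    fp = findings - truth
    fn = truth - findings
    precision = len(tp) / len(findings) if findings else 0.0
    recall = len(tp) / len(truth) if truth else 0.0
    denom = precision + recall
    f1 = (2 * precision * recall / denom) if denom else 0.0
    return {
        "tp": len(tp), "fp": len(fp), "fn": len(fn),
        "precision": precision, "recall": recall, "f1": f1,
        # Sort with None mapped to "" so mixed-type tuples compare cleanly.
        "missed": sorted(fn, key=lambda f: (f[0], f[1], f[2] or "")),
    }


def recall_by_class(findings, truth):
    """Recall per vulnerability class: shows which kinds of bugs are missed."""
    expected = defaultdict(int)
    found = defaultdict(int)
    for f in truth:
        expected[f[0]] += 1
        if f in findings:
            found[f[0]] += 1
    return {cls: found[cls] / expected[cls] for cls in expected}


def benchmark(results, truth):
    """Score every scanner against the same ground truth."""
    report = {}
    for name, findings in results.items():
        report[name] = score(findings, truth)
        report[name]["recall_by_class"] = recall_by_class(findings, truth)
    return report


if __name__ == "__main__":
    for name, r in benchmark(SCANNER_RESULTS, GROUND_TRUTH).items():
        print(f"{name}: precision={r['precision']:.2f} recall={r['recall']:.2f} "
              f"f1={r['f1']:.2f} fp={r['fp']} fn={r['fn']}")
        for cls, rc in sorted(r["recall_by_class"].items()):
            print(f"  {cls}: recall={rc:.2f}")
        if r["missed"]:
            print("  missed:", r["missed"])
```

The aggregate numbers alone would rank the second scanner ahead, but the per-class breakdown is what matters for an organization-specific decision: if this organization's developers routinely build forms that are exposed to CSRF, a scanner with zero CSRF recall on their own test application is a poor fit regardless of its overall score, and the ground truth should keep growing as real findings are confirmed or rejected over time.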
Click here to register for the conference and the training and please contact us if you’d like to meet up in Athens.
–Dan
dan _atdenimgroup.com


About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry-leading application vulnerability management platform.
