Information Security

Post: Hacker Or Military? Best Of Both In Cyber Security

How radically different approaches play out across the security industry. Three things happened to me before BlackHat 2014 to bring the entire NSA / Edward Snowden drama back to the forefront. The media reminded us of the one-year anniversary of the original Snowden leaks. At the same time, I saw newly retired General Keith Alexander deliver a […]

Post: Mobile Application Security – Don’t Cheat Yourself

I recently did a webinar on mobile application security where we looked at some statistics pulled from a subset of our mobile security assessments to look at a couple of important issues: Where do the most serious vulnerabilities exist in mobile applications (mobile code, enterprise web services, or 3rd party web services)? What types of […]

Post: Threat Modeling for System Builders and System Breakers

Dan Cornell of Denim Group’s presentation to Los Alamos National Labs entitled Threat Modeling for System Builders and System Breakers.

Post: Mobile Application Security Assessment By the Numbers – a Whole-Istic View

In addition to exposure from their web applications, organizations are realizing their expanding portfolio of mobile applications also provides an avenue of attack for malicious actors. The challenge is that mobile applications are often more complicated than their web-based counterparts – they have code that runs on untrusted user devices, code running on corporate web services, […]

Post: Getting Your Security Budget Approved without FUD

Security teams need resources if they are going to be successful protecting an organization’s information assets. However, in most organizations it is challenging to get even the resources needed to fulfill compliance requirements – to say nothing of those needed to actually run a successful security program. A common tactic is to resort to fear, […]

Post: Security Training: Necessary Evil, a Waste of Time or a Genius Move?

Denim Group has been doing some research looking at the effectiveness of training developers on security via e-Learning and instructor-led training, and John Dickson presented the initial results of this research at OWASP AppSecUSA 2013 and Security BSides San Francisco 2014. You can see a video of his AppSecUSA 2013 presentation here. And see […]