Post: Austin ISSA Slides: Structuring and Scaling an Application Security Program

The slides from my talk at Austin ISSA yesterday are online here: Structuring and Scaling an Application Security Program from Denim Group. The title of the talk was: Structuring and Scaling an Application Security Program. And the abstract was: Most organizations understand that the software they develop and deploy exposes them to risk from attackers. […]

Post: Upcoming Webinar on Mobile Application Security Assessments

I’ll be doing a webinar on mobile application security assessments on Wednesday October 22nd. We’ll be talking about how security issues can exist in code deployed on a mobile device, in corporate web services backing the device, in any third-party supporting services, as well as in the interactions between any of these components. The […]

Post: Limitations of Automated Tools for Dynamic Web Application Security Scanning

They can only find technical flaws in applications, not logical flaws. Application security scanners identify only around 30% of the most serious flaws that exist in large-scale web software systems. They cannot find the more serious vulnerabilities that are potentially painful to mitigate, such as architectural or design flaws that were introduced before coding or […]

Post: How Do I Fix Application Security Vulnerabilities?

The security industry often pays a tremendous amount of attention to finding security vulnerabilities – via code review, penetration testing and other assessment methods. Unfortunately, finding vulnerabilities is only the first step toward actually addressing the associated risks, and addressing these risks is arguably the most critical step in the vulnerability management process. Complicating matters […]

Post: How much time does application security remediation take?

This is almost entirely dependent on an organization’s staff availability and the severity and scope of the vulnerabilities identified. Depending on the organization, remediation efforts can take anywhere from one to two months to over a year. Denim Group typically recommends a phased, risk-based approach to remediation where serious vulnerabilities that are comparatively easy to […]

Post: The PHP Protocol, Filters and Local File Inclusion

Andrew wrote up some notes for our internal blog about an experience he had on a recent Capture the Flag (CTF) event. I thought they were interesting so we talked and decided to republish them here. <Andrew> I came across an interesting twist on exploiting a PHP local file inclusion vulnerability while participating in a CTF. […]