
Web Application Security

Post: Webinar: How iOS and Android Handle Security

Today I delivered a webinar on mobile application security and, specifically, on how the iOS and Android platforms handle security. Slides and audio are online here: How iOS and Android Handle Security Webinar from Denim Group. The goal of the webinar was twofold: educate developers on the security characteristics and capabilities of their chosen development […]

Post: Austin ISSA Slides: Structuring and Scaling an Application Security Program

The slides from my talk at Austin ISSA yesterday are online here: Structuring and Scaling an Application Security Program from Denim Group. The title of the talk was: Structuring and Scaling an Application Security Program. And the abstract was: Most organizations understand that the software they develop and deploy exposes them to risk from attackers. […]

Post: Mobile Application Security – Don’t Cheat Yourself

I recently did a webinar on mobile application security where we looked at some statistics pulled from a subset of our mobile security assessments to look at a couple of important issues: Where do the most serious vulnerabilities exist in mobile applications (mobile code, enterprise web services, or 3rd party web services)? What types of […]

Post: What is Code Signing?

Code signing is the process of attaching a digital signature to application binaries. A cryptographic hash identifies a specific application binary, and a signature over that hash, made with a developer's or organization's private key, binds the binary to that developer or organization. This allows other systems to establish several things about an application: The source of the application based on who signed the application […]
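The mechanism described above, as an added example that is not code from the original post or from any platform's signing tooling. It uses a bare Ed25519 key pair from Go's standard library in place of the X.509 certificate a real code-signing scheme would carry, hashes a constructed stand-in "binary" with SHA-256, signs the digest, and then runs the three checks a verifying system cares about: the untouched binary verifies, a binary with one byte changed does not, and another party's key does not verify the signature. The identity names and the binary contents are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer models a developer or organization's signing identity. Real code
// signing wraps the public key in a certificate chained to a CA or to a
// platform key store; here it is a bare Ed25519 key pair so the example
// runs offline (an assumption of this example, not a description of any
// platform's format).
type Signer struct {
	Name string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewSigner generates a fresh key pair for the named identity.
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, priv: priv, pub: pub}, nil
}

// Public returns the key a verifying system would trust, for example by
// pinning it or by validating the certificate that carries it.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Sign produces a detached signature. As in real code-signing formats, the
// signature covers a SHA-256 digest that uniquely identifies the binary.
func (s *Signer) Sign(binary []byte) []byte {
	digest := sha256.Sum256(binary)
	return ed25519.Sign(s.priv, digest[:])
}

// Verify re-hashes the binary and checks the signature against a trusted
// public key. It returns false for any modified byte or any other signer.
func Verify(trusted ed25519.PublicKey, binary, sig []byte) bool {
	digest := sha256.Sum256(binary)
	return ed25519.Verify(trusted, digest[:], sig)
}

// Result records the outcome of the three checks a verifying system makes.
type Result struct {
	Genuine     bool // untouched binary, right signer: expected true
	Tampered    bool // same signature, one byte of the binary flipped: expected false
	WrongSigner bool // same binary and signature, a different signer's key: expected false
}

// Demo runs the three checks over a constructed "binary" (an arbitrary byte
// string standing in for an executable).
func Demo() (Result, error) {
	dev, err := NewSigner("Example Developer")
	if err != nil {
		return Result{}, err
	}
	other, err := NewSigner("Unrelated Party")
	if err != nil {
		return Result{}, err
	}
	binary := []byte("\x7fELF constructed stand-in for an application binary")
	sig := dev.Sign(binary)

	// Flip the last byte: the digest changes, so the signature no longer matches.
	tampered := append([]byte(nil), binary...)
	tampered[len(tampered)-1] ^= 0x01

	return Result{
		Genuine:     Verify(dev.Public(), binary, sig),
		Tampered:    Verify(dev.Public(), tampered, sig),
		WrongSigner: Verify(other.Public(), binary, sig),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongSigner=%v\n", r.Genuine, r.Tampered, r.WrongSigner)
}
```

Two caveats worth keeping in mind when reading the output: a valid signature only proves that the named key signed exactly these bytes, not that the code is safe, and the whole check is only as strong as the way the verifying system obtained the trusted public key (certificate validation, pinning, or a platform key store).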

Post: Limitations of Automated Tools for Dynamic Web Application Security Scanning

They can only find technical flaws in applications, not logical flaws. Application security scanners identify only around 30% of the most serious flaws that exist in large-scale web software systems. They cannot find the more serious vulnerabilities that are potentially painful to mitigate, such as architectural or design flaws that were introduced before coding or […]
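To make the first limitation concrete, here is an added example (not code from the original post) of a checkout function with a pure business-logic flaw next to a hardened version, plus two probe routines: one that sends the kind of input a dynamic scanner sends and counts reflected or leaking error responses, and one that encodes the expected business outcome the way a human tester would. The catalog, the SKUs and the probe payloads are constructed for the example; the point it shows is that both versions look identical to the technical probes, while only the logic probes separate them.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Order is what a client submits to a checkout endpoint. Price is the design
// mistake: the client is allowed to state what an item costs.
type Order struct {
	SKU      string
	Quantity int
	Price    int // cents, as submitted by the client
}

// Checkout computes a charge in cents or rejects the order.
type Checkout func(Order) (int, error)

// catalog is the server-side source of truth for prices (constructed data).
var catalog = map[string]int{"WIDGET": 2500, "GADGET": 9900}

// VulnerableCheckout trusts the client. Hostile strings in SKU do no harm
// here (no SQL, no template) and every request gets a clean answer, so there
// is nothing technical for a scanner to flag. The flaw is purely logical:
// Price and Quantity are never checked against anything.
func VulnerableCheckout(o Order) (int, error) {
	return o.Quantity * o.Price, nil
}

// HardenedCheckout enforces the business rule: the price comes from the
// catalog, quantity must be positive and bounded, and unknown SKUs are
// rejected with a generic message that does not echo the input.
func HardenedCheckout(o Order) (int, error) {
	price, ok := catalog[o.SKU]
	if !ok {
		return 0, errors.New("unknown item")
	}
	if o.Quantity <= 0 || o.Quantity > 100 {
		return 0, errors.New("quantity out of range")
	}
	return o.Quantity * price, nil
}

// TechnicalProbes sends the kind of input a dynamic scanner sends: injection
// strings, script tags, oversized values. It counts a finding when the
// response reflects the payload, which is the evidence a scanner looks for.
// Both handlers above score zero.
func TechnicalProbes(c Checkout) int {
	payloads := []string{
		"' OR '1'='1",
		"<script>alert(1)</script>",
		strings.Repeat("A", 8192),
	}
	findings := 0
	for _, p := range payloads {
		_, err := c(Order{SKU: p, Quantity: 1, Price: 2500})
		if err != nil && strings.Contains(err.Error(), p) {
			findings++ // payload reflected in an error message
		}
	}
	return findings
}

// LogicProbes encode what a human tester checks: does the charge match the
// catalog, and can the customer make it smaller than it should be? Each case
// states the expected outcome, which a scanner has no way to know.
func LogicProbes(c Checkout) int {
	type probe struct {
		o    Order
		want int // expected total; -1 means the order must be rejected
	}
	cases := []probe{
		{Order{"WIDGET", 2, 2500}, 5000}, // honest order
		{Order{"WIDGET", 2, 1}, 5000},    // client-supplied price of 1 cent
		{Order{"WIDGET", -1, 2500}, -1},  // negative quantity (refund trick)
		{Order{"FREEBIE", 1, 0}, -1},     // item not in catalog
	}
	findings := 0
	for _, p := range cases {
		got, err := c(p.o)
		if p.want < 0 {
			if err == nil {
				findings++
			}
		} else if err != nil || got != p.want {
			findings++
		}
	}
	return findings
}

func main() {
	for _, h := range []struct {
		name string
		c    Checkout
	}{{"vulnerable", VulnerableCheckout}, {"hardened", HardenedCheckout}} {
		fmt.Printf("%-10s technical findings=%d logic findings=%d\n", h.name, TechnicalProbes(h.c), LogicProbes(h.c))
	}
}
```

Running it prints zero technical findings for both handlers and three logic findings for the vulnerable one against none for the hardened one. The logic probes only exist because someone wrote down what the correct total is; that knowledge of intended behaviour, not a better payload list, is what a scanner lacks.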

Post: Mobile Application Security Assessment By the Numbers – a Whole-Istic View

In addition to exposure from their web applications, organizations are realizing that their expanding portfolio of mobile applications also provides an avenue of attack for malicious actors. The challenge is that mobile applications are often more complicated than their web-based counterparts: they have code that runs on untrusted user devices, code running on corporate web services, […]