State-wide PBS Stations to Broadcast Texas Lyceum’s Recent Great Debate - “Our Growing Lives Online; Safe or Not”
February 15, 2010
Last weekend, John Dickson, Denim Group Principal, acted as Conference Chair for the Texas Lyceum’s first quarterly meeting of 2010 (#TexasLyceumSA).
Starting this Thursday, regional PBS stations in Texas will air the Great Debate. It’s great to see the issue of cyber security being brought into the mainstream and out of the techie world. Thought leaders like John Dickson are contributing to the conversation. You can follow John on Twitter.
Air times for the broadcast are as follows:
Amarillo > KACV > Thursday, February 18 at 8:00 p.m.
Austin > KLRU > Thursday, February 18 at 8:00 p.m.
Corpus Christi > KEDT > Thursday, February 18 at 7:00 p.m.
El Paso > KCOS > Sunday, February 21 at 1:00 p.m.
Killeen > KNCT > will air it in April
Houston > KUHT > Sunday, February 21 at 4:00 p.m.
Lubbock > KTXT > Sunday, February 21 at 1:00 p.m.
Midland/Odessa > KPBT > Thursday, February 18 at 8 p.m.
San Antonio > KLRN > Thursday, Feb. 18 at 8:00 p.m.
Waco > KWBU > Sunday, February 21 at 1:30 p.m.
Technology Preview of Denim Group’s Vulnerability Manager now available
January 15, 2010
San Antonio’s Denim Group just made the “technology preview” release of their Vulnerability Manager application available. This is an internal Denim Group project they’ve been working on for a number of months. It has been through a number of private and semi-public demonstrations, so they are really excited to make it available to a broader audience.
Vulnerability Manager is a Java/Spring/Hibernate-based web application allowing organizations to automate and centrally manage administration of many of the functions of an application security program:
· Create and maintain a portfolio of applications
· Import and merge vulnerability results from a variety of free and commercial static and dynamic scanning tools
· Automatically generate WAF and IDS/IPS rules for identified vulnerabilities (virtual patching)
· Track attack statistics for vulnerabilities based on WAF and IDS/IPS logs
· Bundle vulnerabilities and send them to defect tracking systems
· Track team maturity practices according to standards such as OpenSAMM
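The second bullet above, importing and merging results from several scanners, is the step where most of the value of a central vulnerability tracker comes from: two tools reporting the same flaw should become one finding with two pieces of evidence, not two tickets. The following is an added example written for this post, not Denim Group’s Vulnerability Manager code. The two scanner report formats (a hypothetical dynamic scanner "dynscan" and a hypothetical static analyzer "statscan") and their sample findings are constructed; a real importer would parse each tool’s actual output schema.

```python
"""Merge vulnerability findings from several scanners into one de-duplicated list.

Added example, not Denim Group's Vulnerability Manager code. The two scanner
report formats below are constructed for illustration; real tools each have
their own schema, and a production importer would parse those instead.
"""

# Constructed sample output of a hypothetical dynamic scanner ("dynscan").
DYNSCAN_REPORT = [
    {"app": "storefront", "url": "/search", "param": "q", "cwe": 79,
     "severity": "High", "evidence": "reflected script payload"},
    {"app": "storefront", "url": "/account/orders", "param": "id", "cwe": 89,
     "severity": "Critical", "evidence": "SQL error on quote"},
]

# Constructed sample output of a hypothetical static analyzer ("statscan"),
# which reports file/line rather than URL, plus the route the code handles.
STATSCAN_REPORT = [
    {"app": "storefront", "route": "/search", "parameter": "q",
     "cwe_id": "CWE-79", "file": "SearchServlet.java", "line": 42, "severity": "Medium"},
    {"app": "storefront", "route": "/account/profile", "parameter": "email",
     "cwe_id": "CWE-79", "file": "ProfileServlet.java", "line": 88, "severity": "Medium"},
]

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def normalize_dynscan(report):
    """Map dynscan's fields onto a common schema: app, path, param, cwe, severity, tool, detail."""
    for f in report:
        yield {
            "app": f["app"], "path": f["url"], "param": f["param"],
            "cwe": f["cwe"], "severity": f["severity"], "tool": "dynscan",
            "detail": f["evidence"],
        }


def normalize_statscan(report):
    """Map statscan's fields onto the same common schema (CWE id parsed from 'CWE-nn')."""
    for f in report:
        yield {
            "app": f["app"], "path": f["route"], "param": f["parameter"],
            "cwe": int(f["cwe_id"].split("-")[1]), "severity": f["severity"],
            "tool": "statscan", "detail": f"{f['file']}:{f['line']}",
        }


def merge_findings(*normalized_streams):
    """Group findings by (app, path, param, cwe); keep the highest severity and every tool's evidence."""
    merged = {}
    for stream in normalized_streams:
        for f in stream:
            key = (f["app"], f["path"], f["param"], f["cwe"])
            entry = merged.setdefault(key, {
                "app": f["app"], "path": f["path"], "param": f["param"], "cwe": f["cwe"],
                "severity": f["severity"], "found_by": set(), "details": [],
            })
            entry["found_by"].add(f["tool"])
            entry["details"].append(f"{f['tool']}: {f['detail']}")
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = f["severity"]
    # Findings corroborated by more than one tool sort first, then by severity.
    return sorted(merged.values(),
                  key=lambda e: (-len(e["found_by"]), -SEVERITY_RANK[e["severity"]]))


def merge_sample_reports():
    """Run the merge over the two constructed reports above."""
    return merge_findings(normalize_dynscan(DYNSCAN_REPORT),
                          normalize_statscan(STATSCAN_REPORT))


if __name__ == "__main__":
    for e in merge_sample_reports():
        print(e["severity"], e["app"], e["path"], e["param"],
              f"CWE-{e['cwe']}", sorted(e["found_by"]), e["details"])
```

The merge key is deliberately coarse (application, path, parameter, CWE) so that a static and a dynamic tool describing the same injection point collapse into one record; the per-tool detail strings are kept so the evidence is not lost when the finding is bundled off to a defect tracker.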
There is an online screencast demo here:
Vulnerability Manager sprung from a number of conversations and engagements we had with clients discussing the problems they faced getting application security programs working in their organizations. At Denim Group we have been fortunate to have the opportunity to work with folks across the spectrum of application security maturity and we think we have assembled some capabilities that will be compelling to many organizations.
Please remember, this is a “technology preview” release of the application. What this means is:
· In short – it still needs serious work before I would put it in production. Please be kind and constructive in your feedback
· It works well for our example files under controlled conditions. Outside of those circumstances… good luck (please let us know about any issues)
· The application has not been through a proper security review and has, in fact, been built in an ad hoc manner that we are aggressively working to correct (please do as we say, not as we’ve done thus far)
· A number of must-have features surrounding configuration and workflow have not yet been completed. Those are in progress
· “Vulnerability Manager” is a terrible name for an application and we promise to come up with something cooler
If you explore the Vulnerability Manager site you can see a demonstration video showing how this works as well as some screenshots. You can also download a running Tomcat-hosted version of the code. We welcome feedback – especially constructive feedback. Please submit feedback here.
Contact Denim Group for more information about Vulnerability Manager and how you can use it to improve your application security program.
San Antonio’s Denim Group Advising Utility Companies of Significant Security and Privacy Risks as they Transition to Smart Grid Technologies
November 19, 2009
San Antonio-based Denim Group, an IT consultancy that develops secure software and helps organizations assess and mitigate risks with their existing software, is advising utility companies of significant security and privacy risks as they transition to smart grid technologies. With advanced meters and smart grid technologies being deployed, Internet attacks, malware, and privacy breaches have become a bigger risk if the appropriate
“It will be difficult to put the genie back in the bottle when smart grid technologies are deployed,” said John Dickson, Principal of Denim Group. “Advanced meters are Internet-based network computing devices, with many of the inherent security challenges of traditional network security. There are significant security and privacy implications that we hope are being taken into consideration - protecting these systems shouldn’t be an afterthought. While the cost of prevention is low, the cost of remediation can be extraordinary. The principles we’ve learned from designing and building secure systems and software apply to these smart grid technologies as well and should be rigorously followed.”
“Public Utility Commissions have the unique opportunity to determine the security and integrity of the security metering system,” added Ravi Sandhu, Executive Director of The University of Texas at San Antonio’s Institute for Cyber Security. “Historically, the stand-alone, proprietary nature of the mechanical metering system provided a level of security but limited options for expanded utility and flexibility.
Networking these systems requires all parties to re-think the security impact on closed networks and their ecosystems. The integrity of the system network must be maintained and the privacy of the consumers’ data must remain confidential.”
Dickson advises utility companies to consider the following key strategies when deploying smart grid technologies. Dickson has also testified at the Texas Public Utilities Commission on public grid policies.
- Don’t take on blind faith what hardware vendors communicate about the security of their devices. Ask smart grid technology suppliers rigorous questions about what 3rd party testing they’ve done.
- Build an architecture that implements a defense in depth strategy. Avoid classic single point of failure design flaws that create a “crunchy on the outside, chewy on the inside” security model.
- Trust, but verify. Conduct rigorous, recurring 3rd party audits. These audits should follow an agreed-upon format and focus on the smart grid system from the perspective of an attacker. Testing should not be driven purely by compliance purposes, and should emphasize technical aspects throughout. Finally, as technology evolves, ensure that auditing evolves with it.
- Conduct detailed threat modeling when new functionality is added to the system. Threat models should provide system designers feedback to build more secure systems.
- Understand who can access these systems, such as administrators, auditors, producers, and customers, and precisely what access they have. Put technical controls in place to ensure that these different players cannot access each other’s private data.
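The last recommendation, keeping administrators, auditors, producers and customers out of each other’s data, is the one most easily reduced to code. The following is an added example written for this post, not code from Denim Group or any utility. The roles, actions, record kinds and the sample principals are constructed; the point it demonstrates is a deny-by-default policy where each party gets exactly the access its job needs and every decision, allowed or denied, is logged for the auditors.

```python
"""Deny-by-default access check separating the parties that touch a metering system.

Added example (not Denim Group's or any utility's code). Roles, actions and
record kinds are constructed to illustrate segregating each party's data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    id: str
    role: str          # "customer", "producer", "auditor" or "administrator"
    utility: str = ""  # service provider the principal works for, if any


@dataclass(frozen=True)
class MeterRecord:
    meter_id: str
    customer_id: str   # the consumer the meter belongs to
    utility: str       # the provider operating the meter
    kind: str          # "reading", "config" or "audit_log"


# Policy table: (role, action, record kind) -> extra condition that must also hold.
# Anything not listed here is denied. Customers see only their own readings;
# producers see readings only for meters they operate; administrators manage
# device configuration but never read consumption data; auditors read only
# configuration and the audit trail.
POLICY = {
    ("customer", "read", "reading"): lambda p, r: p.id == r.customer_id,
    ("producer", "read", "reading"): lambda p, r: p.utility == r.utility,
    ("administrator", "read", "config"): lambda p, r: p.utility == r.utility,
    ("administrator", "write", "config"): lambda p, r: p.utility == r.utility,
    ("auditor", "read", "config"): lambda p, r: True,
    ("auditor", "read", "audit_log"): lambda p, r: True,
}

AUDIT_TRAIL = []  # constructed in-memory stand-in for a tamper-evident log


def is_allowed(principal, action, record):
    """Return True only if a policy row exists for this triple and its condition holds."""
    rule = POLICY.get((principal.role, action, record.kind))
    return bool(rule and rule(principal, record))


def access(principal, action, record):
    """Make the decision and record it, so denials are visible to auditors too."""
    decision = is_allowed(principal, action, record)
    AUDIT_TRAIL.append((principal.id, principal.role, action, record.meter_id,
                        "ALLOW" if decision else "DENY"))
    return decision


# Constructed sample data: two customers on different providers.
METER_A = MeterRecord("m-100", customer_id="cust-1", utility="util-A", kind="reading")
METER_B = MeterRecord("m-200", customer_id="cust-2", utility="util-B", kind="reading")
CONFIG_A = MeterRecord("m-100", customer_id="cust-1", utility="util-A", kind="config")


def run_scenarios():
    """Exercise the policy; returns a dict of named decisions."""
    cust1 = Principal("cust-1", "customer")
    producer_a = Principal("ops-7", "producer", utility="util-A")
    admin_a = Principal("adm-3", "administrator", utility="util-A")
    auditor = Principal("aud-9", "auditor")
    return {
        "customer_own_reading": access(cust1, "read", METER_A),
        "customer_other_reading": access(cust1, "read", METER_B),
        "producer_own_utility": access(producer_a, "read", METER_A),
        "producer_other_utility": access(producer_a, "read", METER_B),
        "admin_reads_consumption": access(admin_a, "read", METER_A),
        "admin_writes_config": access(admin_a, "write", CONFIG_A),
        "auditor_reads_reading": access(auditor, "read", METER_A),
        "auditor_reads_config": access(auditor, "read", CONFIG_A),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:26s} {'ALLOW' if ok else 'DENY'}")
    print(len(AUDIT_TRAIL), "decisions logged")
```

Keeping the policy in one table rather than scattered `if` checks is what makes it reviewable by a third-party auditor: the whole access model is a few lines that can be compared against the threat model each time new functionality is added.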
Denim Group is currently working with several public and private initiatives to help utility companies address and mitigate vulnerability issues associated with smart grid and other technologies, and has performed assessments of numerous public utilities. Service providers are encouraged to implement the recommendations as early in the design process as possible to have the greatest effect on the security of the smart grid.
San Antonio’s Denim Group featured in (San Antonio’s) Building43 / Rackspace Blog
October 1, 2009
San Antonio’s Security Community Opens New Opportunities for Startups
September 19, 2009
Denim Group’s John Dickson’s presentation to ISSA San Antonio last week on the San Antonio Security Community is now online. Take a look for more information on the cluster of information security firms and organizations based here in San Antonio.
Denim Group’s John Dickson salutes San Antonio getting the Air Force’s Cyber Command to move here
September 11, 2009
Last week at the San Antonio Tech Mixer, Denim Group’s John Dickson was the featured speaker, talking about the importance of San Antonio getting the Air Force’s Cyber Command to move to our city. Here are John’s remarks.
SA-based Denim Group’s John Dickson Reflects on Black Hat 2009
August 5, 2009
John Dickson, Principal at San Antonio-based Denim Group, reflects on his recent travels to Black Hat 2009. John talks about smart metering technology, the electric smart grid, security breaches, application security strategies, and the landscape of the security industry.
Disclosure: I am a PR / Social Media Consultant to Denim Group
Denim Group Teams Up with WhiteHat Security
July 28, 2009
Today at Black Hat USA 2009, San Antonio-based Denim Group, an IT consultancy that develops secure software and helps organizations assess and mitigate risks with their existing software, announced that it has teamed with WhiteHat Security, the leading provider of website risk management solutions. The partnership enables Denim Group to expand its portfolio of services by offering WhiteHat Sentinel for ongoing website vulnerability management to quickly and accurately identify security defects in Web applications. A related video to this announcement may be viewed at: http://tinyurl.com/nzkrcy.
“Today, more than 70 percent of hacker attacks worldwide are actively targeting websites, and 80% of sites have a serious vulnerability, so the importance of website security cannot be overstated,” said Jeremiah Grossman, founder and CTO of WhiteHat Security. “We’re pleased to partner with an experienced application security provider like Denim Group to ensure that companies have ongoing website vulnerability management oversight which enables them to protect critical data, ensure compliance, and narrow the window of risk.”
The WhiteHat Sentinel family of website security solutions delivers the visibility, flexibility and control that enables companies to secure their websites, regardless of company size or volume of applications. WhiteHat Sentinel delivers accurate, and verified results via an on-demand, SaaS-based subscription service, combining advanced proprietary automated scanning technology with expert analysis. Once software vulnerabilities are identified, Denim Group’s seasoned development team can prioritize risks and quickly remediate security defects found in its customers’ applications. In addition, Denim Group offers website security training, providing everything from individual courses to entire training and process improvement initiatives targeted at those building, testing, and managing custom software.
“This partnership allows Denim Group to use White Hat’s technology to provide its clients with ongoing vulnerability assessment for their Web application portfolio,” said Dan Cornell, principal of Denim Group. “In addition, we can accelerate remediation times for WhiteHat’s customers and offer targeted education services on Web application security so that the same vulnerabilities don’t get reintroduced.”
About Denim Group
Denim Group develops secure software, helps organizations assess and mitigate risk with existing software, and provides training on best practices in software security. Denim Group has worked with a range of Fortune 500 companies and public sector organizations, bringing a focused software development approach to the world of software security. The Company provides clients with secure .NET and Java development services and remediates serious software flaws in existing application portfolios. Denim Group also identifies vulnerabilities and quantifies risks that vulnerable applications represent through assessments, code reviews, and application-focused penetration testing. Training complements Denim Group’s development and testing services by helping organizations build an internal competency in secure software development and testing through a combined classroom instruction and e-Learning approach.
Denim Group is a strong contributor to the larger application security community, and has been involved with the Open Web Application Security Project (OWASP) since shortly after its inception. Additionally, Denim Group was ranked 1101 in Inc. Magazine’s 5000 Fastest-Growing Private Companies in America in 2008.
For more information about Denim Group, visit www.denimgroup.com.
About WhiteHat Security, Inc.
Headquartered in Santa Clara, California, WhiteHat Security is the leading provider of website risk management solutions that protect critical data, ensure compliance and narrow the window of risk. WhiteHat Sentinel, the company’s flagship product family, is the most accurate, complete and cost-effective website vulnerability management solution available. It delivers the visibility, flexibility, and control that organizations need to prevent Web attacks. Furthermore, WhiteHat Sentinel enables automated mitigation of website vulnerabilities via integration with Web application firewalls. To learn more about WhiteHat Security, please visit our website at www.whitehatsec.com
Denim Group Launches ThreadStrong
July 7, 2009
San Antonio’s Denim Group, an IT consultancy that develops secure software and helps organizations assess and mitigate risks with their existing software, announced today that it has launched ThreadStrong, a self-paced online training curriculum to teach developers how to build security into their applications. ThreadStrong also helps satisfy compliance regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), which require developers be provided secure development training.
ThreadStrong’s curriculum is generated by senior software security consultants from Denim Group. This core team spends a significant amount of their time actually building software, so examples and other content are pulled from real world experience conducting code reviews and secure software initiatives.
ThreadStrong’s courses include Introduction to Application Security Concepts, Application Security for Java, Application Security for .NET, and Threat Modeling. The courses range in length from 1 to 4 hours and are based on the e-Learning model, which allows team members to learn at their own pace and avoids the added expense and logistics of employing trainers to visit multiple locations. In addition, testing and reporting features enable managers to measure, monitor and report to auditors on employee progress.
“There’s a growing need for application security training and our experts who created ThreadStrong have trained thousands of developers worldwide,” said Dan Cornell, Principal of Denim Group. “ThreadStrong also ensures that team members know about new threats and attack techniques by providing regular updates to course content to keep employees current on industry issues.”
Denim Group’s eLearning Content Available for Industry Partnerships
Denim Group designed its content strategy so that industry partners could license specific learning modules, using their brand and tailoring it specific to their customer needs. “In developing the courseware strategy for ThreadStrong, our goal was to also help our partners develop new market opportunities for compliance and on-going training,” added Cornell.
ThreadStrong’s courses feature:
· Detailed Examples
· Multi-Media and Text Lessons
· Interactive Quizzes with Review Questions
· Certificates Upon Successful Course Completion
· Quarterly Updates
· SCORM-Compliant Content
· User-Friendly Interface
Disclosure: Denim Group is a client of Alan Weinkrantz, who authors this blog
Denim Group Innovates with Unique Expertise in Software Security
April 6, 2009
I recently had the opportunity to visit with San Antonio-based Denim Group’s Director of Operations, Aaron Copeland. The company is on the bleeding edge, doing some very cool things in the area of software security.