“Technology Preview” Release of Vulnerability Manager Now Available

Today we made the “technology preview” release of our Vulnerability Manager application available.  This is an internal Denim Group project we have been working on for a number of months.  It has been through a number of private and semi-public demonstrations, so we are really excited to make it available to a broader audience.

Vulnerability Manager is a Java/Spring/Hibernate-based web application allowing organizations to automate and centrally manage administration of many of the functions of an application security program:

·Create and maintain a portfolio of applications

·Import and merge vulnerability results from a variety of free and commercial static and dynamic scanning tools

·Automatically generate WAF and IDS/IPS rules for identified vulnerabilities (virtual patching)

·Track attack statistics for vulnerabilities based on WAF and IDS/IPS logs

·Bundle vulnerabilities and send them to defect tracking systems

·Track team maturity practices according to standards such as OpenSAMM

There is an online screencast demo here:

Vulnerability Manager sprang from a number of conversations and engagements we had with clients discussing the problems they faced getting application security programs working in their organizations.  At Denim Group we have been fortunate to have the opportunity to work with folks across the spectrum of application security maturity, and we think we have assembled some capabilities that will be compelling to many organizations.

Please remember, this is a “technology preview” release of the application.  What this means is:

·In short – it still needs serious work before I would put it in production.  Please be kind and constructive in your feedback

·It works well for our example files under controlled conditions.  Outside of those circumstances…  good luck (please let us know about any issues)

·The application has not been through a proper security review and has, in fact, been built in an ad hoc manner that we are aggressively working to correct (please do as we say, not as we’ve done thus far)

·A number of must-have features surrounding configuration and workflow have not yet been completed.  Those are in progress

·“Vulnerability Manager” is a terrible name for an application and we promise to come up with something cooler

If you explore the Vulnerability Manager site you can see a demonstration video showing how this works as well as some screenshots.  You can also download a running Tomcat-hosted version of the code.  We welcome feedback – especially constructive feedback.  Please submit feedback here.

Contact us for more information about Vulnerability Manager and how you can use it to improve your application security program.

dan _at_ denimgroup.com

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.