Come See Denim Group at OWASP BeNeLux 2012 in Leuven, Belgium

I’ll be headed to OWASP BeNeLux 2012 in Leuven, Belgium to do a day of training and give a presentation. Looking forward to catching up with OWASP folks, eating some Belgian chocolate and drinking some Belgian beer.

On Thursday, November 29th, 2012, I’ll be giving a one-day version of our “Running a Software Security Program on Open Source Tools” course. This is usually a two-day course, so it will be a pretty hectic day, but it should be fun. The course description is:

Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on exposure to a variety of freely-available tools that they can use to implement portions of these programs.


On Friday I’ll be giving a presentation titled “Streamlining Application Vulnerability Management: Communication Between Development and Security Teams”. The abstract is:

Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.


I’ve never been to Belgium before so I’m looking forward to the trip. Contact us if you want to meet up in Leuven!
dan _at_

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
