FROC2010 Abstract Cornell
The Presentation: "Application Security Program Management with Vulnerability Manager"
Using free Java-based software, application security managers can now have increased visibility into and control of enterprise security programs as well as the data that can be used to support sophisticated conversations with their managers and executives. Denim Group's Vulnerability Manager works through a centralized system to allow security teams to import and consolidate application-level vulnerabilities, automatically generate virtual patches, monitor attack attempts, communicate with defect tracking systems, and evaluate team maturity. Vulnerability Manager is a Java-based web application available for free under the Mozilla Public License.
This demonstration will cover the major functional areas of the Vulnerability Manager: • Application portfolio management – Creating a portfolio of application under management and tracking critical information about those applications such as associated technologies and sensitivity of data under management. • Vulnerability import and merging – Importing results of both static and dynamic scans of code, de-duplicating results and merging the output from multiple tools into a unified view of the security state of an application. • Automated virtual patch generation – Automatically creating IDS/IPS and WAF rules to provide real-time protection for certain classes of vulnerabilities as well as consuming log results from WAF/IDS/IPS in order to identify which vulnerabilities are under active attack. • Defect tracker integration – Bundling multiple vulnerabilities into packages, sending them to software defect tracking systems, and monitoring the defects to identify when software developers have closed them out. • Team maturity evaluation – Tracking interviews with development teams related to the security practices they have adopted based on maturity models such as OpenSAMM.
In addition, the presentation will explain the internals of the Vulnerability Manager software – the design decisions made as well as opportunities to extend the system to support additional technologies.
The Speaker: Bryan Beverly
Bryan Beverly is Lead Consultant at Denim Group with thirteen years of business application development experience. At Denim Group, Bryan is responsible for defining and enforcing development processes and for performing black box and white box scans for clients in the public and private sectors. An on-site trainer for secure development best practices, Bryan has trained internal development teams for the military, commercial software developers, and financial institutions. Bryan is a co-developer and provides technical leadership on the Open Source Denim Group Vulnerability Manager project.