FROC2010 Abstract Cornell
The Presentation: "Application Security Program Management with Vulnerability Manager"
Using free Java-based software, application security managers can now have increased visibility into and control of enterprise security programs as well as the data that can be used to support sophisticated conversations with their managers and executives. Denim Group's Vulnerability Manager works through a centralized system to allow security teams to import and consolidate application-level vulnerabilities, automatically generate virtual patches, monitor attack attempts, communicate with defect tracking systems, and evaluate team maturity. Vulnerability Manager is a Java-based web application available for free under the Mozilla Public License.
This demonstration will cover the major functional areas of the Vulnerability Manager: • Application portfolio management – Creating a portfolio of application under management and tracking critical information about those applications such as associated technologies and sensitivity of data under management. • Vulnerability import and merging – Importing results of both static and dynamic scans of code, de-duplicating results and merging the output from multiple tools into a unified view of the security state of an application. • Automated virtual patch generation – Automatically creating IDS/IPS and WAF rules to provide real-time protection for certain classes of vulnerabilities as well as consuming log results from WAF/IDS/IPS in order to identify which vulnerabilities are under active attack. • Defect tracker integration – Bundling multiple vulnerabilities into packages, sending them to software defect tracking systems, and monitoring the defects to identify when software developers have closed them out. • Team maturity evaluation – Tracking interviews with development teams related to the security practices they have adopted based on maturity models such as OpenSAMM.
In addition, the presentation will explain the internals of the Vulnerability Manager software – the design decisions made as well as opportunities to extend the system to support additional technologies.
The Speaker: Dan Cornell
Dan Cornell has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway, RSA Conference and OWASP EU Summit in Portugal.