
Response For:

Request for Information (RFI)

Department of Management Services

Cyber-Security Assessment, Remediation, and Identity Protection,

Monitoring and Restoration Services

Response Due

September 3, 2015

12PM ET

Attention:

Joel Atkinson

Associate Category Manager

4050 Esplanade Way, Suite 360

Tallahassee, FL 32399-0950

Phone: (850) 488-1985

Email: [email protected]

Respectfully Submitted By:

Jan Harris

Denim Group, Ltd.

2700 W. Anderson Lane, Suite 301

Austin, Texas 78751

Direct phone: (210) 237-9262

General Office: (210) 572-4400

[email protected]


Department of Management Services RFI Response

Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services

2 of 20

For State of Florida Department of Management Services RFI

© Denim Group, Ltd., 2015. All Rights Reserved.

Table of Contents

Introduction ...................................................................................................................................... 3

Background ...................................................................................................................................... 5

Denim Group Contact and Organization Information........................................................................ 9

Response to RFI Section IV ........................................................................................................... 10

Addendum A: Denim Group Public Sector Experience Highlights ................................................ 11

Addendum B: Denim Group Security Assessment Methodologies ............................................... 15

Addendum C: ThreadFix™ .......................................................................................................... 18


Introduction

We at Denim Group are pleased to make our services available to help agencies in the State of Florida improve the security state of sensitive data. We are available on the GSA Schedule 70, Contract #GS35F117BA, as well as via the Texas Department of Information Resources Cooperative Purchasing Program DIR-SDD-1850. Denim Group’s core business is cyber security as it applies to the preparation and defense of software and systems.

Software Security and Mobile Application Security

We build, integrate, and secure enterprise-class software. Denim Group helps clients develop secure web applications for Internet-facing, mission-critical systems by assisting them throughout the software development lifecycle. We provide web application security assessments and training, source code remediation, and process improvement consulting for secure application design.

Our application security services run the entire range of the secure software development lifecycle (SDLC), from initial design to application retirement. We specialize in secure application development services, application security testing, threat modeling to identify potential vulnerabilities, and software vulnerability remediation. Our approach includes software assurance program development and implementation. We understand how critical it is that developers understand secure coding practices. We help organizations coordinate and bridge security activities between the security departments that identify issues and the development teams that must fix them. We are nationally recognized because our employees understand cyber security from a software-centric perspective. Our consultants are specially trained to find and remediate vulnerabilities. We have established methodologies for the correct use of software vulnerability identification tools, for software security assessments, and for managing application security projects and reporting. We focus on manual testing to identify issues in the authentication and business logic of an application, because automated tools identify only a portion of known vulnerabilities. We are also leaders in mobile application vulnerability testing and remediation, and we have produced a guide specific to Android versus iPhone mobile security issues and approaches. Leading financial institutions trust us to assess the security of multiple mobile banking application releases every month throughout the year.

Our Core Software Security Services:

• Secure software development

• Application security assessment

• Software vulnerability remediation

• Secure SDLC policy and planning

• Secure architecture consulting

• Secure systems migration, integration, and consolidation solutions

• Mobile and cloud application security testing and remediation

• Application Security training

• Secure mobile application development

Information Security

We complement our extensive web application security competencies with an experienced information security practice which includes services ranging from network penetration testing to IT risk assessments and cyber security remediation.


We help plan, prepare, and document security policies and procedures for compliance and to mitigate an organization’s risk exposure in information technology environments, and we provide leadership to the teams carrying out remediation efforts. Our information security gap analysis and security roadmap services help an organization create a realistic baseline of its current state of risk and map out the logical steps to improving cyber security maturity in the following areas:

• Risk Management

• Countermeasure Principles

• Patch Management, Vulnerabilities and Threats (e.g. cloud computing, aggregation, data flow control)

• Incident Response and Disaster Recovery

• Certification and Accreditation

• Application Environment and Security Controls

• Network Protection

• Network Architecture and Design

• Threats and Vulnerabilities

• Access Control Planning

• Educating and Protecting the User

• Operating Systems and Application Security

• Physical and Hardware-Based Security

• Building Security Policies and Procedures

• Security Administration (Education, Training and Awareness)

• System Development Life Cycle (SDLC)

Our State Agency Experience

For eight years, Denim Group has worked closely with Texas state agencies to address software security, cyber security and remediation. Our public sector engagements have supported application remediation, migration and modernization to help transition systems in association with the statewide data center consolidation. We also built a secure eligibility system for the Texas Department of State Health Services replacing two legacy systems for the Purchased Health Services Unit.

Our most recent highlights include our work helping the Texas Health and Human Services Commission (HHSC) achieve immediate security planning goals in association with Centers for Medicare and Medicaid Services (CMS) requirements and the official authority to connect to federal systems during the subsequent operational phase of the HHSC Texas Integrated Eligibility Redesign System (TIERS) Security Project (2013 and on-going). As a part of this project we have performed application security assessments on eight major TIERS applications, and we are advising and coordinating remediation efforts on these systems as well as on mobile applications in development. The cyber security project included an information security gap analysis and establishing a controls workbook using NIST 800-53 standards. We are currently in the operational phase leading the remediation efforts for TIERS. During our work on the TIERS Security Project we have demonstrated our effectiveness in working in the HHSC environment, with its stakeholders and with the HHSC major vendor partners. In addition, we are currently engaged in the Security Monitoring And Remediation Taskforce, assisting the Texas Health And Human Services (HHS) Enterprise (five agencies) in baselining software security and establishing a long-term software assurance program.


Background

About Denim Group, Ltd.

Denim Group is a top-3 national consultancy in the field of software security as recognized by Gartner, 451 Group, and other national analyst firms. We have successfully delivered large-scale software security projects in Fortune 500, public sector, and Department of Defense environments. Denim Group’s national leadership has focused on contributions to the Open Web Application Security Project (OWASP) and thought leadership and contributions around application security, mobile application security, and software remediation. The release of Denim Group’s Open Source software project, ThreadFix™, in September 2012 (see also Addendum C) garnered industry recognition, and ThreadFix™ is rapidly becoming the industry standard for application security remediation activities. Our focus is to contribute actionable tools and resources rather than to produce high-level concepts and academic offerings.

Denim Group has been recognized as one of the 5,000 fastest-growing companies by Inc. Magazine several years in a row, and has won multiple awards including recent accolades from regional press organizations as one of the best places to work in San Antonio.

Denim Group combines experience in custom large-scale software development projects across multiple platforms, languages and applications with significant core competencies in software and information security. We offer an innovative blend of secure software development, testing, remediation and training capabilities that protect an organization’s most valuable asset: its data.

Denim Group employs full-time, trained and experienced developers who are security experts. Our consultants understand both the IT Security world and application integrated development environments (IDEs), and can help organizations build programs to bridge the gap between identifying security issues and fixing them. Our experts’ working knowledge of the threats and countermeasures encountered in the application security arena, as well as of development strategies that fit into the software development lifecycle, provides the level of expertise needed to develop, assess and remediate application source code. This is why a federal organization such as the Defense Advanced Research Projects Agency (DARPA) engaged Denim Group in 2011 to test the security of a new national test range developed in Orlando, Florida by Lockheed Martin.

Denim Group Principals: Recognized Industry Leaders

Denim Group is particularly skilled in cyber security given the specialized combination of our secure software development and system security experience. Our experience on large-scale projects provides project management and best practices methodology for successful completion of client projects within timeline and budget constraints.

Denim Group, Ltd. is completely self-financed and profitable since its inception. The management team at Denim Group has over forty years’ experience in large-scale software development projects and information security for Fortune 500, government and international clients. This depth and breadth of experience has allowed Denim Group to successfully provide solutions for a variety of enterprise clients.

Sheridan Chambers was recognized as the 2011 Best CFO at a small private company from the San Antonio Business Journal. Due in large part to Sheridan's careful attention to operations and finances, Denim Group has celebrated 14 years as a successful business. Sheridan helps the company continuously improve processes to make sure projects stay on time and on budget. He has twice been recognized by the San Antonio Business Journal as a top entrepreneur.


Dan Cornell is a recognized expert in application security for SearchSoftwareQuality.com, has been quoted as an expert in SC Magazine and speaks at top national and international IT security conferences on web application security. Dan is currently the Membership Chair on the board of OWASP (Open Web Application Security Project) Global Membership Committee and co-lead of the OWASP Open Review Project as well as the OWASP San Antonio Chapter President. As Denim Group’s Chief Technology Officer, he leads the company’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.

John Dickson is a Principal at Denim Group, Ltd. and a Certified Information Systems Security Professional (CISSP), whose technical background includes network security, intrusion detection systems, and software security. Dickson is a former U.S. Air Force officer who specialized in network defense and command and control. He is a Distinguished Fellow of the Information Systems Security Association (ISSA), serves on the Founders Board for the Institute for Cyber Security at the University of Texas at San Antonio, and the Texas Business Leadership Council for which he was Chair in 2013.

Security Community Open Source Contribution

ThreadFix™

In 2012, Denim Group released ThreadFix™, a freely-available application vulnerability management platform that aggregates data from both commercial and open source application security scanners. In 2014, we launched a supported commercial version of ThreadFix.

ThreadFix™ will allow an organization to:

• Import and consolidate application-level vulnerabilities

• Automatically generate virtual patches

• Monitor software attack attempts

• Communicate with defect tracking systems

• Evaluate software development team maturity

• Discuss software security trends with executives and management

The release of ThreadFix™ is the third in a line of tools developed and released to the IT security community at large to benefit software security goals. (See also: Sprajax and Pandemobium.)

Freely Available Resources

Denim Group produces helpful resources, guides, and articles which we make freely available on our web site at www.denimgroup.com.

Some examples include:

• Remediation Resource Center: www.denimgroup.com/remediation

• Denim Group Blogposts: http://blog.denimgroup.com/


• Secure Mobile Development Reference: http://www.denimgroup.com/media/pdfs/MobileDevReference.pdf

• How To Guide for Software Security Vulnerability Remediation: http://www.denimgroup.com/howtoguide_download_register.html

• 6 Critical Questions to Ask Vendors to Ensure IT Project Success: http://www.denimgroup.com/know_artic_dickson3.html

• An Introduction to ASP.Net 2.0 Security: http://www.denimgroup.com/know_artic_cornell1.html

Public Speaking and Community Representation

Denim Group Principals and Directors are in demand to speak at important State, local, and national conferences. We present current topics supporting leadership in software security, secure software architecture, Payment Card Industry (PCI) issues, and secure application modernization and transformation topics. Members of Denim Group’s Management Team actively participate in the Texas Chief Information Security Officer Council, the San Antonio Security Leaders’ Forum and the National Collegiate Cyber Defense Competition.

OpenSAMM Benchmarking Improvement Project

Denim Group is a contributing member of the Open Software Assurance Maturity Model (OpenSAMM) consortium and active in preparing the industry’s first publicly available, anonymized software security benchmarking data that enables organizations to steadily improve their software security posture over time. The easy-to-use assessment provides flexible datasets that can be customized by organization demographics, including sector, development and cultural profile, resulting in pragmatic milestones towards reducing overall security risk. The expanded access to these datasets makes OpenSAMM available to a larger number of organizations, who previously weren’t able to apply valuable benchmarking data to their particular case. Each of the practical, constructive benchmarks within the framework was derived from best practices of leading application security firms.

Denim Group Clients

Denim Group has broad industry expertise. Our customers span an international client base of commercial and public sector organizations across the financial services, banking, insurance, state and local government, education, healthcare and defense industries to name a few. Denim Group also has strong competencies working with other industries including entertainment, retail and online commerce, construction, energy, high tech, and marketing/creative. We are able to expose our public service clients to innovations stemming from the commercial sector and share our extensive background and experience solving some of today’s most complex security challenges. Denim Group’s public sector experience includes state and local organizations, particularly in healthcare, and educational institutions for both university and K-12.

A Trained and Trusted Workforce

Unlike many IT security and secure development services companies who regularly use contract labor, Denim Group teams are W2 employees. Having a tight core team allows Denim Group to invest in training and certifications resulting in unparalleled performance and consistency of execution. Additionally, every employee of Denim Group undergoes thorough background checks that cover criminal, lawsuit and credit history. Some of our employees are also military veterans who have held the highest government security clearances. Denim Group consultants provide a valuable perspective through their working knowledge of the threats and countermeasures encountered in the application security and information security (cyber security) arena. Delivering software maturity assessments and system information security assessments demands mature consultants with extensive knowledge in risk areas of information systems. Denim Group’s team excels in these areas from their years of experience.

Mature Project Methodologies

Denim Group has rigorously developed its project methodologies and internal training programs. This enables us to deliver a high degree of accuracy in our ability to scope, propose, and deliver projects, and meet or reduce projected timelines.


Denim Group Contact and Contract Information

Organization Name: Denim Group, Ltd.

Corporate Address: 1354 North Loop 1604 E, Suite 110, San Antonio, Texas 78232

Type of ownership: Limited Partnership

Federal Tax Identification Number: 26-0014383

DUNS: 141935457

Contract Signatory: Sheridan Chambers, Manager of the General Partner; [email protected]; Office: (210) 572-4400

RFP / RFI Contact: Jan Harris, Business Development Manager (Public Sector); [email protected]; Direct: (210) 237-9262; FAX: (210) 572-4401

GSA Schedule 70: Contract #GS35F117BA

Texas Department of Information Resources (DIR) Cooperative Purchasing Program: DIR-SDD-1850


Response to RFI Section IV

Denim Group can make the following services available to the State of Florida:

Pre-Incident Services:

a) Incident Response Agreements – Terms and conditions in place ahead of time to allow for quicker response in the event of a cyber-security incident.

b) Assessments – Evaluate a State Agency’s current state of information security and cyber-security incident response capability.

c) Preparation – Provide guidance on requirements and best practices.

d) Developing Cyber-Security Incident Response Plans – Develop or assist in development of written State Agency plans for incident response in the event of a cyber-security incident.

e) Training – Provide training for State Agency staff from basic user awareness to technical education.

Post-Incident Services:

d) Mitigation Plans – Assist State Agency staff in development of mitigation plans based on investigation and incident response. Assist State Agency staff with incident mitigation activities.


Addendum A: Denim Group Public Sector Experience Highlights

Texas Department of State Health Services

2008 CCJ-Vendor Update-USAS-1099 Applications and Databases Secure Application Development and Data Migration and Remediation

Activities and Tasks included:

• Discovery, project envisioning and migration plan

• Target architecture design

• Data migration and remediation

• Quality assurance for migrated applications

• Federal and State accessibility requirements identification and compliance

• Documentation

2008 IMMSTAT (CHRS) and CSHIP Discovery, Secure Migration and Remediation

Activities and Tasks included:

• Transition plan

• Target architecture design

• Application migration services

• Quality assurance for migrated applications

• Federal and State accessibility requirements identification and compliance

• Deployment and support services

• Documentation

2009 IMMBILL and RHS / Eshare Discovery, Secure Migration and Remediation

Activities and Tasks included:

• Transition plan

• Target architecture design

• Application migration services

• Quality assurance for migrated applications

• Federal and State accessibility requirements identification and compliance

• Deployment and support services

• Documentation

2011 Texas Cancer Registry SANDCRAB – CDC RegistryPlus Secure Application Migration

Activities and Tasks included:

• SANDCRAB application review and gap analysis of CDC RegistryPlus suite

• Review of previous migration plans and information security standards for handling registry information


• Compilation of migration options to meet available timeline

• Compilation of migration plan for TCR to RegistryPlus which will comply with applicable standards

• Secure migration and deployment support activities

2011 Health Registries Improvement (HRI) Project. Registries: EMS/Trauma, Healthcare Associated Infections, Birth Defects, Lead (Maven web applications).

Performed Security Assessments, Documentation, Training, and Managed Security Services.

Activities and Tasks included:

• Security risk assessments

• Supporting Documentation Development

• Remediation planning and remediation

• Application evaluation

• Description of business function

• System categorization and hardware/software support system identification

• Data classification

• Level of sensitivity and risk for confidentiality

• Evaluate mission criticality risk of data and IT support system

• Interdependencies and interconnections with other systems

• Threats to each registry system

• System specific training for users and application developers

• Identify vulnerabilities & threats to the registry system by conducting a network security assessment

• Review adherence to policies, best practices and standards by conducting an information security gap analysis and policy review in comparison with:

• DSHS Information Security Standards and Guidelines

• TAC 202

• HHS Enterprise Information Security Policy Standards and Guidelines

• Information Security Assessment, Awareness and Compliance (ISAAC)

• Assess and rate the application security of DSHS registry systems against industry standard vulnerabilities via a dynamic application security assessment

• Additional Managed Security Services

• Application security assessments

• Application security instructor led training

• Application secure code development training

• Application security architecture and implementation consulting

Secretary of State for the State of Texas

2009 TEAM (Texas Election Administration and Management) – a third party vendor procurement; System Security Remediation and Enhancement Development

Activities and Tasks included:


• Requirements gathering, analysis, and prioritization

• Architecture design and planning

• Feature development

• Vulnerability remediation

• Documentation and project management

• Knowledge transfer and training

2009 TASP (Texas Academic Skills Program) Secure Application Development and Remediation Consulting.

Activities and Tasks included:

• Discovery

• Testing

• Remediation

Office of the Attorney General, Child Support Division

2013 Application Security Instructor Led Training

Six Courses delivered for up to 35 participants between January and May 2013.

Courses Delivered:

1. Introduction to Application Security

2. Advanced Web App Security for Java

3. Software Security Remediation: Managing Vulnerability Remediation

4. Secure SDLC: How to Build Security into your Software Development Lifecycle

5. Designing, Building, and Testing Secure Applications on Mobile Devices

Education Service Center (ESC) Region 20

(Note: Region 20 has employed Denim Group secure development and security consulting services since 2002 across numerous projects. Below is one more recent example.)

2011 TxEIS J2EE Conversion (September 2010 to August 2011)

Assisted with the conversion and secure development work needed for the J2EE TxEIS product and other projects. Provided secure software development and other consulting services as requested.

Activities and Tasks included:

• Requirements gathering and analysis for Agile development initiative

• Secure architecture and planning

• Secure application development

• Deployment and support


• Documentation

• Setup of development and test framework

• Project Management

• Knowledge transfer and training

Health And Human Services Commission / Texas Integrated Eligibility Redesign System (TIERS)

2013-16 Health & Human Services TIERS Security Project

Associated with the Health and Human Services Commission (HHSC) Enhanced Eligibility Systems Modernization Program, HHSC and the Centers for Medicare & Medicaid Services (CMS) completed an Architecture Review and Project Baseline Review stage gate on April 25, 2012. During this review, CMS requested a number of security deliverables. In response, HHSC prepared the TIERS Security Controls Catalog and a template for the TIERS System Security Plan. HHSC also committed to perform an application and infrastructure security assessment.

Activities completed and ongoing include:

• Complete development of the TIERS System Security Plan and provide a security assessment by:

o Preparing additional documentation necessary to complete and execute the TIERS System Security Plan and Controls Catalog.

o Assessing the current status of application and infrastructure security controls against the TIERS System Security Plan.

o Supporting corrective actions to address any identified gaps in the security controls, working with HHSC stakeholders and vendors.

o Supporting the enhancement of the TIERS Software Development Life Cycle (SDLC) to address security requirements.

• Address and remediate a majority of open audit findings related to TIERS security and assist HHSC to re-establish the authority to connect to federal systems.

• Application security testing of the 8 major TIERS applications.

• Advise and coordinate remediation efforts for vulnerabilities identified in the TIERS application security testing results, working with TIERS stakeholders and vendors.

• TIERS Security Architecture Review.

• Application Security Training (OWASP Top Ten and advanced secure coding).

• Mobile application security testing, as well as advising and coordinating software vulnerability remediation on the mobile applications.


Addendum B: Denim Group Security Assessment Methodologies

Denim Group Approach to Application Security Assessments

Denim Group offers combined static and targeted dynamic security assessment services to clients that want to understand the security state of an application. We use a variety of tools and manual testing approaches to characterize how the application responds to manual and automated attacks.

Application security assessments commence with a static analysis of the application source code, consisting of automated code scanning and manual review. This portion of the assessment identifies and enumerates coding flaws in the application and informs remediation feedback for the development team about where and how flaws exist in the code, as well as development-level strategies for remediation.

After the completion of the static portion of the security assessment, Denim Group performs a targeted dynamic assessment of the application. Dynamic tests help identify flaws in application logic and data flow. The dynamic portion of the testing requires credentials for specific application roles and includes tests to determine whether authorized users can elevate their access and privileges.

Assessment engagements conclude with a final written report as well as a technical debrief with key stakeholders. Denim Group’s final written deliverable includes an executive summary, vulnerability observations, and remediation recommendations to address the security state of the application. Denim Group proposes remediation strategies to help the customer develop a remediation plan that addresses the vulnerabilities observed during the assessment.

The emerging industry standard defined by the Open Web Application Security Project (OWASP) provides a basis for Denim Group’s assessment methodology, which captures the major classes of web application vulnerabilities that might exist in the application. Once identified, vulnerabilities are assigned a classification and rating that clarifies their respective type and severity for remediation.

Denim Group’s deliverables include an Observations and Recommended Remediation Report containing the following: risk ranking, explanation of findings, suggested remediation strategies, and recommendations addressing strategies for the execution of secure application development remediation.

Denim Group’s Approach to Project Management

Our team employs a project management approach developed by Denim Group. Our team separates project management into two areas of responsibility. There is a project manager responsible for resourcing, accounting, time tracking, timeline adherence, client communication, and the general business aspects of project success. The project technical lead works alongside the project manager to maintain a high level of technical quality and provide technical guidance to our delivery team. In addition to the primary project management team, our methodology includes the internal support of subject matter experts for application and network security oversight, as well as technical architecture and scalability oversight.

This layered project management approach allows our team to benefit from the communal expertise of the company, as opposed to relying too heavily on the skills of one or two project team members. It also provides a larger pool of individuals familiar with the project, which helps to mitigate schedule interruptions.


Using this project methodology, Denim Group has delivered hundreds of successful projects over many years, ranging from weeks-long application security assessments to enterprise information security assessments to greenfield customer secure application development across multiple years.

Denim Group Approach to Threat Modeling

Denim Group identifies the likely threat agents and vulnerable components associated with the specific application. Denim Group works with the customer team to produce a holistic view of the system and uses this view to create a structured approach to enumerating possible areas of weakness. The result is a dataflow diagram, a list of identified threats, detailed countermeasures for these threats, and any areas where additional security measures should be considered.

Major tasks include: interviews with client subject-matter experts; reviews of specifications, schemas, and design documentation; compilation of data flows and attacker profiles; and attack planning.

• OWASP Application Security Verification Standard (See also: https://www.owasp.org/images/a/a0/Wichers_-_About_OWASP_ASVS_Web_Edition_v2.pdf)

• OWASP Testing Guides

• OWASP Web Application Security Testing Cheat Sheet

• OWASP Black Box Testing

• Microsoft STRIDE Rating Model http://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx

• DREAD Risk Assessment Model http://en.wikipedia.org/wiki/DREAD:_Risk_assessment_model

• NIST SP800-53 Revision 3 Controls Standards: Guide for Assessing the Security Controls in Federal Information Systems and Organizations – Building Effective Security Assessment Plans.
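As an added example, not Denim Group's own methodology or tooling: the STRIDE enumeration and DREAD ranking referenced above, applied to a small constructed dataflow (a citizen browser, an eligibility web app and a case database). The element types, trust zones, the STRIDE-per-element mapping and the analyst ratings are all assumptions of this example; it enumerates threats per element, models only flows that cross a trust boundary, and ranks rated threats while keeping unrated ones visible as gaps.

```python
from dataclasses import dataclass

# STRIDE categories that apply to each dataflow-diagram element type
# (a simplified STRIDE-per-element mapping; an assumption of this example).
STRIDE_BY_ELEMENT = {"external": "SR", "process": "STRIDE",
                     "datastore": "TRID", "dataflow": "TID"}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | datastore
    zone: str   # trust zone, e.g. internet / dmz / internal


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element


def enumerate_threats(elements, flows):
    """STRIDE per element: every element gets the categories for its kind;
    a data flow is modeled only when it crosses a trust boundary."""
    threats = [(e.name, s) for e in elements for s in STRIDE_BY_ELEMENT[e.kind]]
    for f in flows:
        if f.src.zone != f.dst.zone:
            threats += [(f.name, s) for s in STRIDE_BY_ELEMENT["dataflow"]]
    return threats


def dread_score(damage, reproducibility, exploitability, affected, discoverability):
    """DREAD risk = mean of the five ratings, each on a 1..10 scale."""
    ratings = (damage, reproducibility, exploitability, affected, discoverability)
    if any(not 1 <= r <= 10 for r in ratings):
        raise ValueError("DREAD ratings must be in 1..10")
    return sum(ratings) / 5


def rank_threats(threats, ratings):
    """Sort threats by DREAD score, highest first; threats the analyst has not
    yet rated sort last with score None so the gap in coverage stays visible."""
    scored = [(dread_score(*ratings[t]) if t in ratings else None,
               t[0], STRIDE_NAMES[t[1]]) for t in threats]
    return sorted(scored, key=lambda x: (x[0] is None, -(x[0] or 0), x[1], x[2]))


# Constructed dataflow for a benefits-eligibility web application (sample data).
citizen = Element("citizen browser", "external", "internet")
portal = Element("eligibility web app", "process", "dmz")
cases = Element("case database", "datastore", "internal")
ELEMENTS = [citizen, portal, cases]
FLOWS = [Flow("application form submit", citizen, portal),
         Flow("case lookup query", portal, cases)]

# Constructed analyst ratings (D, R, E, A, D) for four of the enumerated threats.
RATINGS = {("eligibility web app", "E"): (9, 7, 6, 9, 5),
           ("application form submit", "T"): (7, 8, 8, 5, 7),
           ("citizen browser", "S"): (5, 9, 9, 4, 7),
           ("case database", "I"): (10, 5, 4, 10, 3)}

if __name__ == "__main__":
    for score, element, threat in rank_threats(enumerate_threats(ELEMENTS, FLOWS), RATINGS):
        print(f"{'unrated' if score is None else score:>8}  {element}: {threat}")
```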

Denim Group Use of Standards

OWASP OpenSAMM http://www.opensamm.org

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:

• Evaluating an organization’s existing software security practices

• Building a balanced software security program in well-defined iterations

• Demonstrating and measuring security-related activities within an organization

SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development. Additionally, this model can be applied organization-wide, for a single line of business, or even for an individual project. As an open project, SAMM content shall always remain vendor-neutral and freely available for all to use.

OWASP Application Security Verification Standard (ASVS) https://www.owasp.org/index.php/ASVS

The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind:

• Use as a metric - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications,

• Use as guidance - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and

• Use during procurement - Provide a basis for specifying application security verification requirements in contracts.


Addendum C: ThreadFix™

ThreadFix Community Edition is an open source vulnerability management platform that substantially accelerates the process of resolving application-level vulnerabilities. ThreadFix aggregates vulnerability test results from disparate static and dynamic scanning tools, as well as the results of manual penetration testing, code review and threat modeling, to create a single comprehensive view of the security status of all applications within an organization. With ThreadFix, the reporting, prioritization and remediation of an organization’s application security vulnerabilities are centralized in a single location, significantly easing communications between the application development and security teams. This centralization enables security analysts and development managers to make better-informed remediation decisions. ThreadFix is designed to give security practitioners the ability to understand the security of their applications and efficiently conduct remediation. See also: http://www.slideshare.net/denimgroup/threadfix-22-preview-webinar-with-dan-cornell

ThreadFix ingests results from multiple automated scanning solutions and third party assessment platforms, organizes the information, and communicates a clear picture of the security state of your applications to both the security and the development teams, leveraging the tools they are already using.

ThreadFix is an application vulnerability management platform that provides a window into the state of application security programs for organizations that build software. The platform helps to bridge the gap between security and software development teams by aggregating vulnerability test results from static and dynamic application security scanning tools. ThreadFix also imports the results of manual penetration testing, code reviews and threat modeling to provide a comprehensive view of software security for an organization. Once a unified list of security vulnerabilities has been created, ThreadFix allows application security managers to further prioritize discovered vulnerabilities via a centralized dashboard. As the development team resolves defects, status updates are synchronized within ThreadFix, enabling the security team to schedule follow-up testing to confirm that security holes have indeed been closed. ThreadFix also auto-generates application firewall rules to block application attacks while remediation efforts occur. ThreadFix empowers managers with vulnerability trending reports that demonstrate software security progress over time.

ThreadFix Features and Benefits

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Simplified View of Application Test Results

Consolidate and de-duplicate imported results from open source and commercial dynamic and static scanning tools, as well as the results of manual testing and threat modeling, to get a complete view of the state of your applications.
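As an added example, not ThreadFix's own code or data model: the consolidate-and-de-duplicate step described above, run over constructed findings from a static scanner, a dynamic scanner and a manual test, followed by the defect-tracker status sync and follow-up retest that the platform description mentions. The route table mapping source files to URL paths, the (CWE, path, parameter) merge key, the tool names and the status names are all assumptions of this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Finding:
    tool: str        # scanner or assessment that produced it
    cwe: int         # weakness class reported (CWE id)
    location: str    # source file (static) or URL (dynamic / manual)
    parameter: str   # vulnerable input name
    severity: int    # 1 (low) .. 5 (critical), as rated by the source

@dataclass
class Vulnerability:
    cwe: int
    path: str
    parameter: str
    severity: int
    sources: set = field(default_factory=set)
    status: str = "open"   # open -> verified | reopened, decided at retest

# Constructed route table: static-analysis source file -> URL path it serves,
# so a static and a dynamic finding on the same input can be merged.
ROUTES = {"src/main/java/SearchServlet.java": "/search",
          "src/main/java/FileDownload.java": "/download"}

def normalize_path(location, routes=ROUTES):
    """Reduce a URL or a mapped source file to a comparable URL path."""
    if location in routes:
        return routes[location]
    if "://" not in location and not location.startswith("/"):
        return location   # unmapped source file: kept as-is, will not merge
    return urlsplit(location).path.lower().rstrip("/") or "/"

def dedup_key(f):
    return (f.cwe, normalize_path(f.location), f.parameter.lower())

def aggregate(findings):
    """Merge findings into one list keyed on (CWE, path, parameter);
    the severity kept is the highest any source assigned."""
    vulns = {}
    for f in findings:
        k = dedup_key(f)
        v = vulns.setdefault(k, Vulnerability(f.cwe, k[1], f.parameter, f.severity))
        v.severity = max(v.severity, f.severity)
        v.sources.add(f.tool)
    return vulns

def retest(vulns, resolved_keys, rescan_findings):
    """resolved_keys come from the defect-tracker sync; a resolved issue absent
    from the follow-up scan is verified, one that is still present is reopened."""
    still_present = {dedup_key(f) for f in rescan_findings}
    for k in resolved_keys:
        vulns[k].status = "reopened" if k in still_present else "verified"
    return vulns

# Constructed findings: one XSS seen by both static and dynamic tools, one SQL
# injection seen by a dynamic tool and a manual tester, and one static-only hit.
SAMPLE = [Finding("sast-scanner", 79, "src/main/java/SearchServlet.java", "q", 4),
          Finding("dast-scanner", 79, "https://portal.example.gov/search?q=test", "q", 3),
          Finding("dast-scanner", 89, "https://portal.example.gov/cases/lookup/", "caseId", 5),
          Finding("manual-pentest", 89, "/cases/lookup", "caseid", 5),
          Finding("sast-scanner", 22, "src/main/java/FileDownload.java", "name", 4)]

if __name__ == "__main__":
    vulns = aggregate(SAMPLE)   # 5 findings -> 3 vulnerabilities
    retest(vulns, [(79, "/search", "q")],   # developer closed the XSS defect
           [Finding("dast-scanner", 89, "https://portal.example.gov/cases/lookup", "caseId", 5)])
    for v in sorted(vulns.values(), key=lambda v: -v.severity):
        print(f"CWE-{v.cwe} {v.path} {v.parameter} sev={v.severity} {v.status} {sorted(v.sources)}")
```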

Reports

Get the latest security status of your applications while providing an eagle’s-eye view of your organization’s progress over time to pinpoint any process problems.

Defect Tracker Integration


Help security professionals translate application vulnerabilities into software defects and push tasks to developers in the tools and systems they are already using. A list of currently supported defect trackers is available on the ThreadFix website: http://www.threadfix.org/product-tour/integrations/

Virtual Patching

Create virtual Web Application Firewall (WAF) rules to help block malicious traffic while vulnerabilities are being resolved. While your organization takes on remediation of your applications, virtual patching helps guard against common vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection.

Compatible with Open Source and Commercial Products

ThreadFix is compatible with a number of commercial and freely available dynamic and static scanning technologies, SaaS testing platforms, IDS/IPS and WAFs, and defect trackers.

Why ThreadFix?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ThreadFix benefits from Denim Group’s extensive secure development background. By leveraging widespread knowledge of both security and software development, Denim Group has created a product that is accessible to professionals from both worlds. ThreadFix translates, de-duplicates and consolidates results from multiple sources (dynamic and static scanning, manual testing and threat modeling), resulting in a simplified and prioritized list of software defects that accelerates software remediation efforts. By streamlining the workflow between the security and software development teams, ThreadFix helps you accelerate software vulnerability remediation.

ThreadFix Enterprise Edition Licensing

ThreadFix Enterprise Edition includes enhanced features above and beyond what is available in the Community Edition. Enterprise Edition features include LDAP (Lightweight Directory Access Protocol) and AD (Active Directory) integration, and role-based access control to ensure that applications under development can only be accessed by the specific developers assigned to that application. Scan Orchestration enables multiple team members to test multiple applications on an automated basis. ThreadFix Enterprise also offers enhanced vulnerability reporting to help corporate applications remain in compliance. ThreadFix Enterprise also includes unlimited phone and email product support, available Monday through Friday from 8 am CST to 5 pm CST.

ThreadFix Kickstart Plus Integration Program

Finding time and committing resources to learning and implementing a new technology can be challenging. For this reason, Denim Group has created a ThreadFix Kickstart program.

The ThreadFix Kickstart Plus program expedites the setup and configuration of ThreadFix within your organization. Kickstart Plus adds additional implementation time to work with your application security team to integrate additional applications, scan agents and defect trackers. This engagement is customized to meet your needs. At the end of the engagement, you will be left with a fully functional deployment of ThreadFix.

Typical Kickstart Activities and Deliverables:

• Provide ThreadFix questionnaire and capture implementation requirements

• Build project schedule and success criteria for up to 2 applications

• Conduct interviews with SMEs onsite

• Prepare ThreadFix for installation in the environment

• Onsite kickoff meeting with stakeholders


• ThreadFix installation and configuration

• LDAP/Active Directory integration

• Configure user roles and responsibilities for up to 10 users

• Scan agent configuration for up to 2 scan agents

• Test import and integration of app sec tool results between tools and over time (up to 3 supported tools)

• Test integration with software defect tracker and WAF (1 supported tracker and 1 supported WAF/IDS/IPS)

• Import historical app sec tool output files (up to 6 historical output files)

• Vulnerability lifecycle testing, demonstration and out-brief

• Deliver report: summary, vulnerability lifecycle guidance, recommended next steps.