Alan Weinkrantz’s Stream of Life

www.alanweinkrantz.com 

 

State-wide PBS Stations to Broadcast Texas Lyceum’s Recent Great Debate - “Our Growing Lives Online; Safe or Not” #TexasLyceumSA

Last weekend, client John Dickson, Denim Group Principal, acted as Conference Chair for the Texas Lyceum’s first quarterly meeting of 2010 (#TexasLyceumSA).

 

Starting this Thursday, regional PBS stations in Texas will air the Great Debate. It’s great to see the issue of Cyber Security being brought to the mainstream and out of the techie world. Thought leaders like John Dickson are contributing to the conversation. You can follow John on Twitter.

Air times for the broadcast are as follows:

Amarillo > KACV > Thursday, February 18 at 8:00 p.m.

Austin > KLRU > Thursday, February 18 at 8:00 p.m.

Corpus Christi > KEDT > Thursday, February 18 at 7:00 p.m.

El Paso > KCOS > Sunday, February 21 at 1:00 p.m.

Killeen > KNCT > will air it in April

Houston > KUHT > Sunday, February 21 at 4:00 p.m.

Lubbock > KTXT > Sunday, February 21 at 1:00 p.m.

Midland/Odessa > KPBT > Thursday, February 18 at 8 p.m.

San Antonio > KLRN > Thursday, Feb. 18 at 8:00 p.m.

Waco > KWBU > Sunday, February 21 at 1:30 p.m.

 

Filed under  //   Cyber Security San Antonio   John Dickson   San Antonio Social Media   Texas Lyceum

San Antonio Mayor, Julian Castro, Welcomes Attendees to this weekend's Texas Lyceum

The Texas Lyceum convenes its first quarterly meeting of 2010 in San Antonio this weekend to tackle the sensitive topic of risks associated with our connected lives.  If you are attending, please make sure to use #TexasLyceumSA for the Twitter hashtag.

Here's San Antonio Mayor, Julian Castro's commentary...

Filed under  //   #TexasLyceumSA   Cyber Security Advisor   Cyber Security San Antonio   Howard Schmidt   John Dickson   Julian Castro   San Antonio Mayor   Texas Lyceum

Texas Lyceum's “Our Growing Lives Online: Safe or Not?” - San Antonio Feb 5 / 6 - The Great Debate

The Texas Lyceum convenes its first quarterly meeting of 2010 in San Antonio to tackle the sensitive topic of risks associated with our connected lives.

The weekend will explore the risks we incur by having much of our information available and potentially vulnerable on the Internet. Be it social media, online banking or buying something on eBay, hackers are increasingly able to piece together information from disparate sources to put our reputation, finances, and identities at risk.

The centerpiece for the weekend will be the first public debate of the Lyceum’s 2010 “Great Debate” series. The debate, to be televised statewide via public television, will tackle the thorny issue of whether existing laws and technologies adequately protect our data and identities in an online world.

Panelists will represent opposing viewpoints in this debate – hackers and privacy advocates who will argue these protections are inadequate, and security leaders and government leaders who will argue that laws and technologies are closing the gap.

The weekend will include interactive and team activities to help Lyceum Directors better understand how these privacy and security risks affect their day-to-day lives. An intended goal of the weekend will be to raise the level of awareness for Lyceum Directors regarding public policy involving online security and privacy.

The backdrop of the conference will be San Antonio and its growing cyber security industry. Acknowledging that San Antonio is becoming an emerging center of computer security activity, the United States Air Force is currently locating its 24th Air Force Cyber Command at the city’s Lackland AFB.

Click here for the weekend agenda.

Members of the media, industry analysts and bloggers covering security and privacy issues, please contact me - alan at weinkrantz dot com for more information.

Filed under  //   Application Security   Cyber Command San Antonio   Cyber Security Advisor   Denim Group   Howard Schmidt   John Dickson   Security San Antonio   Texas Lyceum

Cyber Security @ Texas Lyceum's “Our Growing Lives Online: Safe or Not?” - San Antonio Feb 5 / 6

The Texas Lyceum convenes its first quarterly meeting of 2010 in San Antonio to tackle the sensitive topic of risks associated with our connected lives. If you are a member of the media, a blogger or industry analyst covering security, contact me - alan at weinkrantz dot com for press credentials.

Titled “Our Growing Lives Online: Safe or Not?” the weekend will explore the risks we incur by having much of our information available and potentially vulnerable on the Internet. Be it social media, online banking, or buying something on eBay, increasingly hackers are able to piece together information from disparate sources to put our reputation, finances, and identities at risk.

The centerpiece for the weekend will be the first public debate of the Lyceum’s 2010 “Great Debate” series. 

The debate, to be televised statewide via public television, will tackle the thorny issue of whether existing laws and technologies adequately protect our data and identities in an online world.  Panelists will represent opposing viewpoints in this debate – hackers and privacy advocates who will argue these protections are inadequate, and security leaders and government leaders who will argue that laws and technologies are closing the gap. 

The Great Debate is Friday, February 5th from 4:00 p.m. – 6:00 p.m. at the Charline McCombs Empire Theater. The event is open to the public for $20 and one can register at www.texaslyceum.org.

 

Filed under  //   Cyber Security San Antonio   John Dickson   San Antonio Cyber City   Texas Lyceum

Client, Denim Group, Provides Guidance on Application Security Trends for 2010

Client, Denim Group, an IT consultancy and strong contributor to the larger application security community, has just announced that it foresees shifts in the application security landscape this year. As a trusted advisor to many Fortune 500 and large public sector organizations, the firm has just announced its guidance on the top application security trends for 2010.

eWeek broke the story earlier.  You may view the release on Yahoo Finance here.

Filed under  //   Application Security   Dan Cornell   Denim Group   Internet Security   John Dickson   Network Security

Client, Denim Group, Advises Utility Companies to Plan for Security Threats to Smart Grid Technologies - Yahoo! Finance

SAN ANTONIO--(BUSINESS WIRE)--Denim Group, an IT consultancy that develops secure software and helps organizations assess and mitigate risks with their existing software, is advising utility companies of significant security and privacy risks as they transition to smart grid technologies. With advanced meters and smart grid technologies being deployed, Internet attacks, malware, and privacy breaches have become a bigger risk if the appropriate defenses are not engineered into the system from inception. Far-reaching scenarios involving power to homes being shut down were once remote but have now become feasible.

 

“It will be difficult to put the genie back in the bottle when smart grid technologies are deployed,” said John Dickson, Principal of Denim Group. “Advanced meters are Internet-based network computing devices, with many of the inherent security challenges of traditional network security. There are significant security and privacy implications that we hope are being taken into consideration - protecting these systems shouldn’t be an afterthought. While the cost of prevention is low, the cost of remediation can be extraordinary. The principles we’ve learned from designing and building secure systems and software apply to these smart grid technologies as well and should be rigorously followed.”

“Public Utility Commissions have the unique opportunity to determine the security and integrity of the security metering system,” added Ravi Sandhu, Executive Director of The University of Texas at San Antonio’s Institute for Cyber Security. “Historically, the stand-alone, proprietary nature of the mechanical metering system provided a level of security but limited options for expanded utility and flexibility. Networking these systems requires all parties to re-think the security impact on closed networks and their ecosystems. The integrity of the system network must be maintained and the privacy of the consumers’ data must remain confidential.”

Dickson advises utility companies to consider the following key strategies when deploying smart grid technologies. Dickson has also testified at the Texas Public Utilities Commission on public grid policies.

 

  1. Don’t take on blind faith what hardware vendors communicate about the security of their devices. Ask smart grid technologies suppliers rigorous questions about what 3rd party testing they’ve done.
  2. Build an architecture that implements a defense in depth strategy. Avoid classic single point of failure design flaws that create a “crunchy on the outside, chewy on the inside” security model.
  3. Trust, but verify. Conduct rigorous, recurring 3rd party audits. These audits should follow an agreed-upon format, and focus on the smart grid system from the perspective of an attacker. Testing should be driven for purely compliance purposes, and should emphasize technical aspects throughout. Finally, as technology evolves, ensure that auditing evolves with it.
  4. Conduct detailed threat modeling when new functionality is added to the system. Threat models should provide system designers feedback to build more secure systems.
  5. Understand the impact of who can access these systems, such as administrators, auditors, producers, and customers and precisely what access they have. Put technical controls in place to ensure that these different players cannot access each other's private data.

 

Denim Group is currently working with several public and private initiatives to help certain utility companies address and mitigate vulnerability issues associated with smart grid and other technologies, and has performed assessments of numerous public utilities. Service providers are encouraged to implement the recommendations as early in the design process as possible to have a great effect on the security of the smart grid.

About Denim Group

Denim Group develops secure software, helps organizations assess and mitigate risk with existing software, and provides training on best practices in software security. Denim Group has worked with a range of Fortune 500 companies and public sector organizations, bringing a focused software development approach to the world of software security. The Company provides clients with secure .NET and Java development services and remediates serious software flaws in existing application portfolios. Denim Group also identifies vulnerabilities and quantifies risks that vulnerable applications represent through assessments, code reviews, and application-focused penetration testing. Training complements Denim Group’s development and testing services by helping organizations build an internal competency in secure software development and testing through a combined classroom instruction and e-Learning approach.

Denim Group is a strong contributor to the larger application security community, and has been involved with the Open Web Application Security Project (OWASP) since shortly after its inception. Additionally, Denim Group was ranked 1101 in Inc. Magazine's 5000 Fastest-Growing Private Companies in America in 2008.

Reader Contact Information:

Denim Group, 3463 Magic Drive, Suite 315; San Antonio, TX 78229, Tel: 210-572-4400, Fax: 210-572-4401, www.denimgroup.com, john@denimgroup.com.

 

 

Contact:

Agency Contact:
Alan Weinkrantz, 210-820-3070
alan@weinkrantz.com
or
Denim Group Contact:
John Dickson, 210-572-4400
john@denimgroup.com

 

Filed under  //   Alan Weinkrantz   Application Development   Denim Group   John Dickson   Smart Grid

Journalists, Industry Analysts, Bloggers....need topical experts for Application Security? Follow client, @danielcornell and @johnbdickson / Denim Group

Members of the media, industry analysts, and bloggers - if you need topical expertise on Application Security, Software Security and issues critical to assessing and mitigating risks with existing software, please reach out to me at alan at weinkrantz dot com. I'll connect you with client, Denim Group.

Follow Denim Group Principals - @danielcornell and @johnbdickson on twitter.

graphic done using Wordle.net



Filed under  //   Application Security   Dan Cornell   Denim Group   John Dickson   Secure Software

Client, Denim Group, Featured on Building43 Interview with @scobleizer

Here are client Denim Group's @danielcornell and @johnbdickson talking about application security and broader security issues at large.

Many thanks to @scobleizer and the whole Rackspace team including @kr8tr and @rjamestaylor for helping to make this happen.

Filed under  //   Application Security   Building43   Dan Cornell   Denim Group   John Dickson   Web Application Security

Client, Denim Group, Partners with Fortify Software

Denim Group Partners with Fortify Software

Denim Group Uses Fortify’s 360 Suite of Application Security Solutions on Software Development Projects

SAN ANTONIO--(BUSINESS WIRE)--Denim Group, an IT consultancy that develops secure software and helps organizations assess and mitigate risks with their existing software, announced today that it is partnering with Fortify® Software, the market leading provider of Software Security Assurance solutions. Under the agreement, Denim Group can now use Fortify 360, the market leading application for containing, removing and preventing vulnerabilities in software for Denim Group’s secure software development projects. A related video to this announcement may be viewed at: http://tinyurl.com/p3wa9k.

“Fortify’s technology brings together the critical analytic, remediation and management capabilities necessary for an effective Software Security Assurance program,” said Roger Thornton, founder and CTO of Fortify Software, Inc. “We’re pleased that a recognized leader like Denim Group has become a trusted delivery partner.”

Using both static and dynamic analysis methods, Fortify 360 identifies more than 400 types of security vulnerability across 17 different development languages. It provides line-of-code level details for vulnerabilities that are uncovered - a critical capability for organizations that are serious about reducing risk in their software.

“What makes us unique in our software development approach is that we use the Fortify solution for secure software development projects for our clients,” said John Dickson, Principal of Denim Group. “This enables us to build secure applications that our clients trust to protect their most sensitive information.”

About Denim Group

Denim Group develops secure software, helps organizations assess and mitigate risk with existing software, and provides training on best practices in software security. Denim Group has worked with a range of Fortune 500 companies and public sector organizations, bringing a focused software development approach to the world of software security. The Company provides clients with secure .NET and Java development services and remediates serious software flaws in existing application portfolios. Denim Group also identifies vulnerabilities and quantifies risks that vulnerable applications represent through assessments, code reviews, and application-focused penetration testing. Training complements Denim Group’s development and testing services by helping organizations build an internal competency in secure software development and testing through a combined classroom instruction and e-Learning approach.

Denim Group is a strong contributor to the larger application security community, and has been involved with the Open Web Application Security Project (OWASP) since shortly after its inception. Additionally, Denim Group was ranked in Inc. Magazine's 5,000 Fastest-Growing Private Companies in America in 2008 and 2009.

About Fortify Software, Inc.

Fortify's Software Security Assurance products and services protect companies from the threats posed by security flaws in business–critical software applications. Its software security suite–Fortify 360–drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e–commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world–class teams of software security experts and partners. More information is available at www.fortify.com or visit our blog.

Reader Contact Information:

Denim Group, 3463 Magic Drive, Suite 315; San Antonio, TX 78229, Tel: 210-572-4400, Fax: 210-572-4401, www.denimgroup.com, john@denimgroup.com.

Fortify Software, Inc., 2215 Bridgepointe Pkwy, Suite 400; San Mateo, CA 94404, Tel: 650-358-5600, Fax: 650-358-4600, www.fortify.com, contact@fortify.com.

 

Filed under  //   Dan Cornell   Denim Group   Fortify 360   Fortify Software   John Dickson   San Antonio Technology   Secure Application Development   Sheridan Chambers

Denim Group's @danielcornell and @johnbdickson interviewed by @scobleizer today

For client, Denim Group, we just finished an interview with Robert Scoble, and his compadre Rocky Barbanica. Dan Cornell - @danielcornell and John Dickson - @johnbdickson did a great job in articulating the Denim Group story.

Thanks to the whole team over at Rackspace, including Rob La Gesse - @kr8tr and Robert Taylor - @rjamestaylor for getting us connected.

 

Filed under  //   Dan Cornell   Denim Group   John Dickson   Rackspace   Robert Scoble