Post on 03-Jul-2020
Response For:
Request for Information (RFI)
Department of Management Services
Cyber-Security Assessment, Remediation, and Identity Protection,
Monitoring and Restoration Services
Response Due
September 3, 2015
12PM ET
Attention:
Joel Atkinson
Associate Category Manager
4050 Esplanade Way, Suite 360
Tallahassee, FL 32399-0950
Phone: (850) 488-1985
Email: joel.atkinson@dms.myflorida.com
Respectfully Submitted By:
Jan Harris
Denim Group, Ltd.
2700 W. Anderson Lane, Suite 301
Austin, Texas 78751
Direct phone: (210) 237-9262
General Office: (210) 572-4400
jharris@denimgroup.com
Department of Management Services RFI Response
Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services
2 of 20
For State of Florida Department of Management Services RFI
© Denim Group, Ltd., 2015. All Rights Reserved.
Table of Contents
Introduction ...................................................................................................................................... 3
Background ...................................................................................................................................... 5
Denim Group Contact and Organization Information........................................................................ 9
Response to RFI Section IV ........................................................................................................... 10
Addendum A: Denim Group Public Sector Experience Highlights ................................................ 11
Addendum B: Denim Group Security Assessment Methodologies ............................................... 15
Addendum C: ThreadFix™ .......................................................................................................... 18
Introduction
We at Denim Group are pleased to make our services available to help agencies in the State of Florida improve the security state of sensitive data. We are available on the GSA Schedule 70, Contract #GS35F117BA, as well as via the Texas Department of Information Resources Cooperative Purchasing Program DIR-SDD-1850. Denim Group’s core business is cyber security as it applies to the preparation and defense of software and systems.
Software Security and Mobile Application Security
We build, integrate, and secure enterprise-class software. Denim Group helps clients develop secure web
applications for Internet-facing, mission-critical systems by assisting them throughout the software development
lifecycle. We provide web application security assessments and training, source code remediation, and process
improvement consulting for secure application design.
Our application security services cover the entire secure software development lifecycle (SDLC), from initial design to application retirement. We specialize in secure application development services, application security testing, threat modeling to identify potential vulnerabilities, and software vulnerability remediation. Our approach includes software assurance program development and implementation. We understand how critical it is that developers understand secure coding practices, and we help organizations coordinate and bridge security activities between the security departments that identify issues and the development teams that must fix them.
We are nationally recognized because our employees understand cyber security from a software-centric perspective. Our consultants are specially trained to find and remediate vulnerabilities. We have established methodologies for the correct use of software vulnerability identification tools, for software security assessments, and for managing application security projects and reporting. We focus on manual testing to identify issues in the authentication and business logic of an application, since automated tools identify only a fraction of known vulnerabilities.
We are also leaders in mobile application vulnerability testing and remediation, and we have produced a guide specific to Android versus iPhone mobile security issues and approaches. We are trusted by leading financial institutions to assess the security of multiple mobile banking application releases month to month throughout each year.
Our Core Software Security Services:
• Secure software development
• Application security assessment
• Software vulnerability remediation
• Secure SDLC policy and planning
• Secure architecture consulting
• Secure systems migration, integration, and consolidation solutions
• Mobile and cloud application security testing and remediation
• Application Security training
• Secure mobile application development
Information Security
We complement our extensive web application security competencies with an experienced information security
practice which includes services ranging from network penetration testing to IT risk assessments and cyber security
remediation.
We help plan, prepare, and document security policies and procedures for compliance and to mitigate an organization’s risk exposure in information technology environments, and we provide leadership to the teams in their remediation efforts. Our information security gap analysis and security roadmap services help an organization create a realistic baseline of its current state of risk and map out the logical steps to improving cyber security maturity in the following areas:
• Risk Management
• Countermeasure Principles
• Patch Management, Vulnerabilities and Threats (e.g. cloud computing, aggregation, data flow control)
• Incident Response and Disaster Recovery
• Certification and Accreditation
• Application Environment and Security Controls
• Network Protection
• Network Architecture and Design
• Threats and Vulnerabilities
• Access Control Planning
• Educating and Protecting the User
• Operating Systems and Application Security
• Physical and Hardware-Based Security
• Building Security Policies and Procedures
• Security Administration (Education, Training and Awareness)
• System Development Life Cycle (SDLC)
Our State Agency Experience
For eight years, Denim Group has worked closely with Texas state agencies to address software security, cyber
security and remediation. Our public sector engagements have supported application remediation, migration and
modernization to help transition systems in association with the statewide data center consolidation. We also built
a secure eligibility system for the Texas Department of State Health Services replacing two legacy systems for the
Purchased Health Services Unit.
Our most recent highlights include our work helping the Texas Health and Human Services Commission (HHSC) achieve immediate security planning goals in association with Centers for Medicare and Medicaid (CMS) requirements, and obtain the official authority to connect to federal systems during the subsequent operational phase of the HHSC Texas Integrated Eligibility Redesign System (TIERS) Security Project (2013 and on-going). As part of this project we have performed application security assessments on eight major TIERS applications, and we are advising and coordinating remediation efforts on these systems as well as on mobile applications in development. The cyber security project included an information security gap analysis and the establishment of a controls workbook based on the NIST SP 800-53 standards. We are currently in the operational phase, leading the remediation efforts for TIERS. During our work on the TIERS Security Project we have demonstrated our effectiveness working in the HHSC environment, with its stakeholders, and with the HHSC major vendor partners. In addition, we are currently engaged in the Security Monitoring And Remediation Taskforce, assisting the Texas Health And Human Services (HHS) Enterprise (5 agencies) to baseline software security and establish a long-term software assurance program.
Background
About Denim Group, Ltd.
Denim Group is a top-3 national consultancy in the field of software security as recognized by Gartner, 451
Group, and other national analyst firms. We have successfully delivered large-scale software security projects in
Fortune 500, public sector, and Department of Defense environments. Denim Group’s national leadership has
focused on contributions to the Open Web Application Security Project (OWASP) and thought leadership and
contributions around application security, mobile application security, and software remediation. The release of
Denim Group’s Open Source software project, ThreadFix™, in September 2012 (see also Addendum C) garnered
industry recognition and ThreadFix™ is rapidly becoming the industry standard for application security remediation
activities. Our focus is to contribute actionable tools and resources rather than to produce high level concepts and
academic offerings.
Denim Group has been recognized as one of the 5,000 Fastest Growing Companies by Inc. Magazine several years
in a row, and has won multiple awards including recent accolades from regional press organizations as one of the
best places to work in San Antonio.
Denim Group combines experience in custom large-scale software development projects across multiple platforms,
languages and applications with significant core competencies in software and information security. We offer an
innovative blend of secure software development, testing, remediation and training capabilities that protect an
organization’s most valuable asset: its data.
Denim Group employs full-time, trained and experienced developers who are security experts. Our consultants
understand both the IT Security world and the Application integrated development environments (IDE), and can
help organizations build programs to bridge the gap between identifying security issues and fixing them. Our
experts’ working knowledge of the threats and countermeasures encountered in the application security arena, as
well as development strategies that fit into the software development lifecycle, provide the level of expertise needed
to develop, assess and remediate application source code. This is why a federal organization such as the Defense
Advanced Research Project Agency (DARPA) engaged Denim Group in 2011 to test the security of a new national
test range developed in Orlando, Florida by Lockheed Martin.
Denim Group Principals: Recognized Industry Leaders
Denim Group is particularly skilled in cyber security given the specialized combination of our secure software development and system security experience. Our experience on large-scale projects provides project management and best practices methodology for successful completion of client projects within timeline and budget constraints.
Denim Group, Ltd. is completely self-financed and profitable since its inception. The management team at Denim
Group has over forty years’ experience in large-scale software development projects and information security for
Fortune 500, government and international clients. This depth and breadth of experience has allowed Denim Group
to successfully provide solutions for a variety of enterprise clients.
Sheridan Chambers was recognized as the 2011 Best CFO at a small private company from the San Antonio
Business Journal. Due in large part to Sheridan's careful attention to operations and finances, Denim Group has
celebrated 14 years as a successful business. Sheridan helps the company continuously improve processes to
make sure projects stay on time and on budget. He has twice been recognized by the San Antonio Business
Journal as a top entrepreneur.
Dan Cornell is a recognized expert in application security for SearchSoftwareQuality.com, has been quoted as an
expert in SC Magazine and speaks at top national and international IT security conferences on web application
security. Dan is currently the Membership Chair on the board of OWASP (Open Web Application Security Project)
Global Membership Committee and co-lead of the OWASP Open Review Project as well as the OWASP San
Antonio Chapter President. As Denim Group’s Chief Technology Officer, he leads the company’s security research
team in investigating the application of secure coding and development techniques to improve web-based software
development methodologies.
John Dickson is a Principal at Denim Group, Ltd. and a Certified Information Systems Security Professional
(CISSP), whose technical background includes network security, intrusion detection systems, and software
security. Dickson is a former U.S. Air Force officer who specialized in network defense and command and control.
He is a Distinguished Fellow of the Information Systems Security Association (ISSA), serves on the Founders
Board for the Institute for Cyber Security at the University of Texas at San Antonio, and the Texas Business
Leadership Council for which he was Chair in 2013.
Security Community Open Source Contribution
ThreadFix™
In 2012, Denim Group released ThreadFix™, a freely available application vulnerability management platform
that aggregates data from both commercial and open source application security scanners.
In 2014, we launched a supported commercial version of ThreadFix.
ThreadFix™ allows an organization to:
• Import and consolidate application-level vulnerabilities
• Automatically generate virtual patches
• Monitor software attack attempts
• Communicate with defect tracking systems
• Evaluate software development team maturity
• Discuss software security trends with executives and management
The release of ThreadFix™ is the third in a line of tools developed and released to the IT security community at
large to benefit software security goals. (See also: Sprajax and Pandemobium.)
Freely Available Resources
Denim Group produces helpful resources, guides, and articles which we make freely available on our web site at
www.denimgroup.com.
Some examples include:
• Remediation Resource Center: www.denimgroup.com/remediation
• Denim Group Blogposts: http://blog.denimgroup.com/
• Secure Mobile Development Reference:
http://www.denimgroup.com/media/pdfs/MobileDevReference.pdf
• How To Guide for Software Security Vulnerability Remediation:
http://www.denimgroup.com/howtoguide_download_register.html
• 6 Critical Questions to Ask Vendors to Ensure IT Project Success:
http://www.denimgroup.com/know_artic_dickson3.html
• An Introduction to ASP.Net 2.0 Security: http://www.denimgroup.com/know_artic_cornell1.html
Public Speaking and Community Representation
Denim Group Principals and Directors are in demand to speak at important State, local, and national conferences.
We present current topics supporting leadership in software security, secure software architecture, Payment Card
Industry (PCI) issues, and secure application modernization and transformation topics. Members of Denim Group’s
Management Team actively participate in the Texas Chief Information Security Officer Council, the San Antonio
Security Leaders’ Forum and the National Collegiate Cyber Defense Competition.
OpenSAMM Benchmarking Improvement Project
Denim Group is a contributing member of the Open Software Assurance Maturity Model (OpenSAMM) consortium
and active in preparing the industry’s first publicly available, anonymized software security benchmarking data that
enables organizations to steadily improve their software security posture over time. The easy-to-use assessment
provides flexible datasets that can be customized by organization demographics, including sector, development
and cultural profile, resulting in pragmatic milestones towards reducing overall security risk. The expanded access
to these datasets makes OpenSAMM available to a larger number of organizations, who previously weren’t able to
apply valuable benchmarking data to their particular case. Each of the practical, constructive benchmarks within
the framework was derived from best practices of leading application security firms.
Denim Group Clients
Denim Group has broad industry expertise. Our customers span an international client base of commercial and
public sector organizations across the financial services, banking, insurance, state and local government,
education, healthcare and defense industries to name a few. Denim Group also has strong competencies working
with other industries including entertainment, retail and online commerce, construction, energy, high tech, and
marketing/creative. We are able to expose our public service clients to innovations stemming from the commercial
sector and share our extensive background and experience solving some of today’s most complex security
challenges. Denim Group’s public sector experience includes state and local organizations, particularly in
healthcare, and educational institutions for both university and K-12.
A Trained and Trusted Workforce
Unlike many IT security and secure development services companies that regularly use contract labor, Denim Group teams are W2 employees. Having a tight core team allows Denim Group to invest in training and certifications, resulting in unparalleled performance and consistency of execution. Additionally, every employee of Denim Group undergoes thorough background checks that cover criminal, lawsuit and credit history. Some of our employees are also military veterans who have held the highest government security clearances. Denim Group consultants provide a valuable perspective through their working knowledge of the threats and countermeasures encountered in the application security and information security (cyber security) arena. Delivering software maturity assessments and
system information security assessments demands mature consultants with extensive knowledge in risk areas of information systems. Denim Group’s team excels in these areas from their years of experience.
Mature Project Methodologies
Denim Group has rigorously developed its project methodologies and internal training programs. This enables us
to deliver a high degree of accuracy in our ability to scope, propose, and deliver projects, and meet or reduce
projected timelines.
Denim Group Contact and Contract Information
Organization Name: Denim Group, Ltd.
Corporate Address: 1354 North Loop 1604 E, Suite 110, San Antonio, Texas 78232
Type of ownership: Limited Partnership
Federal Tax Identification Number: 26-0014383
DUNS: 141935457
Contract Signatory: Sheridan Chambers, Manager of the General Partner
sheridan@denimgroup.com
Office: (210) 572-4400
RFP / RFI Contact: Jan Harris, Business Development Manager (Public Sector)
jharris@denimgroup.com
Direct: (210) 237-9262
FAX: (210) 572-4401
GSA Schedule 70: GSA Schedule 70 Contract #GS35F117BA
Texas Department of Information Resources (DIR) Cooperative Purchasing Program: DIR-SDD-1850
Response to RFI Section IV
Denim Group can make the following services available to the State of Florida:
Pre-Incident Services:
a) Incident Response Agreements – Terms and conditions in place ahead of time to allow for quicker
response in the event of a cyber-security incident.
b) Assessments – Evaluate a State Agency’s current state of information security and cyber-security
incident response capability.
c) Preparation – Provide guidance on requirements and best practices.
d) Developing Cyber-Security Incident Response Plans – Develop or assist in development of written
State Agency plans for incident response in the event of a cyber-security incident.
e) Training – Provide training for State Agency staff from basic user awareness to technical education.
Post-Incident Services:
d) Mitigation Plans – Assist State Agency staff in development of mitigation plans based on investigation
and incident response. Assist State Agency staff with incident mitigation activities.
Addendum A: Denim Group Public Sector Experience Highlights
Texas Department of State Health Services
2008 CCJ-Vendor Update-USAS-1099 Applications and Databases Secure Application Development and
Data Migration and Remediation
Activities and Tasks included:
• Discovery, project envisioning and migration plan
• Target architecture design
• Data migration and remediation
• Quality assurance for migrated applications
• Federal and State accessibility requirements identification and compliance
• Documentation
2008 IMMSTAT (CHRS) and CSHIP Discovery, Secure Migration and Remediation
Activities and Tasks included:
• Transition plan
• Target architecture design
• Application migration services
• Quality assurance for migrated applications
• Federal and State accessibility requirements identification and compliance
• Deployment and support services
• Documentation
2009 IMMBILL and RHS / Eshare Discovery, Secure Migration and Remediation
Activities and Tasks included:
• Transition plan
• Target architecture design
• Application migration services
• Quality assurance for migrated applications
• Federal and State accessibility requirements identification and compliance
• Deployment and support services
• Documentation
2011 Texas Cancer Registry SANDCRAB – CDC RegistryPlus Secure Application Migration
Activities and Tasks included:
• SANDCRAB application review and gap analysis of CDC RegistryPlus suite
• Review of previous migration plans and information security standards for handling registry
information
• Compilation of migration options to meet available timeline
• Compilation of migration plan for TCR to RegistryPlus which will comply with applicable standards
• Secure migration and deployment support activities
2011 Health Registries Improvement (HRI) Project – Registries: EMS/Trauma, Healthcare Associated
Infections, Birth Defects, Lead (Maven web applications).
Performed Security Assessments, Documentation, Training, and Managed Security Services.
Activities and Tasks included:
• Security risk assessments
• Supporting Documentation Development
• Remediation planning and remediation
• Application evaluation
• Description of business function
• System categorization and hardware/software support system identification
• Data classification
• Level of sensitivity and risk for confidentiality
• Evaluate mission criticality risk of data and IT support system
• Interdependencies and interconnections with other systems
• Threats to each registry system
• System specific training for users and application developers
• Identify vulnerabilities & threats to the registry system by conducting a network security assessment
• Review adherence to policies, best practices and standards by conducting an information security
gap analysis and policy review in comparison with:
o DSHS Information Security Standards and Guidelines
o TAC 202
o HHS Enterprise Information Security Policy Standards and Guidelines
o Information Security Assessment, Awareness and Compliance (ISAAC)
• Assess and rate the application security of DSHS registry systems against industry standard
vulnerabilities via a dynamic application security assessment
• Additional Managed Security Services
o Application security assessments
o Application security instructor led training
o Application secure code development training
o Application security architecture and implementation consulting
Secretary of State for the State of Texas
2009 TEAM (Texas Election Administration and Management) – a third party vendor procurement
System Security Remediation and Enhancement Development
Activities and Tasks included:
• Requirements gathering, analysis, and prioritization
• Architecture design and planning
• Feature development
• Vulnerability remediation
• Documentation and project management
• Knowledge transfer and training
2009 TASP (Texas Academic Skills Program) Secure Application Development and Remediation
Consulting.
Activities and Tasks included:
• Discovery
• Testing
• Remediation
Office of the Attorney General, Child Support Division
2013 Application Security Instructor Led Training
Six Courses delivered for up to 35 participants between January and May 2013.
Courses Delivered:
1. Introduction to Application Security
2. Advanced Web App Security for Java
3. Software Security Remediation: Managing Vulnerability Remediation
4. Secure SDLC: How to Build Security into your Software Development Lifecycle
5. Designing, Building, and Testing Secure Applications on Mobile Devices
Education Service Center (ESC) Region 20
(Note: Region 20 has employed Denim Group secure development and security consulting services since 2002
across numerous projects. Below is one more recent example.)
2011 TxEIS J2EE Conversion (September 2010 to August 2011)
Assisted with the conversion and secure development work needed for the J2EE TxEIS product and other
projects. Provided secure software development and other consulting services as requested.
Activities and Tasks included:
• Requirements gathering and analysis for Agile development initiative
• Secure architecture and planning
• Secure application development
• Deployment and support
• Documentation
• Setup of development and test framework
• Project Management
• Knowledge transfer and training
Health And Human Services Commission / Texas Integrated Eligibility Redesign System (TIERS)
2013-16 Health & Human Services TIERS Security Project
Associated with the Health and Human Services Commission (HHSC) Enhanced Eligibility Systems Modernization Program, HHSC and the Centers for Medicare & Medicaid Services (CMS) completed an Architecture Review and Project Baseline Review stage gate on April 25, 2012. During this review, CMS requested a number of security deliverables. In response, HHSC prepared the TIERS Security Controls Catalog and a template for the TIERS System Security Plan. HHSC also committed to perform an application and infrastructure security assessment.
Activities included (and still on-going):
• Complete development of the TIERS System Security Plan and provide a security assessment by:
o Preparing additional documentation necessary to complete and execute the TIERS System
Security Plan and Controls Catalog.
o Assessing the current status of application and infrastructure security controls against the TIERS
System Security Plan.
o Supporting corrective actions to address any identified gaps in the security controls working
with HHSC stakeholders and vendors.
o Supporting the enhancement of the TIERS Software Development Life Cycle (SDLC) to address
security requirements.
• Address and remediate a majority of open audit findings related to TIERS security and assist HHSC to
re-establish the authority to connect to federal systems.
• Application security testing of the 8 major TIERS applications
• Advise and coordinate remediation efforts for vulnerabilities identified in the TIERS application security
testing results working with TIERS stakeholders and vendors.
• TIERS Security Architecture Review
• Application Security Training (OWASP top ten and advanced secure coding).
• Mobile application security testing as well as advising and coordinating software vulnerability remediation
on the mobile applications.
Addendum B: Denim Group Security Assessment Methodologies
Denim Group Approach to Application Security Assessments
Denim Group provides combined static and targeted dynamic security assessment services to clients that are interested in
understanding the security state of an application. We use a variety of tools and manual testing approaches to
characterize how the application responds to manual and automated attacks.
Application security assessments commence with a static analysis of the application source code consisting of
automated code scanning and manual review. This portion of the assessment identifies and enumerates coding
flaws in the application and informs application remediation feedback for the development team about where and
how flaws exist in the code as well as development level strategies for remediation.
After the completion of the static portion of the security assessment, Denim Group performs a targeted dynamic
assessment of the application. Dynamic tests help identify flaws in application logic and data flow. The dynamic
portion of the testing requires credentials for each of the application's roles and includes tests to determine
whether an authenticated user can elevate access or privileges beyond those granted to that role.
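The role-based escalation test described above can be driven systematically rather than by hand. The following is an added illustration, not Denim Group's tooling or code from this document: it probes every endpoint of a tiny constructed application with every role, compares each result with the access policy, and reports every grant the policy forbids. The application, session store, record store and policy are all assumptions constructed for the example; the vulnerable variant trusts a client-supplied role header and never checks record ownership, the fixed variant takes identity and role from the server-side session only.

```python
"""Role-matrix authorization test.

Probe every endpoint with every role, compare what the server allowed
against the access policy, and report each grant the policy does not
permit.  A low-privilege session reaching an admin function is vertical
escalation; a user reaching another user's record is horizontal.
The application, sessions, records and policy below are constructed
stand-ins for the example."""
from dataclasses import dataclass, field

# Constructed server-side session store: token -> (user id, role).
SESSIONS = {
    "tok-alice": ("alice", "user"),
    "tok-bob":   ("bob",   "user"),
    "tok-root":  ("root",  "admin"),
}
RECORDS = {"alice": "alice's record", "bob": "bob's record"}
PATHS = ["/admin/users", "/record/alice", "/record/bob"]

# Policy: the (token, path) pairs that SHOULD succeed; anything else must be denied.
POLICY = {
    ("tok-alice", "/record/alice"), ("tok-bob", "/record/bob"),
    ("tok-root", "/record/alice"), ("tok-root", "/record/bob"),
    ("tok-root", "/admin/users"),
}


@dataclass
class Request:
    path: str
    token: str                          # session cookie value
    headers: dict = field(default_factory=dict)


def vulnerable_app(req: Request) -> int:
    """Returns an HTTP status.  Two classic flaws: the role is read from a
    client-controlled header, and record ownership is never checked."""
    _user, _role = SESSIONS[req.token]              # looked up, then ignored
    role = req.headers.get("X-Role", "user")        # attacker-controlled
    if req.path == "/admin/users":
        return 200 if role == "admin" else 403
    if req.path.startswith("/record/"):
        owner = req.path.rsplit("/", 1)[1]
        return 200 if owner in RECORDS else 404     # no ownership check
    return 404


def fixed_app(req: Request) -> int:
    """Identity and role come only from the server-side session, and a
    record is served only to its owner or to an admin."""
    user, role = SESSIONS[req.token]
    if req.path == "/admin/users":
        return 200 if role == "admin" else 403
    if req.path.startswith("/record/"):
        owner = req.path.rsplit("/", 1)[1]
        if owner not in RECORDS:
            return 404
        return 200 if (owner == user or role == "admin") else 403
    return 404


def run_matrix(app) -> list:
    """Return sorted (kind, token, path) triples for every grant the policy
    forbids.  Each probe is sent plain and again with a forged X-Role
    header, the way a tester would try to tamper with a role claim."""
    findings = set()
    for token in SESSIONS:
        for path in PATHS:
            for hdrs in ({}, {"X-Role": "admin"}):
                if app(Request(path, token, hdrs)) == 200 and (token, path) not in POLICY:
                    kind = "vertical" if path.startswith("/admin") else "horizontal"
                    findings.add((kind, token, path))
    return sorted(findings)


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("fixed", fixed_app)):
        print(name, run_matrix(app))
```

Against the vulnerable variant the matrix reports two vertical and two horizontal escalations; against the fixed variant it reports nothing. The policy set is the important input: it must be written from the design documentation, not inferred from what the application currently allows, or the test only confirms the existing behaviour.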
Assessment engagements conclude with a final written report as well as a technical debrief with key stakeholders.
Denim Group’s final written deliverable includes an executive summary, vulnerability observations, and remediation
recommendations to address the security state of the application. Denim Group proposes remediation strategies
to help enable the customer to develop a remediation plan to address vulnerabilities observed during the
assessment.
Guidance published by the Open Web Application Security Project (OWASP) provides the base for Denim Group's
assessment methodology, which covers the major classes of web application vulnerabilities that might exist in the
application. Once identified, each vulnerability is assigned a classification and a rating that make its type and
severity clear for remediation.
Denim Group's deliverables include an Observations and Recommended Remediation Report containing: risk ranking,
explanation of findings, suggested remediation strategies, and recommendations for carrying out the remediation
within secure application development practices.
Denim Group’s Approach to Project Management
Our team employs a project management approach developed in-house by Denim Group, which separates project
management into two areas of responsibility. There is a project manager responsible for resourcing, accounting,
time tracking, timeline adherence, client communication, and general business aspects of project success. The
project technical lead works alongside the project manager to maintain a high level of technical quality and provide
technical guidance to our delivery team. In addition to the primary project management team, our methodology
includes the internal support of subject matter experts for application and network security oversight, as well as
technical architecture and scalability oversight.
This layered project management approach allows our team to benefit from the communal expertise of the company
as opposed to relying too heavily on the skills of one or two project team members. It also provides a larger pool
of individuals familiar with the project, which helps to mitigate schedule interruptions.
Using this project methodology, Denim Group has delivered hundreds of successful projects over many years,
ranging from weeks-long application security assessments to enterprise information security assessments to green-
field customer secure application development across multiple years.
Denim Group Approach to Threat Modeling
Denim Group identifies the likely threat agents and vulnerable components associated with the specific application.
Denim Group works with the customer team to produce a holistic view of the system and uses this view to create a
structured approach to enumerating possible areas of weakness. The result is a dataflow diagram, a list of identified
threats, detailed countermeasures for these threats, and any areas where additional security measures should be
considered.
Major tasks include:
• Interviews with client subject-matter experts
• Reviews of specifications, schemas, and design documentation
• Compilation of data flows and attacker profiles
• Attack planning
The methodology draws on the following references and models:
• OWASP Application Security Verification Standard (See also: https://www.owasp.org/images/a/a0/Wichers_-_About_OWASP_ASVS_Web_Edition_v2.pdf)
• OWASP Testing Guides
• OWASP Web Application Security Testing Cheat Sheet
• OWASP Black Box Testing
• Microsoft STRIDE threat classification model http://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
• DREAD risk rating model http://en.wikipedia.org/wiki/DREAD:_Risk_assessment_model
• NIST SP 800-53 Revision 3 security control catalog, and its companion SP 800-53A, Guide for Assessing the
Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans.
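The threat modeling approach above (a data-flow diagram, an enumerated threat list, countermeasures, and a rating) combines two of the models just listed: STRIDE supplies the threat categories and DREAD the rating. The example below is added here to show how those fit together mechanically; it is not Denim Group's threat modeling tool or text from this document. It applies the STRIDE-per-element chart (external entities get S and R; processes get all six; data stores get T, I, D and R only when they hold audit data; data flows get T, I, D) to a small constructed DFD, asks an assessor-supplied rating function for each threat's DREAD tuple, maps each category to its standard countermeasure class, and ranks the result. The DFD, the ratings and the boundary-crossing adjustment are constructed assumptions. One caveat a practitioner should keep in mind: DREAD numbers are ordinal judgments, not measurements, so two threats with the same score are not interchangeable and the ranking is a prioritization aid rather than a risk figure.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram,
each threat rated with DREAD and paired with its countermeasure class.
The DFD and the DREAD scores below are constructed for illustration."""
from dataclasses import dataclass

# STRIDE categories that apply to each DFD element type (Microsoft SDL chart).
STRIDE_BY_TYPE = {
    "external": "SR",
    "process":  "STRIDE",
    "store":    "TRID",   # R applies only to stores that hold audit data
    "flow":     "TID",
}
CATEGORY = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
            "I": "Information disclosure", "D": "Denial of service",
            "E": "Elevation of privilege"}
# Countermeasure class that addresses each STRIDE category.
COUNTERMEASURE = {"S": "authentication", "T": "integrity protection",
                  "R": "audit logging / non-repudiation",
                  "I": "confidentiality and access control",
                  "D": "availability / rate limiting", "E": "authorization"}


@dataclass
class Element:
    name: str
    kind: str                       # external | process | store | flow
    crosses_boundary: bool = False  # flows: does it cross a trust boundary?
    audit_log: bool = False         # stores: does it hold audit records?


@dataclass
class Threat:
    element: str
    category: str
    countermeasure: str
    dread: tuple   # (Damage, Reproducibility, Exploitability, Affected users, Discoverability), each 1..10

    @property
    def score(self) -> float:
        return sum(self.dread) / len(self.dread)


def enumerate_threats(elements, rate) -> list:
    """Apply STRIDE-per-element, ask rate(element, letter) for the DREAD
    tuple, and return threats ranked by DREAD score (highest first)."""
    threats = []
    for el in elements:
        letters = STRIDE_BY_TYPE[el.kind]
        if el.kind == "store" and not el.audit_log:
            letters = letters.replace("R", "")
        for c in letters:
            threats.append(Threat(el.name, CATEGORY[c], COUNTERMEASURE[c], rate(el, c)))
    return sorted(threats, key=lambda t: (-t.score, t.element, t.category))


# Constructed DFD: browser -> web app -> database, with the browser outside
# the trust boundary.
DFD = [
    Element("Browser", "external"),
    Element("Web app", "process"),
    Element("Database", "store"),
    Element("Browser->Web app", "flow", crosses_boundary=True),
    Element("Web app->Database", "flow"),
]

# Constructed assessor ratings; anything not listed gets a neutral 5 across the board.
RATINGS = {
    ("Browser->Web app", "T"): (7, 9, 8, 8, 9),    # parameter tampering from the internet
    ("Database", "I"):         (10, 6, 5, 10, 5),  # bulk disclosure of stored records
    ("Web app", "E"):          (9, 6, 6, 9, 4),    # role check bypass
}


def sample_rating(el: Element, letter: str) -> tuple:
    """Assessor-supplied ratings with one heuristic: a flow that crosses a
    trust boundary is rated more exploitable and more discoverable."""
    base = RATINGS.get((el.name, letter), (5, 5, 5, 5, 5))
    if el.kind == "flow" and el.crosses_boundary and (el.name, letter) not in RATINGS:
        d, r, e, a, disc = base
        base = (d, r, min(10, e + 2), a, min(10, disc + 2))
    return base


def top_threats(n: int = 3) -> list:
    return [(t.element, t.category, t.score)
            for t in enumerate_threats(DFD, sample_rating)[:n]]


if __name__ == "__main__":
    for t in enumerate_threats(DFD, sample_rating):
        print(f"{t.score:4.1f}  {t.element:<18} {t.category:<24} -> {t.countermeasure}")
```

For the constructed DFD this yields 17 candidate threats, with the internet-facing flow's tampering threat, bulk disclosure from the database and a role-check bypass in the web application at the top. Each line of that output is one row of the threat list deliverable; the countermeasure column is where the assessor records the specific control the design already has, or flags the gap.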
Denim Group Use of Standards
OWASP OpenSAMM http://www.opensamm.org
The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and
implement a strategy for software security that is tailored to the specific risks facing the organization. The
resources provided by SAMM will aid in:
• Evaluating an organization’s existing software security practices
• Building a balanced software security program in well-defined iterations
• Demonstrating and measuring security-related activities within an organization
SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations
using any style of development. Additionally, this model can be applied organization-wide, for a single line-of
business, or even for an individual project. As an open project, SAMM content shall always remain vendor-neutral
and freely available for all to use.
OWASP Application Security Verification Standard (ASVS) https://www.owasp.org/index.php/ASVS
The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing
application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind:
• Use as a metric - Provide application developers and application owners with a yardstick with which to
assess the degree of trust that can be placed in their Web applications,
• Use as guidance - Provide guidance to security control developers as to what to build into security controls
in order to satisfy application security requirements, and
• Use during procurement - Provide a basis for specifying application security verification requirements in
contracts.
Addendum C: ThreadFix™
ThreadFix Community Edition is an open source vulnerability management platform that substantially accelerates
the process of resolving application-level vulnerabilities. ThreadFix aggregates vulnerability test results from
disparate static and dynamic scanning tools as well as the results of manual penetration testing, code review and
threat modeling to create a single comprehensive view of the security status of all applications within an
organization. With ThreadFix, the reporting, prioritization and remediation of an organization’s application security
vulnerabilities are centralized in a single location, significantly easing communications between the application
development and security teams. This centralization enables security analysts and development managers to
make better-informed remediation decisions. ThreadFix is designed to give security practitioners the ability to
understand the security of their applications and efficiently conduct remediation. See also:
http://www.slideshare.net/denimgroup/threadfix-22-preview-webinar-with-dan-cornell
ThreadFix ingests results from multiple automated scanning solutions and third party assessment platforms,
organizes the information, and communicates a clear picture of the security state of your applications to both the
security and the development teams, leveraging the tools they are already using.
ThreadFix is an application vulnerability management platform that provides a window into the state of application
security programs for organizations that build software. The platform helps to bridge the gap between security and
software development teams by aggregating vulnerability test results from static and dynamic application security
scanning tools. ThreadFix also imports the results of manual penetration testing, code reviews and threat modeling
to provide a comprehensive view of software security for an organization. Once a unified list of security
vulnerabilities has been created, ThreadFix allows application security managers to further prioritize discovered
vulnerabilities via a centralized dashboard. As the development team resolves defects, status updates are
synchronized within ThreadFix, enabling the security team to schedule follow-up testing to confirm that security
holes have indeed been closed. ThreadFix also auto-generates application firewall rules to block application
attacks while remediation efforts occur. ThreadFix empowers managers with vulnerability trending reports that
demonstrate software security progress over time.
ThreadFix Features and Benefits
Simplified View of Application Test Results
Consolidate and de-duplicate imported results from open source, commercial dynamic and static scanning tools,
as well as the results of manual testing and threat modeling to get a complete view of the state of your applications.
Reports
Get the latest security status of your applications while providing an eagle’s-eye view of your organization’s
progress over time to pinpoint any process problems.
Defect Tracker Integration
Help security professionals translate application vulnerabilities into software defects and push tasks to developers
in the tools and systems they are already using. A list of currently supported defect trackers is available on the
ThreadFix website. http://www.threadfix.org/product-tour/integrations/
Virtual Patching
Create virtual Web Application Firewall (WAF) rules to help block malicious traffic while vulnerabilities are being
resolved. While your organization remediates its applications, virtual patching helps guard against common
vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injection.
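What a generated virtual patch looks like is worth seeing concretely. The following is an added example, not ThreadFix's rule generator or any rule it produces: it turns a finding keyed by (CWE, path, parameter) into a two-rule ModSecurity chain that denies requests to that exact path whose vulnerable parameter either fails a caller-supplied allow-list pattern or trips the libinjection SQLi/XSS detectors. The findings, the allow-list table and the rule-id range are constructed assumptions; the ModSecurity syntax (SecRule, chain, @streq, @rx, @detectSQLi, @detectXSS, the t:normalisePath transformation) is real and the libinjection operators need ModSecurity 2.8 or later. Two caveats a practitioner would apply: scanner output is untrusted input to a config generator, so only values that cannot smuggle quotes or directives into a rule are interpolated, and a generated rule should run in DetectionOnly mode against real traffic before it is allowed to block.

```python
"""Virtual patch generation: turn a confirmed finding (cwe, path, parameter)
into a ModSecurity rule chain that blocks the one request shape the finding
describes, so the flaw is shielded while the code fix is in progress.
The findings and rule-id range below are constructed; the ModSecurity
syntax (SecRule, chain, @streq, @rx, @detectSQLi, @detectXSS) is real."""
import re
from typing import Optional

# libinjection-backed operators, available in ModSecurity 2.8 and later.
OPERATOR_BY_CWE = {89: "@detectSQLi", 79: "@detectXSS"}
# Scanner output is untrusted input to this generator: only interpolate
# values that cannot smuggle quotes, spaces or directives into the rule.
SAFE_PARAM = re.compile(r"^[A-Za-z0-9_\-]+$")
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_\-./]*$")


def virtual_patch(finding: dict, rule_id: int, allow: Optional[str] = None) -> str:
    """Return a two-rule chain.  Rule 1 matches the exact (normalised) path
    and carries the id, phase, logging and the deny action; rule 2 tests
    only the vulnerable parameter, negating an allow-list regex when one is
    supplied and falling back to libinjection detection otherwise."""
    cwe, path, param = finding["cwe"], finding["path"], finding["param"]
    if not (SAFE_PATH.match(path) and SAFE_PARAM.match(param)):
        raise ValueError(f"unsafe path or parameter in finding: {path!r} {param!r}")
    if allow is not None:
        if '"' in allow or "\n" in allow:
            raise ValueError("allow-list pattern must not contain quotes or newlines")
        test = f'"!@rx {allow}"'            # positive security: block anything not matching
    elif cwe in OPERATOR_BY_CWE:
        test = f'"{OPERATOR_BY_CWE[cwe]}"'  # negative security: block known attack syntax
    else:
        raise ValueError(f"no generic operator for CWE-{cwe}; supply an allow-list pattern")
    rule1 = (f'SecRule REQUEST_FILENAME "@streq {path}" '
             f'"id:{rule_id},phase:2,t:none,t:normalisePath,log,deny,status:403,'
             f"msg:'Virtual patch for CWE-{cwe} in {param}',chain\"")
    rule2 = f"    SecRule ARGS:{param} {test}"
    return rule1 + "\n" + rule2


def patch_set(findings, base_id: int = 900100, allow_lists: Optional[dict] = None) -> list:
    """One rule chain per finding, ids allocated sequentially from base_id.
    allow_lists maps (path, param) -> regex for parameters whose legal
    format is known; those get the stronger positive-security rule."""
    allow_lists = allow_lists or {}
    return [virtual_patch(f, base_id + i, allow_lists.get((f["path"], f["param"])))
            for i, f in enumerate(findings)]


# Constructed findings, e.g. the merged output of several scanners.
FINDINGS = [
    {"cwe": 89, "path": "/login", "param": "user"},
    {"cwe": 79, "path": "/search", "param": "q"},
    {"cwe": 22, "path": "/download", "param": "file"},
]
# Constructed allow-list: the download parameter is known to be a PDF file name.
ALLOW = {("/download", "file"): r"^[A-Za-z0-9_\-]+\.pdf$"}

if __name__ == "__main__":
    print("\n\n".join(patch_set(FINDINGS, allow_lists=ALLOW)))
```

The path traversal finding has no generic libinjection operator, so the generator refuses to emit a rule for it unless an allow-list pattern is supplied; a blind block on such a parameter would either not block the attack or break the feature. When the parameter's legal format is known, the allow-list form is the stronger patch even for SQLi and XSS, since the libinjection detectors are heuristics and can be evaded. The disruptive action, id, phase and message all sit on the first rule of the chain, as ModSecurity requires.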
Compatible with Open Source and Commercial Products
ThreadFix is compatible with a number of commercial and freely available dynamic and static scanning
technologies, SaaS testing platforms, IDS/IPS and WAFs and defect trackers.
Why ThreadFix?
ThreadFix benefits from Denim Group’s extensive secure development background. By leveraging widespread
knowledge of both security and software development, Denim Group has created a product that is accessible to
professionals from both worlds. ThreadFix translates, de-duplicates and consolidates results from multiple sources
(dynamic and static scanning, manual testing and threat modeling), resulting in a simplified and prioritized list of
software defects that accelerate software remediation efforts. By streamlining the workflow between the security
and software development teams, ThreadFix helps you accelerate software vulnerability remediation.
ThreadFix Enterprise Edition Licensing
ThreadFix Enterprise Edition includes enhanced features above and beyond what is available in the Community
Edition. Enterprise Edition features include LDAP (Lightweight Directory Access Protocol) and AD (Active
Directory) integration, and role-based access control to ensure applications under development can only be
accessed by the specific developers assigned to that application. Scan Orchestration enables multiple team
members to test multiple applications on an automated basis. ThreadFix Enterprise also offers enhanced
vulnerability reporting to help applications remain in compliance. ThreadFix Enterprise also includes
unlimited phone and email product support, available Monday through Friday from 8 am to 5 pm Central Time.
ThreadFix Kickstart Plus Integration Program
Finding time and committing resources to learning and implementing a new technology can be challenging. For
this reason, Denim Group has created a ThreadFix Kickstart program.
The ThreadFix Kickstart Plus program expedites the setup and configuration of ThreadFix within your organization.
Kickstart Plus adds additional implementation time to work with your application security team to integrate
additional applications, scan agents and defect trackers. This engagement is customized to meet your needs. At
the end of the engagement, you will be left with a fully functional deployment of ThreadFix.
Typical Kickstart Activities and Deliverables:
• Provide ThreadFix questionnaire and capture implementation requirements
• Build project schedule and success criteria (up to 2 applications)
• Conduct interviews with SMEs onsite
• Prepare ThreadFix for installation in the environment
• Onsite kickoff meeting with stakeholders
• ThreadFix installation and configuration
• LDAP/Active Directory integration
• Configure user roles and responsibilities for up to 10 users
• Scan agent configuration for up to 2 scan agents
• Test import and integration of app sec tool results between tools and over time (up to 3 supported tools)
• Test integration with software defect tracker and WAF (1 supported tracker and 1 supported WAF/IDS/IPS)
• Import historical app sec tool output files (up to 6 historical output files)
• Vulnerability lifecycle testing, demonstration and out brief
• Deliver report: summary, vulnerability lifecycle guidance, recommended next steps