John Dickson, Principal

As the market witnesses a growing imperative to build software more quickly, John Dickson, Principal, Denim Group remarks, “DevOps, IT departments and, by extension, security teams are being stretched to the breaking point to support expedited software development and delivery.” This often results in application vulnerabilities being introduced due to rushed deadlines or ignored best practices in application development and design. Organizations are constantly battling to build revenue-generating software quickly while making sure all efforts have been exhausted to ensure its safe deployment and sustainability. Denim Group has played a significant role in solving this predicament ever since its inception in 2003. “Following the mantra of ‘building a world where technology is trusted,’ we empower clients to build software in a faster and secure manner,” Dickson adds.
Denim Group’s chronicle can be traced back to the pioneering effort of its three Principals: Dan Cornell, Sheridan Chambers, and John Dickson. While Cornell and Chambers came from classic software development backgrounds, where they built large-scale custom software systems for enterprise clients primarily in Java and .NET, Dickson, an ex-Air Force officer, worked in an early version of the Air Force Computer Emergency Response Team (AFCERT). When the team identified that the intersection of the two areas, development and security, would be a hot area in the future, they dedicated their individual competencies to solving the discrepancies that prevailed in client application security outcomes and, ultimately, software vulnerability remediation.
The company’s vulnerability management platform, ThreadFix is architected to facilitate stronger communication between security and development teams as well as executives. The platform identifies vulnerabilities in applications quickly and early ensuring an immediate fix during the development process where cost savings can be best realized.
ThreadFix connects leading application vulnerability scanners to governance, risk management and compliance (GRC) tools like RSA Security’s Archer. Archer enables software development and security teams to communicate software risks to executives. By syncing with these tools, application security is placed in front of security operators and risk management decision makers for inclusion, analysis, and comparison with all other risk information.
“ThreadFix helps our clients accelerate the remediation of vulnerable software and report the results through Archer,” cites Dickson.
ThreadFix also minimizes reporting duplication. The ThreadFix dashboard offers a view of the applications based on vulnerability level, recent scan activity, and collaboration. “We ensure that our platform supports the needs of large-scale organizations, by offering compliance reporting for PCI and HIPAA, Active Directory integration, scan orchestration, and phone and email support,” explains Dickson. Further, clients can reduce manual review efforts by leveraging ThreadFix’s merge and Hybrid Analysis Mapping capabilities that have been shown to reduce overlapping vulnerabilities by more than 40 percent. In addition to ThreadFix, Denim Group provides security advisory, assessment, training, and managed services targeted at securing custom software.
It is the self-effacing work culture and Denim Group’s passionate teams that have made the company a stellar performer and a hit among its clients. “Because we are software developers ourselves, we have great empathy for our clients’ software teams,” says Dickson. “Clients love that.”
With the next big advance in the industry being the huge drive for automation captured under the umbrella term DevOps, the company is focusing on keeping up with that shift. Denim Group will infuse application security earlier in the software build process to “bake in” automated security testing. “This advance will drive both the ThreadFix product as well as our services that support secure development architecture in what’s called ‘Continuous Integration/Continuous Development’ environments,” concludes Dickson.