[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1197665392032.6be33199-02da-471b-a24b-cd6e0a079e34@google.com>
Date: Fri, 14 Dec 2007 12:49:52 -0800 (PST)
From: secreview <secreview@...hmail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [Professional IT Security Providers - Exposed]
Denim Group ( A - )
The Denim Group located at http://www.denimgroup.com is Security
Services Provider that focuses strictly on Web Application Security
Services. We asked them why they chose the name Denim Group and they
said that it was a marketing idea that enables them to stand out from
the rest of the providers. (the name was actually thought up by a
founders X wife) As it turns out, it was a good idea and it works! When
we think Denim Group the first thing that comes to mind is Clothing and
what the hell does that have to do Application Security? Can't forget
the name and the total lack of correlation.Aside from the name, we are
actually pleased with what we found when we reviewed the Denim Group.
When we spoke with John Dickson we learned a lot about their
methodology. We learned that the Denim Group does use automated tools
such as WebInspect to perform preliminary scans against target
applications. They also use tools like fortify to perform source code
reviews. That being said, automation only covers about 20% of the
workload for the services that they deliver.The remaining 80% of the
workload is done by high talent Web Application Security Specialists
that truly understand how to harden a Web Application. They not only
look for the common issues like Cross Site Scripting (No Sacure, its
not called Cross-Site Shipping) , Cross Site Request Forgery, Remote
File Inclusion, etc. but they also look for logic issues and other
types of design flaws. The Denim Group does use tools to help them
perform their manual testing, as do most worthy security providers. The
tools that they use are special interception proxies that enable them
to view and manipulate conversations between client and server, amongst
other similar manually intensive tools. This enables the Denim Group to
truly impact the quality of their deliverables with strong manual
testing.All in all, if you are looking for a provider to perform Web
Application Security type services, we think that the Denim Group is a
great fit. If you are looking for a full service Professional Security
Services shop, well you'll probably have to look somewhere else because
they do not offer Network Penetration Testing Services, Vulnerability
Assessments, etc. That being said we were so impressed with the Denim
Group and the caliber of their service offerings, that we decided to
give them an A-. The only reason why they didn't get an A or an A+ is
because they are technically not a full service shop. So, we recommend
using the Denim Group, they kick ass!If you'd like to comment on this,
please visit http://secreview.blogspot.com and post a comment. If you
feel that this post is inaccurate, please let us know why and we'll
consider your opinion for a review. Thanks for reading!
--
Posted By secreview to Professional IT Security Providers - Exposed at
12/14/2007 12:13:00 PM
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists