Full Disclosure mailing list archives
[Professional IT Security Providers - Exposed] Denim Group ( A - )
From: secreview <secreview () hushmail com>
Date: Fri, 14 Dec 2007 12:49:52 -0800 (PST)
The Denim Group, located at http://www.denimgroup.com, is a Security Services Provider that focuses strictly on Web Application Security Services. We asked them why they chose the name Denim Group and they said that it was a marketing idea that enables them to stand out from the rest of the providers (the name was actually thought up by a founder's ex-wife). As it turns out, it was a good idea and it works! When we think Denim Group, the first thing that comes to mind is clothing, and what the hell does that have to do with Application Security? Can't forget the name and the total lack of correlation.

Aside from the name, we are actually pleased with what we found when we reviewed the Denim Group. When we spoke with John Dickson we learned a lot about their methodology. We learned that the Denim Group does use automated tools such as WebInspect to perform preliminary scans against target applications. They also use tools like Fortify to perform source code reviews. That being said, automation only covers about 20% of the workload for the services that they deliver.

The remaining 80% of the workload is done by high-talent Web Application Security Specialists that truly understand how to harden a Web Application. They not only look for the common issues like Cross Site Scripting (No Sacure, it's not called Cross-Site Shipping), Cross Site Request Forgery, Remote File Inclusion, etc., but they also look for logic issues and other types of design flaws. The Denim Group does use tools to help them perform their manual testing, as do most worthy security providers. The tools that they use are special interception proxies that enable them to view and manipulate conversations between client and server, amongst other similar manually intensive tools. This enables the Denim Group to truly impact the quality of their deliverables with strong manual testing.

All in all, if you are looking for a provider to perform Web Application Security type services, we think that the Denim Group is a great fit. If you are looking for a full service Professional Security Services shop, well, you'll probably have to look somewhere else because they do not offer Network Penetration Testing Services, Vulnerability Assessments, etc. That being said, we were so impressed with the Denim Group and the caliber of their service offerings that we decided to give them an A-. The only reason why they didn't get an A or an A+ is because they are technically not a full service shop. So, we recommend using the Denim Group, they kick ass!

If you'd like to comment on this, please visit http://secreview.blogspot.com and post a comment. If you feel that this post is inaccurate, please let us know why and we'll consider your opinion for a review. Thanks for reading!

-- Posted By secreview to Professional IT Security Providers - Exposed at 12/14/2007 12:13:00 PM
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/