AppSec Europe 2018 has ended
Friday, July 6 • 10:15am - 11:00am
Building an AppSec Program with a Budget of $0: Beyond the OWASP Top 10


The premise of this session is how to build an application security program with a budget of $0. The session explores the OWASP universe and how its open-source projects fit together as the foundational pieces of an application security program.
OWASP is famous for the Top 10, but many people do not appreciate the depth and breadth of its other projects. Each project is explained with a focus on how to implement it within a successful program, so this talk is more than a catalog of OWASP projects: it is a practitioner's guide to putting them to work in an AppSec program. The projects are broken into phases to separate the improvements that matter for a new program from those an established program adds as new capabilities.
The first group of projects is training / awareness and program definition. These projects focus on high-level knowledge, methodology, and training for the application security program. This group includes OWASP Top 10, OWASP Proactive Controls, Software Assurance Maturity Model, and training apps (Juice Shop, DevSlop, and WebGoat). The process for raising awareness with knowledge / training and building out a program are discussed.
The second group is the builder, or developer. These projects cover requirements, code review, best practices, development libraries, and building software without known vulnerabilities. This group includes SecurityRAT, ASVS, the Cheat Sheet Series, threat modeling, the Java Encoder, and Dependency-Check. The end-to-end world of the developer is explored, from requirements through writing code.
The third group is the breaker, or tester. This group focuses on testing guidance, process, and tools, including the Testing Guide, the Offensive Web Testing Framework (OWTF), and ZAP. The testing approach and its touch points are discussed, along with a high-level survey of the tools.
The final group is the defender. These are tools that protect the application from attackers on the Internet, both at the edge and within the application itself. This group includes ModSecurity and AppSensor.
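As an added illustration of the "builder" projects above (this is example code written for this page, not material from the talk or from OWASP), the snippet below contrasts untrusted input concatenated straight into HTML with the same output passed through the OWASP Java Encoder, using one encoder per output context. It assumes the library org.owasp.encoder:encoder from Maven Central is on the classpath; the sample input and the allowScheme helper are constructed for the example.

```java
// Added example for this page: contextual output encoding with the OWASP Java Encoder.
// Assumes org.owasp.encoder:encoder (Maven Central) is on the classpath.
import org.owasp.encoder.Encode;

public class EncoderExample {

    // Deliberately vulnerable: the same untrusted value lands in three different
    // contexts (attribute, element body, JavaScript string) with no encoding at all.
    static String renderUnsafe(String displayName, String profileUrl) {
        return "<a href=\"" + profileUrl + "\" title=\"" + displayName + "\">"
             + displayName + "</a>"
             + "<script>var user = '" + displayName + "';</script>";
    }

    // Hardened: pick the encoder that matches each output context.
    // Encoding alone does not block a javascript: URL in href, so the scheme is
    // checked separately (constructed helper, not part of the library).
    static String renderSafe(String displayName, String profileUrl) {
        String safeUrl = allowScheme(profileUrl) ? profileUrl : "#";
        return "<a href=\"" + Encode.forHtmlAttribute(safeUrl)
             + "\" title=\"" + Encode.forHtmlAttribute(displayName) + "\">"
             + Encode.forHtml(displayName) + "</a>"
             + "<script>var user = '" + Encode.forJavaScript(displayName) + "';</script>";
    }

    // Allow only absolute http(s) URLs; everything else (javascript:, data:, relative
    // paths) is rejected so that the link cannot become a script gadget.
    static boolean allowScheme(String url) {
        if (url == null) {
            return false;
        }
        String lower = url.trim().toLowerCase(java.util.Locale.ROOT);
        return lower.startsWith("http://") || lower.startsWith("https://");
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled input that targets each context at once.
        String name = "Bob\"><img src=x onerror=alert(1)>'; alert(2); //";
        String url = "javascript:alert(3)";

        System.out.println("UNSAFE: " + renderUnsafe(name, url));
        System.out.println("SAFE:   " + renderSafe(name, url));
    }
}
```

Running it shows the unsafe output containing a live img/onerror tag, a broken-out JavaScript string, and a javascript: link, while the safe output renders the same characters inertly in each context and replaces the link target with "#". The point for a $0 program is that a single dependency plus a code review rule ("every untrusted value goes through the encoder for its context") removes a whole class of findings before the breaker group ever runs ZAP.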
All of these tools work together to form the basis of an application security program with a budget of $0, except for the people needed to implement it, and I'll discuss what is required from those people to make a program such as this successful.

Chris Romeo

CEO, Kerr Ventures
Chris Romeo is the Chief Executive Officer of Kerr Ventures and is a leading voice and thinker in application security, threat modeling, and startups. Chris is the host of the award-winning "Application Security Podcast" and "The Security Table" and is a highly rated industry...

Friday July 6, 2018 10:15am - 11:00am BST
Westminster, 4th Floor, QEII Centre, Broad Sanctuary, Westminster, London SW1P 3EE