The premise of this session is how to build an application security program with a budget of $0. The session explores the OWASP universe, and how different open-source projects are connected together as foundational pieces of an application security program. OWASP is famous for the top 10, but many do not understand the depth and breadth of the different projects. The projects are explained with a focus on how to implement each within a successful program. This talk is more than just a catalog of the OWASP projects. It is also a practitioner’s guide on how to implement the OWASP projects within an AppSec program. The projects are explained and broken into different phases to delineate between the improvements for a new program versus an established program that is adding new capabilities. The first group of projects is training / awareness and program definition. These projects focus on high-level knowledge, methodology, and training for the application security program. This group includes OWASP Top 10, OWASP Proactive Controls, Software Assurance Maturity Model, and training apps (Juice Shop, DevSlop, and WebGoat). The process for raising awareness with knowledge / training and building out a program are discussed. The second group is builder or developer. These focus on requirements, code review, best practices, development libraries, and building software without known vulnerabilities. This group includes Security RAT, ASVS, cheat sheets, threat modeling, Java encoder, and Dependency Checker. The end-to-end world of the developer is explored, from requirements through writing code. The third group is breaker or tester. This group focuses on testing guidance/process and tools, including the testing guide, Offensive Web Testing Framework (OWTF), and ZAP. The testing approach and touch points are discussed, as well as a high-level survey of the tools. The final group is the defender. These include tools that can be used to protect the application from attackers on the Internet, both at the edge and within the application. This group includes ModSecurity and AppSensor. All of these tools work together to form the basis of an application security program with a budget of $0 except for the people resources to implement, and I’ll discuss what is required from the human resources to make a program such as this successful.
