AppSec Europe 2018

Assuring application security (AppSec) is much more than a technology problem – it requires coordinating the actions of numerous people, which means organization and process. Roles and responsibilities must be defined; budgets must be approved; people need to be hired, educated, and enabled to develop skills; culture needs to be created; tools need to be selected and acquired; and policies and processes must be defined.
Do you wonder how others are wrangling this challenge?
 In this presentation, we will present insights and observations from a study of AppSec program management. In 2017, we reviewed over 75 published articles and talks and interviewed 16 application security practitioners to understand the problem space AppSec practitioners face. We learned a lot and will share our observations of the boundaries used to define the scope of an application security program, the goals of the people responsible for assuring the security of application software, the metrics and measurements that they employ in the pursuit of these goals, and the tools that they used to measure and track application security metrics.