Room: Bayview B (Bay Level)
Thursday, September 26
10:30am PDT

From Start Line to Security Finish: Running Your Application Security Program Like a Marathon
Thursday September 26, 2024 10:30am - 11:15am PDT
In the fast-evolving world of cybersecurity, managing an application security (AppSec) program can feel like running a marathon—a test of endurance, strategy, and continuous improvement. This presentation draws insightful parallels between marathon running and effective AppSec management, demonstrating how the principles of disciplined training, strategic pacing, and incremental progress can lead to long-term success.


Over the past five years, the speaker has completed seven marathons and has qualified for the prestigious Boston Marathon next year. With more than a decade of experience in building application security programs for various companies, they bring a unique perspective to bridging the gap between these two demanding fields.


Mindset and goal setting are critical for success in both marathon running and AppSec programs. We will explore the essential tools and techniques that both marathon runners and AppSec professionals need to optimize performance and achieve their goals. For instance, choosing the right footwear—whether it's the Nike ZoomX Vaporfly or the Adidas Ultraboost—and leveraging SAST, DAST, and SIEM systems can significantly impact outcomes.


Moreover, the session will delve into targeted training methodologies such as interval training and long runs, translated into AppSec practices like threat modeling and regular security audits. Attendees will learn the importance of continuous monitoring and feedback mechanisms—whether it's through wearables and performance metrics or automated testing and security dashboards.


Adaptation and evolution are crucial in both fields. Just as runners adjust to varying conditions and integrate innovative techniques, AppSec programs must adapt to emerging threats and incorporate state-of-the-art technologies. We'll share real-world examples showcasing how these adaptations can lead to improved security postures.


We will also cover some commonly seen pitfalls for both marathon runners and those managing application security programs. Understanding these pitfalls can help avoid setbacks and ensure a smoother path to success.


Collaboration and knowledge sharing form the backbone of success in both marathon running and application security. This presentation will highlight the role of running communities, expert consultations, and workshops in fostering growth and resilience. Similarly, it will emphasize the importance of cross-team collaboration, industry engagement, and internal training sessions in cultivating a robust AppSec culture.


Key Takeaways:

  1. Believe in Yourself: Anyone can run a marathon and anyone can run an application security program with the right mindset.
  2. Realistic Goals and Concrete Plans: Setting realistic goals and concrete plans is essential for both your marathon and your application security program.
  3. Enjoy the Process and Have Fun: Enjoying the process and having fun can make the journey more rewarding.
Join us to discover how to navigate your journey from the start line to the security finish, ensuring that your application security program is not only resilient but also continuously evolving, much like a marathon runner training for the ultimate race.

Speakers
Derek Fang

FactSet
Derek Fang is currently part of the Product and Application Security Team at FactSet, a global team dedicated to ensuring the security of FactSet's products and applications. In his role, Derek collaborates with FactSet's developers and product teams to align the organization's security...

11:30am PDT

AppSec Meets Project Management: Hacking the Frameworks for Secure Software
Thursday September 26, 2024 11:30am - 12:15pm PDT
Are you an AppSec professional struggling to align security with your company's project management (PM) processes? Whether you're a software developer, architect, or CISO, this talk will show you how to turn PM frameworks into powerful tools for building secure applications.


We'll explore how common PM methodologies like Agile and Waterfall impact security requirements and compliance.

We'll discuss the challenges of aligning national security compliance systems with company-specific requirements and various PM implementations.

You'll learn how to:

  • Understand how security requirements work within different PM frameworks
  • Choose the right PM framework for your organization's security needs
  • Effectively introduce and implement AppSec requirements into your company's PM framework
  • Understand how large companies approach PM frameworks and security requirements, enabling you to work with them more effectively
This talk is ideal for those who:

  • Work in a large company and want to better understand and influence how security is handled within the existing PM framework
  • Work in a small company and want to tailor a PM framework to optimize AppSec
  • Work with external clients (large or small) and need to understand their PM-driven security perspectives
By the end of this session, you'll have a deeper understanding of how AppSec and PM intersect. You'll be equipped with strategies to integrate security into your projects, regardless of the PM framework used, leading to more secure software and smoother collaborations. 

Speakers
Stefan Brätsch

IT-Management Consultant, Software Productions
A conscientious IT Consultant and CISO with strong organizational and project management skills. Excellent expertise in coaching, digital transformation and business analysis for ambitious software products with advanced concepts. With over twenty years of experience as computer scientist...

1:15pm PDT

Businesses Run On Risk And Debt: Why Communicating Security Risk Is Hard
Thursday September 26, 2024 1:15pm - 2:00pm PDT
If you are working in cybersecurity, the world can feel very scary. Keeping up with the industry means reading the latest news about new threat actors, vulnerabilities, and massive breaches. When we find a new flaw in our environment with a CVSS of 10, we feel a real sense of urgency to fix it. But for some reason, all too often, it can be really hard to get executives and boards to listen to you. Don't they know what "Critical" means? 

Could it be that the executive team is speaking a different language?

Speakers
Dwayne McDaniel

Senior Developer Advocate, GitGuardian
Dwayne has been working as a Developer Advocate since 2016 and has been involved in tech communities since 2005. He loves sharing his knowledge, and he has done so by giving talks at over a hundred events worldwide. He has been fortunate enough to speak at institutions like MIT and...

2:15pm PDT

Who Hurt You? Earning the trust of developers
Thursday September 26, 2024 2:15pm - 3:00pm PDT
The security team plays a vital role in improving the security posture of an organization. However, it is equally important that the software developers contribute to securing all of the applications their organization creates and maintains. If there is an absence of trust and buy-in between security professionals and developers it can hinder progress, create vulnerabilities, and limit growth within organizations. In this thought-provoking talk, we look at the reasons behind a lack of trust and explore the importance of establishing buy-in and trust for success. We delve into why we cannot succeed without trust, effective strategies and tactics, and specific and actionable advice on what to do and what NOT to do. Together, let’s rebuild trust, mend grievances, and unlock our true potential for success by changing the way we run our AppSec programs.
Speakers
Tanya Janca

CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning community that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty-five years, won countless awards, and has been everywhere from public service to tech...

3:30pm PDT

Bridging Security & Privacy Standards: Harnessing OpenCRE for Effective Mapping
Thursday September 26, 2024 3:30pm - 4:15pm PDT
The complexity of the cybersecurity landscape, compounded by evolving frameworks and compliance regulations, necessitates a clear understanding of how different standards align and relate to each other. Mappings between standards have been our solution so far, but manual mappings are a slow, labour-intensive process. The OWASP OpenCRE project aims to remediate this issue.


This presentation explores the current state of standard mappings, comparing traditional manual methods with the innovative OpenCRE solution. It highlights the benefits and limitations of each approach and shares insights from our experiences using OpenCRE. We also investigate a novel approach combining manual mappings with OpenCRE to extend mappings to standards outside OpenCRE.


Key concepts of mappings such as purpose, target audience, and relationship types are examined. We discuss how these elements help organisations align different guidelines and best practices. While OpenCRE supports various relationship types and offers a fast, automated alternative to manual mappings, it has limitations. This is illustrated by comparing the SAMM -> SSDF mapping generated with OpenCRE to the direct manual mapping approved by NIST.


Proposed solutions include improving the quality of OpenCRE mappings by involving standards & regulations bodies (NIST, ISO, etc.) and using OpenCRE as a foundation for expert-reviewed and validated mappings. A specific example showcases how mappings can facilitate compliance efforts, by using SAMM to infer compliance with other frameworks.


In conclusion, mappings are crucial for aligning standards and frameworks, serving as guidelines rather than definitive proofs of compliance. Despite technological advancements, expert involvement remains essential for creating high-quality mappings. Investing in these mappings can streamline security and compliance efforts, making processes more robust and reducing the burden on security professionals.

Speakers
Dimitar Raichev

Software Security Engineer, Codific
I am a software security engineer at Codific, where my responsibilities include the design and development of SAMMY — a management tool that supports numerous security and quality frameworks such as SAMM, SSDF, CSF, and multiple ISO standards. In this capacity, I became involved...