THE MUST ATTEND EVENT FOR CYBERSECURITY PROFESSIONALS
Room: Bayview B (Bay Level)
Friday, September 27
 

10:30am PDT

How to get developers to want to adopt AppSec
Friday September 27, 2024 10:30am - 11:15am PDT
As engineers, our goal is to deliver new features to the product, bringing clear value to customers. All of our KPIs and tools are built around facilitating exactly this; how to write quality code while increasing our delivery velocity. Security doesn’t naturally fit into what we do on a daily basis. Or does it?


When we’re breached, everyone cares, from the CEO all the way down to the development teams, and it’s clear that we need to adopt security and AppSec measures to safeguard our software in the future, but it’s unrealistic to expect developers to easily work within AppSec and CyberSecurity tools or to sacrifice development velocity to increase the security posture.


This talk will lay out a framework for AppSec and security leaders to communicate and facilitate security adoption by engineering teams and more importantly, emphasize ways to build security best practices into the development process holistically. 


A bit of what I’ll cover:

1. Translating security to development:

  • Going from a vulnerability bug list to ownership of the harm that vulnerabilities in their code can do.
  • Tying together engineering and security KPIs.
  • Stakeholder cooperation between SecOps, engineering, and product.
2. Best practices to integrate security tests from phase one.

3. Doing all this while balancing development velocity.

Speakers
Matan Rabi

Engineering Manager, Bright Security
Matan is an Engineering Manager at Bright Security. His team manages the core research and development team, focused on creating the best DAST tool out there in terms of precision, recall, and vulnerability coverage to help companies identify their actual runtime vulnerabilities. He...
Room: Bayview B (Bay Level)

11:30am PDT

The Path to Influence: How Three Threat Modelers Can Influence an Entire Organization
Friday September 27, 2024 11:30am - 12:15pm PDT
Ever felt ignored when raising security concerns? So did we until we changed the game. This is the story of how a small team can drive change by wielding data-driven insights.

This talk delves into our journey of influencing our entire organization through threat modeling. From adopting a framework to managing threat intelligence, we’ll share the lessons learned and the solutions we found to common challenges.

As a small team, it is not realistic to cover everything by ourselves. We need to focus our energy on high value, high return activities and play the influence game. It was not an easy task, but we managed to do it.

Throughout the presentation, we’ll do an overview of our organization’s size and structure, where our team fits in to give some context and how all of this affects decision-making. We’ll explore the three key strategies we implemented to efficiently work toward our goal, namely:
  • adopting a common language for threat modeling across the organization,
  • embedding threat modeling into everyday operations according to the needs of each team, and
  • managing threat intelligence smoothly in an automated manner.

At the end of this talk, you will leave with actionable insights on what could be your next step and a newfound confidence in your abilities to drive change in your organization.
Speakers
Léandre Forget-Besnard

Team lead threat modeling and Appsec, Desjardins
Léandre Forget-Besnard is a security engineer and team lead specializing in offensive security (pentesting and red teaming). Over the past six years, Léandre has integrated threat modeling into offensive practices, enhancing security assessments.
Laurent Bouchard

Practice Lead Threat Modeling, Desjardins
Laurent Bouchard is an Offensive Security Threat Modeler at Desjardins. He likes to explore how and why systems work the way they do and has been spending the last few years doing so with computer systems.
Room: Bayview B (Bay Level)

1:15pm PDT

Learning from "edge of tomorrow" to build an effective security design review program
Friday September 27, 2024 1:15pm - 2:00pm PDT
Security design reviews are an essential part of any modern application security program. While technical frameworks to identify security defects in software are well documented and standardized among the industry, little guidance can be found on how to bootstrap, manage and grow an overarching process and program that developers happily engage in and that is measurably effective at finding critical security flaws before they launch to production.


300 reviews later and with an absolute NPS of 52 we are ready to share our data, stories, experiments, failures and accomplishments collected during our journey to build an effective security design review program from scratch for an organization of 500 software developers.


We will present and release all material needed to replicate the program 1-to-1 in your organization.

Speakers
Felix Matenaar

Head of Product Security, Asana
Felix Matenaar is a security enthusiast and engineering leader with 12 years of professional experience and prior 10 years education in "building and breaking" at hacker spaces. Felix has delivered innovative technologies in many areas, including exploit generation and automation...
Ari Fay

Senior Security Engineer, Product Security Tech Lead, Asana
Room: Bayview B (Bay Level)

3:30pm PDT

I Know What You Did Last Summer: Lessons Learned from Privacy Breaches and Scandals
Friday September 27, 2024 3:30pm - 4:15pm PDT
The "assume breach" point of view has become the norm for security professionals, recognizing that incidents are bound to happen sooner or later.  But what about breaches that go beyond the typical security threats exploited by malicious outsiders? In this talk, we will dive into privacy breaches, from major well-published scandals to smaller, barely mentioned cases, showing the impact of weak privacy design and how these breaches could have been avoided. 

Through these high profile privacy incidents, we will derive actionable learning that you can integrate into your current security practices, ensuring your products will be both secure and privacy-respecting.

Speakers
Dr. Kim Wuyts

Manager Cyber & Privacy, PwC Belgium
Dr. Kim Wuyts is a leading privacy engineering expert with over 15 years of experience in security and privacy. Before joining PwC as Manager Cyber & Privacy, Kim was a senior researcher at KU Leuven where she led the development and extension of LINDDUN, a popular privacy threat...
Room: Bayview B (Bay Level)
 