Breakout: Manager/Culture
Thursday, September 26
 

10:30am PDT

From Start Line to Security Finish: Running Your Application Security Program Like a Marathon
Thursday September 26, 2024 10:30am - 11:15am PDT
In the fast-evolving world of cybersecurity, managing an application security (AppSec) program can feel like running a marathon—a test of endurance, strategy, and continuous improvement. This presentation draws insightful parallels between marathon running and effective AppSec management, demonstrating how the principles of disciplined training, strategic pacing, and incremental progress can lead to long-term success.


Over the past five years, the speaker has completed seven marathons and has qualified for the prestigious Boston Marathon next year. With more than a decade of experience in building application security programs for various companies, they bring a unique perspective to bridging the gap between these two demanding fields.


Mindset and goal setting are critical for success in both marathon running and AppSec programs. We will explore the essential tools and techniques that both marathon runners and AppSec professionals need to optimize performance and achieve their goals. For instance, choosing the right footwear—whether it's the Nike ZoomX Vaporfly or the Adidas Ultraboost—and leveraging SAST, DAST, and SIEM systems can significantly impact outcomes.


Moreover, the session will delve into targeted training methodologies such as interval training and long runs, translated into AppSec practices like threat modeling and regular security audits. Attendees will learn the importance of continuous monitoring and feedback mechanisms—whether it's through wearables and performance metrics or automated testing and security dashboards.


Adaptation and evolution are crucial in both fields. Just as runners adjust to varying conditions and integrate innovative techniques, AppSec programs must adapt to emerging threats and incorporate state-of-the-art technologies. We'll share real-world examples showcasing how these adaptations can lead to improved security postures.


We will also cover some commonly seen pitfalls for both marathon runners and those managing application security programs. Understanding these pitfalls can help avoid setbacks and ensure a smoother path to success.


Collaboration and knowledge sharing form the backbone of success in both marathon running and application security. This presentation will highlight the role of running communities, expert consultations, and workshops in fostering growth and resilience. Similarly, it will emphasize the importance of cross-team collaboration, industry engagement, and internal training sessions in cultivating a robust AppSec culture.


Key Takeaways:

  1. Believe in Yourself: Anyone can run a marathon and anyone can run an application security program with the right mindset.
  2. Realistic Goals and Concrete Plans: Setting realistic goals and concrete plans is essential for both your marathon and your application security program.
  3. Enjoy the Process and Have Fun: Enjoying the process and having fun can make the journey more rewarding.
Join us to discover how to navigate your journey from the start line to the security finish, ensuring that your application security program is not only resilient but also continuously evolving, much like a marathon runner training for the ultimate race.

Speakers
Derek Fang

FactSet
Derek Fang is currently part of the Product and Application Security Team at FactSet, a global team dedicated to ensuring the security of FactSet's products and applications. In his role, Derek collaborates with FactSet's developers and product teams to align the organization's security...
Room: Bayview B (Bay Level)

11:30am PDT

AppSec Meets Project Management: Hacking the Frameworks for Secure Software
Thursday September 26, 2024 11:30am - 12:15pm PDT
Are you an AppSec professional struggling to align security with your company's project management (PM) processes? Whether you're a software developer, architect, or CISO, this talk will show you how to turn PM frameworks into powerful tools for building secure applications.


We'll explore how common PM methodologies like Agile and Waterfall impact security requirements and compliance. 

We'll discuss the challenges of aligning national security compliance systems with company-specific requirements and various PM implementations.




You'll learn how to:

  • Understand how security requirements work within different PM frameworks
  • Choose the right PM framework for your organization's security needs
  • Effectively introduce and implement AppSec requirements into your company's PM framework
  • Understand how large companies approach PM frameworks and security requirements, enabling you to work with them more effectively



This talk is ideal for those who:

  • Work in a large company and want to better understand and influence how security is handled within the existing PM framework
  • Work in a small company and want to tailor a PM framework to optimize AppSec
  • Work with external clients (large or small) and need to understand their PM-driven security perspectives
By the end of this session, you'll have a deeper understanding of how AppSec and PM intersect. You'll be equipped with strategies to integrate security into your projects, regardless of the PM framework used, leading to more secure software and smoother collaborations. 

Speakers
Stefan Brätsch

IT-Management Consultant, Software Productions
A conscientious IT Consultant and CISO with strong organizational and project management skills. Excellent expertise in coaching, digital transformation and business analysis for ambitious software products with advanced concepts. With over twenty years of experience as computer scientist...
Room: Bayview B (Bay Level)

1:15pm PDT

Businesses Run On Risk And Debt: Why Communicating Security Risk Is Hard
Thursday September 26, 2024 1:15pm - 2:00pm PDT
If you are working in cybersecurity, the world can feel very scary. Keeping up with the industry means reading the latest news about new threat actors, vulnerabilities, and massive breaches. When we find a new flaw in our environment with a CVSS of 10, we feel a real sense of urgency to fix it. But for some reason, all too often, it can be really hard to get executives and boards to listen to you. Don't they know what "Critical" means? 

Could it be that the executive team is speaking a different language?

Speakers
Dwayne McDaniel

Senior Developer Advocate, GitGuardian
Dwayne has been working as a Developer Advocate since 2016 and has been involved in tech communities since 2005. He loves sharing his knowledge, and he has done so by giving talks at over a hundred events worldwide. He has been fortunate enough to speak at institutions like MIT and...
Room: Bayview B (Bay Level)

2:15pm PDT

Who Hurt You? Earning the trust of developers
Thursday September 26, 2024 2:15pm - 3:00pm PDT
The security team plays a vital role in improving the security posture of an organization. However, it is equally important that the software developers contribute to securing all of the applications their organization creates and maintains. If there is an absence of trust and buy-in between security professionals and developers it can hinder progress, create vulnerabilities, and limit growth within organizations. In this thought-provoking talk, we look at the reasons behind a lack of trust and explore the importance of establishing buy-in and trust for success. We delve into why we cannot succeed without trust, effective strategies and tactics, and specific and actionable advice on what to do and what NOT to do. Together, let’s rebuild trust, mend grievances, and unlock our true potential for success by changing the way we run our AppSec programs.
Speakers
Tanya Janca

CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning community that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty five years, won countless awards, and has been everywhere from public service to tech...
Room: Bayview B (Bay Level)

3:30pm PDT

Bridging Security & Privacy Standards: Harnessing OpenCRE for Effective Mapping
Thursday September 26, 2024 3:30pm - 4:15pm PDT
The complexity of the cybersecurity landscape, compounded by evolving frameworks and compliance regulations, necessitates a clear understanding of how different standards align and relate to each other. Mappings between standards have been our solution so far, but manual mappings are a slow, labour-intensive process. The OWASP OpenCRE project aims to remediate this issue.


This presentation explores the current state of standard mappings, comparing traditional manual methods with the innovative OpenCRE solution. It highlights the benefits and limitations of each approach and shares insights from our experiences using OpenCRE. We also investigate a novel approach combining manual mappings with OpenCRE to extend mappings to standards outside OpenCRE.


Key concepts of mappings such as purpose, target audience, and relationship types are examined. We discuss how these elements help organisations align different guidelines and best practices. While OpenCRE supports various relationship types and offers a fast, automated alternative to manual mappings, it has limitations. This is illustrated by comparing the SAMM -> SSDF mapping generated with OpenCRE to the direct manual mapping approved by NIST.


Proposed solutions include improving the quality of OpenCRE mappings by involving standards & regulations bodies (NIST, ISO, etc.) and using OpenCRE as a foundation for expert-reviewed and validated mappings. A specific example showcases how mappings can facilitate compliance efforts, by using SAMM to infer compliance with other frameworks.


In conclusion, mappings are crucial for aligning standards and frameworks, serving as guidelines rather than definitive proofs of compliance. Despite technological advancements, expert involvement remains essential for creating high-quality mappings. Investing in these mappings can streamline security and compliance efforts, making processes more robust and reducing the burden on security professionals.

Speakers
Dimitar Raichev

Software Security Engineer, Codific
I am a software security engineer at Codific, where my responsibilities include the design and development of SAMMY — a management tool that supports numerous security and quality frameworks such as SAMM, SSDF, CSF, and multiple ISO standards. In this capacity, I became involved...
Room: Bayview B (Bay Level)
 
Friday, September 27
 

10:30am PDT

How to get developers to want to adopt AppSec
Friday September 27, 2024 10:30am - 11:15am PDT
As engineers, our goal is to deliver new features to the product, bringing clear value to customers. All of our KPIs and tools are built around facilitating exactly this: how to write quality code while increasing our delivery velocity. Security doesn’t naturally fit into what we do on a daily basis. Or does it?


When we’re breached, everyone cares, from the CEO all the way down to the development teams, and it’s clear that we need to adopt security and AppSec measures to safeguard our software in the future. But it’s unrealistic to expect developers to easily work within AppSec and CyberSecurity tools, or to sacrifice development velocity to increase the security posture.


This talk will lay out a framework for AppSec and security leaders to communicate and facilitate security adoption by engineering teams and more importantly, emphasize ways to build security best practices into the development process holistically. 


A bit of what I’ll cover:

1. Translating security to development - 

  • Going from a vulnerability bug list to ownership of the harm that vulnerabilities in their code can do.
  • Tying together engineering and security KPIs.
  • Stakeholder cooperation between SecOps, engineering, and product.
2. Best practices to integrate security tests from phase one.

3. Doing all this while balancing development velocity.

Speakers
Matan Rabi

Engineering Manager, Bright Security
Matan is an Engineering Manager at Bright Security. His team manages the core research and development team, focused on creating the best DAST tool out there in terms of precision, recall, and vulnerability coverage to help companies identify their actual runtime vulnerabilities. He...
Room: Bayview B (Bay Level)

11:30am PDT

The Path to Influence: How Three Threat Modelers Can Influence an Entire Organization
Friday September 27, 2024 11:30am - 12:15pm PDT
Ever felt ignored when raising security concerns? So did we until we changed the game. This is the story of how a small team can drive change by wielding data-driven insights.

This talk delves into our journey of influencing our entire organization through threat modeling. From adopting a framework to managing threat intelligence, we’ll share the lessons learned and the solutions we found to common challenges.

As a small team, it is not realistic to cover everything by ourselves. We need to focus our energy on high value, high return activities and play the influence game. It was not an easy task, but we managed to do it.

Throughout the presentation, we’ll give an overview of our organization’s size and structure and where our team fits in, to provide some context on how all of this affects decision-making. We’ll explore the three key strategies we implemented to efficiently work toward our goal, namely:
  • adopting a common language for threat modeling across the organization,
  • embedding threat modeling into everyday operations according to the needs of each team, and
  • managing threat intelligence smoothly in an automated manner.

At the end of this talk, you will leave with actionable insights on what could be your next step and a newfound confidence in your abilities to drive change in your organization.
Speakers
Léandre Forget-Besnard

Team lead threat modeling and Appsec, Desjardins
Léandre Forget-Besnard is a security engineer and team lead specializing in offensive security (pentesting and red teaming). Over the past six years, Léandre has integrated threat modeling into offensive practices, enhancing security assessments.
Laurent Bouchard

Practice Lead Threat Modeling, Desjardins
Laurent Bouchard is an Offensive Security Threat Modeler at Desjardins. He likes to explore how and why systems work the way they do and has been spending the last few years doing so with computer systems.
Room: Bayview B (Bay Level)

1:15pm PDT

Learning from "edge of tomorrow" to build an effective security design review program
Friday September 27, 2024 1:15pm - 2:00pm PDT
Security design reviews are an essential part of any modern application security program. While technical frameworks to identify security defects in software are well documented and standardized among the industry, little guidance can be found on how to bootstrap, manage and grow an overarching process and program that developers happily engage in and that is measurably effective at finding critical security flaws before they launch to production.


300 reviews later and with an absolute NPS of 52 we are ready to share our data, stories, experiments, failures and accomplishments collected during our journey to build an effective security design review program from scratch for an organization of 500 software developers.


We will present and release all material needed to replicate the program 1-to-1 in your organization.

Speakers
Felix Matenaar

Head of Product Security, Asana
Felix Matenaar is a security enthusiast and engineering leader with 12 years of professional experience and prior 10 years education in "building and breaking" at hacker spaces. Felix has delivered innovative technologies in many areas, including exploit generation and automation...
Ari Fay

Senior Security Engineer, Product Security Tech Lead, Asana
Room: Bayview B (Bay Level)

2:15pm PDT

From Hype to Reality: The Broken State of DevSecOps and Its Maturity Model
Friday September 27, 2024 2:15pm - 3:00pm PDT
Despite the hype surrounding DevSecOps, the reality is starkly different: reported issues remain unresolved, SLAs are neglected, and the role of security champions is reduced to basic training sessions. 


This talk examines the shortcomings of the current DevSecOps maturity model and its failure to drive substantial improvements in security practices. We will discuss the cultural shifts needed to instill a security-first mindset, emphasizing the importance of guiding teams effectively. 


By empowering security champions with meaningful responsibilities and integrating advanced technologies for automated and proactive security measures, we can transform the theoretical promises of DevSecOps into a practical framework that genuinely addresses and fixes security vulnerabilities. 


Join us to explore actionable solutions and strategies for bridging the gap between DevSecOps hype and reality.

Speakers
Eitan Worcel

CEO & Co Founder, Mobb
Eitan Worcel is the co-founder and CEO of Mobb, the recent Black Hat StartUp Spotlight winner. He has over 15 years of experience in the application security field as a developer, product management leader, and now business leader. Throughout his career, Eitan has worked with numerous...
Dustin Lehr

Co-founder, Chief Product and Technology Officer, Katilyst
Before shifting into cybersecurity leadership, Dustin Lehr spent 13 years as a software engineer and application architect in a variety of industries, including retail, US DoD, and even video games. This background has helped him forge close partnerships with development teams, engineering...
Room: Bayview B

3:30pm PDT

I Know What You Did Last Summer: Lessons Learned from Privacy Breaches and Scandals
Friday September 27, 2024 3:30pm - 4:15pm PDT
The "assume breach" point of view has become the norm for security professionals, recognizing that incidents are bound to happen sooner or later. But what about breaches that go beyond the typical security threats exploited by malicious outsiders? In this talk, we will dive into privacy breaches, from major well-publicized scandals to smaller, barely mentioned cases, showing the impact of weak privacy design and how these breaches could have been avoided.

Through these high profile privacy incidents, we will derive actionable learning that you can integrate into your current security practices, ensuring your products will be both secure and privacy-respecting.

Speakers
Dr. Kim Wuyts

Manager Cyber & Privacy, PwC Belgium
Dr. Kim Wuyts is a leading privacy engineering expert with over 15 years of experience in security and privacy. Before joining PwC as Manager Cyber & Privacy, Kim was a senior researcher at KU Leuven where she led the development and extension of LINDDUN, a popular privacy threat...
Room: Bayview B (Bay Level)