Registration is NOW Open
Marriott Wardman Park
2660 Woodley Rd NW
Washington DC, District of Columbia 20008 USA
Phone: 1-202-328-2000 

*discount rates expire August 19, 2019
Wednesday, September 11, 2019 • 9:00am - 5:00pm
Building an AppSec Program with OWASP


Explore the OWASP universe and how to build an application security program with a budget of $0. Experience a practitioner's guide for how to take the most famous OWASP projects and meld them together into a working program. Projects are broken down into awareness/process/tools, with an explanation of the human resources required to make this successful.
This course is a one-day training that alternates between a lecture on a specific segment of OWASP projects and a practical exercise in using that project as a component of an application security program.
The first group of projects is "training/education". These projects focus on high-level knowledge, methodology, and training for the application security program. This group includes the OWASP Top 10, OWASP Proactive Controls, cheat sheets, and training apps (Juice Shop, DevSlop, and WebGoat). Discussions focus on the process of raising awareness with knowledge/training and building out a program. The practical portion includes a discussion of rolling out the Proactive Controls and hands-on time with Juice Shop.
The second group is "process/measurement". These projects focus on requirements, code review, best practices, development libraries, and building software without known vulnerabilities. This group includes ASVS, SAMM, threat modeling, the Code Review Guide, and the Testing Guide. The end-to-end world of the developer is explored, from requirements through writing code. The working portion includes using ASVS to assess a sample app, threat modeling a sample app, and using SAMM for a sample assessment.
The third group is "tools". This group focuses on tools, including the Testing Guide, Dependency-Check, Threat Dragon, CRS, and ZAP. The testing approach and touchpoints are discussed, along with a high-level survey of the tools. The working portion includes using ZAP to scan a sample application.
Together, these projects form the basis of an application security program with a budget of $0, apart from the people needed to implement it. This class teaches which projects to use and how to use them, with practical, hands-on experience.

Audience: The audience for this session is two-fold. The first group is those who are interested in building an application security program using the various tools and documents available from OWASP. The second group is those who want to experience multiple OWASP tools and materials and use them in practical exercises.

Prerequisites: Participants should have a foundational understanding of application/product security.

Computer Setup: Bring a computer for executing the lab exercises. Participants should download the OWASP Proactive Controls, ASVS, SAMM, and ZAP.


Speakers

Chris Romeo

CEO, Security Journey
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security...

