Marriott Wardman Park
2660 Woodley Rd NW
Washington DC, District of Columbia 20008 USA
Phone: 1-202-328-2000 

Wednesday, September 11 • 9:00am - 5:00pm
Building an AppSec Program with OWASP

Explore the OWASP universe and learn how to build an application security program with a budget of $0. This is a practitioner's guide to taking the best-known OWASP projects and melding them into a working program. The projects are grouped into awareness, process, and tools, with an explanation of the human resources required to make the program succeed.
This one-day training mixes lectures on a specific segment of OWASP projects with practical exercises showing how to use each project as a component of an application security program.
The first group of projects is "training/education". These projects provide high-level knowledge, methodology, and training for the application security program. The group includes the OWASP Top 10, the OWASP Proactive Controls, the Cheat Sheet Series, and the training applications (Juice Shop, DevSlop, and WebGoat). Discussion focuses on raising awareness through knowledge and training and on building out the program. The practical portion covers rolling out the Proactive Controls and includes hands-on time with Juice Shop.
The second group is "process/measurement". These projects address requirements, code review, best practices, development libraries, and building software without known vulnerabilities. The group includes ASVS, SAMM, threat modeling, the Code Review Guide, and the Testing Guide. The developer's end-to-end workflow is explored, from requirements through writing code. The working portion includes using ASVS to assess a sample application, threat modeling a sample application, and using SAMM for a sample assessment.
The third group is "tools". This group includes the Testing Guide, Dependency-Check, Threat Dragon, the Core Rule Set (CRS), and ZAP. The testing approach and its touchpoints are discussed, along with a high-level survey of the tools. The working portion includes using ZAP to scan a sample application.
Together these projects form the basis of an application security program whose only cost is the people needed to implement it. This class teaches which projects to use and how to use them, through practical, hands-on exercises.

Audience: The audience for this session is two-fold. The first group is those interested in building an application security program from the tools and documents available from OWASP. The second group is those who want hands-on experience with multiple OWASP tools and materials in practical exercises.

Prerequisites: Participants should have a foundational understanding of application/product security.

Computer Setup: Bring a computer for executing the lab exercises. Participants should download the OWASP Proactive Controls, ASVS, SAMM, and ZAP.

Chris Romeo

CEO, Kerr Ventures
Chris Romeo is the Chief Executive Officer of Kerr Ventures and is a leading voice and thinker in application security, threat modeling, and startups. Chris is the host of the award-winning "Application Security Podcast" and "The Security Table" and is a highly rated industry...

Wednesday September 11, 2019 9:00am - 5:00pm EDT
Lincoln 3