SC conference - Building AppSec Teams
Transcript of SC conference - Building AppSec Teams
![Page 1: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/1.jpg)
Building Application Security Teams
Dinis Cruz, CISO
![Page 2: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/2.jpg)
Me
▪ Developer for 25 years
▪ AppSec for 13 years
▪ Day jobs:
  ▪ Leader OWASP O2 Platform project
  ▪ Application Security Training
  ▪ Part of AppSec team of:
    ▪ The Hut Group
    ▪ BBC
    ▪ WorldFirst
  ▪ AppSec Consultant and Mentor
  ▪ CISO (soon)
▪ “I build AppSec teams….”
▪ https://twitter.com/DinisCruz
▪ http://blog.diniscruz.com
▪ http://leanpub.com/u/DinisCruz
![Page 3: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/3.jpg)
CISO POINT VIEW
![Page 4: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/4.jpg)
What type of security organisation to create
▪ Create an environment and workflow where Security (InfoSec and AppSec) is an enabler
▪ Allow the business to ship faster with quality, security and assurance
▪ InfoSec protects the organisation and operations
▪ AppSec protects the code created, used and bought
▪ Developers code in environments where it is very hard to create security vulnerabilities
▪ Applications run in environments where security exploits are contained and visible
▪ Align business risk appetite with reality (using the proposed Risk Workflow to allocate responsibility at the correct level)
![Page 5: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/5.jpg)
How to embed security into the culture
▪ Give security teams a mandate to focus on Quality, Testing and Engineering
▪ Create a network of Security Champions
▪ Become the ‘Department of Yes’
▪ Measure code pollution using the Risk Workflow
▪ Understand that developers are key players and need to be trusted
▪ Testing and Quality are core business requirements (and what gives you speed)
▪ Create a central AppSec team (usually there is only an InfoSec team)
![Page 6: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/6.jpg)
What about security policies?
▪ Security policies are the foundation of decisions
▪ They underpin the reason behind actions and risk accepted
▪ But, if not based on reality, most policies will NOT be:
  ▪ read
  ▪ followed
  ▪ enforced
▪ For policies to work they need to be customised to their target (for example Secure coding standards for App XYZ)
▪ They also need to be delivered in the target’s environment (for example the IDE)
![Page 7: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/7.jpg)
Security magic pixie dust
▪ If you don’t:
  ▪ have an AppSec team
  ▪ do Threat Models
  ▪ do weekly code reviews and security assessments
  ▪ have embedded security automation in your SDL pipeline
  ▪ have secure coding standards, bug-bounties, dependency management
  ▪ …. and many other AppSec activities
▪ There will be massive security vulnerabilities in the applications you use
▪ Because where is security going to come from?
▪ Without these activities:
  ▪ Your security model is based on the ‘skill level’ and ‘business model’ of your attackers
  ▪ … and … ’magic security pixie dust’ (which works until attacked)
![Page 8: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/8.jpg)
WHERE IS APPSEC?
![Page 9: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/9.jpg)
You are a software company
▪ Even if your company does not hire developers, you are already a ‘software company’
▪ You probably don’t view Software Development as a core competency, and don’t control the Software/Applications that run your business (which is a high risk)
▪ If your company operations, customer experiences and sales are controlled by software that you write, then you ARE A SOFTWARE COMPANY (regardless of the industry sector you’re in)
▪ The question is how much your board and exec team realise that, and how much priority and focus is given to (secure) Software development
▪ ‘Code’ controls your company
▪ The question is how much do you ‘control’ your code
![Page 10: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/10.jpg)
Quality on the code that runs your business
▪ Quality is not something you can sprinkle on at the end
▪ Security is just like Quality
▪ Especially Application Security (i.e. secure code)
▪ Key concept:
  ▪ You can use Security to measure quality
  ▪ because although
    ▪ not all quality issues are security issues
    ▪ all security issues are quality issues
![Page 11: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/11.jpg)
If you’re not deploying daily/hourly
▪ You’re not in the game
▪ Will struggle to innovate
▪ Depend on your competitors being worse than you
https://github.com/blog/1241-deploying-at-
http://joshuaseiden.com/blog/2013/12/amazon-deploys-to-production-
![Page 12: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/12.jpg)
CISO MindMap
http://www.aurorait.com/2016/06/13/one-size-never-fits/
![Page 13: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/13.jpg)
CISO MindMap (Zoomed in)
![Page 14: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/14.jpg)
Top level functions (from CISO MindMap)
▪ Business Enablement
▪ Selling InfoSec (Internal)
▪ Governance
▪ Security Operations
▪ Project Delivery Lifecycle
▪ Budget
▪ Security Architecture
▪ Compliance and Audit
▪ Legal and Human Resources
▪ Risk Management
▪ Identity Management
But where is Application Security?
![Page 15: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/15.jpg)
![Page 16: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/16.jpg)
Where is AppSec?
![Page 17: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/17.jpg)
Should AppSec be this low down the priorities?
▪ Of course you need to get the other security functions right (Risk, Networks, SecOps)
▪ But if you don’t write or buy secure code, your assets will be exposed
▪ In fact, with the current move to DevOps, Continuous Deployment and quick releases
  ▪ You will create an environment where security vulnerabilities will be pushed into production in days (or hours)
▪ Application Security (AppSec) needs to be a first class citizen, with strong budget and staff
![Page 18: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/18.jpg)
I like this Security Group Structure
▪ Key Areas:
  ▪ SecOps
  ▪ SOC
  ▪ RISK
  ▪ AppSec
  ▪ Testing
▪ Also important:
  ▪ Security Champions
  ▪ Knowledge
  ▪ RND
![Page 19: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/19.jpg)
Example of Security Function Budget and Team
▪ Budget should be 4% of turn-over (same as GDPR max fine)
▪ 26 staff
  ▪ 4x Management (CISO, Senior Director InfoSec, Project Manager, PA)
  ▪ 8x SecOps (2x Network & Information Security, 2x End-User-Computing, 2x DevOps, 2x SysAdmin)
  ▪ 4x Risk (DPO - Data Protection Officer, 2x Standards, Policy)
  ▪ 4x SOC (2x SOC SME and 2x SOC Engineer)
  ▪ 5x AppSec (Senior Architect Manager, 2x Senior Dev, 2x Dev)
  ▪ 1x Testing (1x RedTeam)
▪ Each function has an individual budget (for tools and 3rd party consulting services)
![Page 20: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/20.jpg)
AppSec is a first class citizen
AppSec as a top level function
![Page 21: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/21.jpg)
APPSEC FUNCTION
![Page 22: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/22.jpg)
Service driven organisation
▪ AppSec and Testing services can be requested by existing Teams/Squads:
  ▪ External Pen-Tests
  ▪ Code Reviews (internal and external)
  ▪ Threat Modeling
  ▪ Static and Dynamic scanning of code
  ▪ AppSec Training
  ▪ AppSec Advisory Surgery
![Page 23: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/23.jpg)
AppSec Functions Provided
▪ Security Champions Network
▪ AppSec Risk Workflow
▪ AppSec knowledge base (Wiki based)
▪ AppSec Policy
▪ Secure Coding Standards (based on JIRA Risk issues and OWASP ASVS)
▪ SDL (Secure Development Lifecycle) programme owner
▪ Internal and External Bug-Bounty management
▪ Maturity Models mapping (based on OwaspSAMM)
▪ Application Registry and Attack Surface mapping
▪ Visualisation of existing architecture/code and Business reporting of existing risks
![Page 24: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/24.jpg)
Security tools integration in SDL
▪ Evaluate and deploy tools to perform Static (SAST) and Dynamic (DAST) scans of existing Applications and components
▪ Customisation of rules in order to create highly defensible findings
▪ Work with Security Champions on how to fix issues
![Page 25: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/25.jpg)
APPSEC SQUAD
![Page 26: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/26.jpg)
AppSec Squad is a horizontal service/team focused on Securing Applications and code
![Page 27: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/27.jpg)
AppSec Squad Function
▪ The AppSec Squad is focused on Secure Code and Fixes
▪ It is a horizontal team (vs dev squads/teams which are vertical)
▪ Works independently or directly with devs (on AppSec issues and fixes)
▪ Helps Security Champions in activities or code-fixes that require significant resources
▪ Independent from ‘product’ owners and deadlines
▪ Focus is on making applications/products more secure, resilient and safe
▪ Made of developers and graduates
▪ Creates the next generation of expert Security Champions
▪ 3 months rotation by internal developers/graduates
![Page 28: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/28.jpg)
Security Features != AppSec Squad
▪ Security Features are focused on creating, coding, deploying and maintaining business features that have a security angle to them
  ▪ 2FA (two-factor authentication)
  ▪ Secure file upload
  ▪ Data encryption
  ▪ HTTPS support
  ▪ Authentication/Authorization/RBAC improvements
  ▪ …other
▪ The AppSec Squad is focused on Secure Code, Security Testing and Visualisation/Documentation
![Page 29: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/29.jpg)
Example of AppSec Squad driven projects*
▪ Mass fixing ‘systemic’ security vulnerabilities
▪ Create targeted and global SAST rules (scale security knowledge)
▪ Create Attack Surface mapping tool
▪ Web Services Visualisation tool
▪ Standard Schemas and validation across the company
▪ Application registry (and app-to-app connections)
▪ Security focused (unit/integration) tests
▪ Performance and DoS testing/visualisation
▪ Add reaction and mitigation capabilities (to app, not network)
▪ RBAC visualisation and testing
▪ Apps containerisation and instrumentation
*Security Champions to be involved in these projects
![Page 30: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/30.jpg)
Team
▪ Project Manager: 1x
▪ AppSec Specialist: 1x
▪ AppSec Developers: 2x to 4x
▪ AppSec Graduates: 2x to 4x
![Page 31: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/31.jpg)
AppSec Developers (2 to 4)
▪ Activities:
  ▪ Fix Security issues
  ▪ Improve QA environments
  ▪ Write tests
  ▪ Harden Dev environment (creating secure-by-default APIs and runtimes)
  ▪ Improve apps logging capabilities and visualisation
  ▪ Create data-flow and architecture diagrams from code (used by Threat models)
▪ Skills:
  ▪ Experts in language(s) used in company
  ▪ Interested in AppSec and Security
  ▪ Able to write code fixes and tests with confidence and speed
  ▪ Able to find innovative solutions for improving the Test and QA environments
![Page 32: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/32.jpg)
AppSec Graduates: 2 to 4
▪ Activities:
  ▪ Simple/known security code fixes
  ▪ Support AppSec Function activities
  ▪ Support Security Champions’ activities
  ▪ Help with JIRA tickets maintenance
  ▪ Help with Threat Model diagrams
▪ Skills:
  ▪ Developers
  ▪ Passion for AppSec and Security
![Page 33: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/33.jpg)
SECURITY CHAMPIONS
![Page 34: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/34.jpg)
SCs Roles and Responsibilities
▪ Allocated to each Squad
▪ SME for all AppSec issues related to the allocated tribe
▪ Maintain JIRA tickets for allocated code-base (projects and components)
▪ Write Security Focused tests and embed SDL practices into CI pipeline
▪ Triage AppSec Findings and Fix relevant issues
![Page 35: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/35.jpg)
More expanded definition
![Page 36: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/36.jpg)
If you don’t have an SC, get a Mug
![Page 37: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/37.jpg)
JIRA RISK WORKFLOW
![Page 38: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/38.jpg)
JIRA RISK Workflow
![Page 39: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/39.jpg)
Key for AppSec JIRA workflow is this button
![Page 40: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/40.jpg)
PATH #1 - Fix issue
![Page 41: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/41.jpg)
PATH #2 - Accept and Approve RISK
![Page 42: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/42.jpg)
PATH #2 - Variation when risk not approved
![Page 43: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/43.jpg)
JIRA Risk workflow
▪ Open JIRA issues for all AppSec issues
▪ Write passing tests for issues reported
▪ Manage using AppSec RISK workflow
▪ Fix Path: Open, Allocated for Fix, Fix, Test Fix, Close
▪ Accept Risk Path: Open, Accept Risk, Approve Risk, (Expire Risk)
▪ Automatically report RISK’s status
![Page 44: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/44.jpg)
Separate JIRA project
▪ This is a separate JIRA repo from the one used by devs
▪ I like to call that project ‘RISK’
▪ This avoids project ‘issue creation’ politics and is a ‘safe harbour’ for:
  ▪ known issues
  ▪ ’shadow of a vulnerability’ issues
  ▪ ‘this could be a problem…’ issues
  ▪ ‘app is still in development’ issues
▪ When deciding to fix an issue:
  ▪ that is the moment to create an issue in the target project’s JIRA (or whatever bug tracking system they use)
▪ When the issue is fixed (and closed on the target project’s JIRA):
  ▪ AppSec confirms the fix and closes the RISK issue
![Page 45: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/45.jpg)
Always moving until fix or acceptance
▪ Key is to understand that issues need to be moving on one of two paths:
  ▪ Fix
  ▪ Risk Accepted (and approved)
▪ Risks (i.e. issues) are never in ‘Backlog’
▪ If an issue is stuck in ‘Allocated for Fix’, then it will be moved into the ‘Awaiting Risk Acceptance’ stage
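The two paths from the “JIRA Risk workflow” slide and the “always moving” rule above, as a small state machine (an added example, not the author’s JIRA configuration or tooling; the 30-day stuck threshold, the ‘Risk Not Approved’ state used for the not-approved variation, the Test Fix → Fix retry, the Expire Risk → Open re-open and the report shape are assumptions):

```python
"""Model of the RISK project workflow from the deck (added example).
State and path names come from the slides; thresholds and extra
transitions marked 'assumption' are not from the slides."""
from dataclasses import dataclass, field
from datetime import date, timedelta

FIX_PATH = ["Open", "Allocated for Fix", "Fix", "Test Fix", "Closed"]
ACCEPT_PATH = ["Open", "Accept Risk", "Approve Risk", "Expire Risk"]

# Allowed transitions: Path #1 (fix), Path #2 (accept/approve), the
# 'stuck' escalation, and the 'risk not approved' variation.
TRANSITIONS = {
    "Open": {"Allocated for Fix", "Accept Risk"},
    "Allocated for Fix": {"Fix", "Awaiting Risk Acceptance"},
    "Fix": {"Test Fix"},
    "Test Fix": {"Closed", "Fix"},            # failed test: back to Fix (assumption)
    "Awaiting Risk Acceptance": {"Accept Risk", "Allocated for Fix"},
    "Accept Risk": {"Approve Risk", "Risk Not Approved"},
    "Approve Risk": {"Expire Risk"},
    "Expire Risk": {"Open"},                  # expired acceptance re-opens (assumption)
    "Risk Not Approved": {"Allocated for Fix"},  # not approved => must be fixed
    "Closed": set(),
}
STUCK_AFTER = timedelta(days=30)  # assumption: how long 'Allocated for Fix' may sit


@dataclass
class RiskIssue:
    key: str
    team: str
    state: str = "Open"
    entered_state_on: date = field(default_factory=date.today)
    has_passing_test: bool = False   # slide: write passing tests for issues reported
    history: list = field(default_factory=list)

    def move(self, new_state: str, today: date) -> None:
        """Apply one workflow transition, refusing anything off the two paths."""
        if new_state == "Backlog":
            raise ValueError("RISK issues are never in Backlog")
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.key}: {self.state} -> {new_state} not allowed")
        if new_state == "Closed" and not self.has_passing_test:
            raise ValueError(f"{self.key}: cannot close without a passing test")
        self.history.append((self.state, new_state, today))
        self.state, self.entered_state_on = new_state, today


def escalate_stuck(issues, today: date):
    """Issues sitting in 'Allocated for Fix' too long go to 'Awaiting Risk Acceptance'."""
    moved = []
    for issue in issues:
        if issue.state == "Allocated for Fix" and today - issue.entered_state_on > STUCK_AFTER:
            issue.move("Awaiting Risk Acceptance", today)
            moved.append(issue.key)
    return moved


def status_report(issues):
    """Per-team counts by state: the 'automatically report RISK status' feed."""
    report = {}
    for issue in issues:
        report.setdefault(issue.team, {}).setdefault(issue.state, 0)
        report[issue.team][issue.state] += 1
    return report


def demo():
    # Constructed sample issues (not real tickets).
    d0 = date(2017, 1, 1)
    a = RiskIssue("RISK-1", "team-a", entered_state_on=d0)
    b = RiskIssue("RISK-2", "team-b", entered_state_on=d0)
    c = RiskIssue("RISK-3", "team-b", entered_state_on=d0)
    for state in FIX_PATH[1:4]:           # Path #1: Allocated for Fix, Fix, Test Fix
        a.move(state, d0)
    a.has_passing_test = True
    a.move("Closed", d0 + timedelta(days=3))
    b.move("Accept Risk", d0)             # Path #2: accept and approve
    b.move("Approve Risk", d0)
    c.move("Allocated for Fix", d0)       # allocated but never worked on
    moved = escalate_stuck([a, b, c], d0 + timedelta(days=45))
    return moved, status_report([a, b, c])


if __name__ == "__main__":
    print(demo())
```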
![Page 46: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/46.jpg)
You need volume
▪ If you don’t have 350+ issues on your JIRA RISK Project, you are not playing (and don’t have enough visibility into what is really going on)
▪ Allow team A to see what team B had (and scale due to issue description reuse)
▪ The problem is not the team with 50 issues, the problem is the team with 5 issues
▪ This is perfect for Gamification and to provide visibility into who to reward (and promote)
![Page 47: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/47.jpg)
Threat model
▪ All issues identified in Threat Models are added to the JIRA RISK project
▪ Create Threat models by
  ▪ layer
  ▪ feature
  ▪ bug
▪ … that is a topic for another talk
![Page 48: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/48.jpg)
JIRA AppSec Dashboards
![Page 49: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/49.jpg)
Weekly emails with Risk status
![Page 50: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/50.jpg)
Full details on “SecDevOps Risk Workflow” book
▪ Get it for free at https://leanpub.com/secdevops
![Page 51: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/51.jpg)
GDPR
![Page 52: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/52.jpg)
GDPR (for Apps)
▪ All this applies to GDPR
▪ If you trade with EU customers you will need to do it
▪ GDPR should be easy if you have:
  ▪ SOC
  ▪ Effective RISK team (with DPO)
  ▪ SecOps team
  ▪ AppSec team
▪ See the great presentation at https://www.owasp.org/images/c/c8/2017-01-25,GDPR_Readiness-Handout.pdf (some screenshots shown in the next slides)
![Page 53: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/53.jpg)
7 Key principles enshrined in the EU GDPR
![Page 54: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/54.jpg)
Twelve steps towards GDPR Readiness (1/2)
https://www.owasp.org/images/c/c8/2017-01-25,GDPR_Readiness-Handout.pdf
![Page 55: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/55.jpg)
Twelve steps towards GDPR Readiness (2/2)
![Page 56: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/56.jpg)
MATURITY MODELS
![Page 57: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/57.jpg)
OwaspSAMM and BSIMM
https://www.owasp.org/index.php/OWASP_SAMM_Project
https://www.bsimm.com/
![Page 58: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/58.jpg)
OWASP Maturity-Models project
▪ Tool to help collect and visualise maturity model data
▪ Open source https://github.com/owasp/maturity-models
▪ All data stored as JSON using Git as the data store
▪ Supports both OwaspSAMM and BSIMM schemas
▪ REST API to consume data
▪ Easy to deploy using docker image
▪ 97% to 100% code coverage
▪ Try it out on the QA server http://138.68.145.52
![Page 59: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/59.jpg)
![Page 60: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/60.jpg)
BUILDING APPSEC TEAMS
![Page 61: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/61.jpg)
You can’t hire AppSec specialists
▪ AppSec specialists will cost £120k+ (UK/US) and even then, they might not be aligned with your values, technologies or focus
▪ Best to hire (internally) developers
  ▪ from £50k to £80k
  ▪ invest 25% of salary in Education/Knowledge (£12,5k to £20k)
    ▪ OWASP conferences (US or EU + regional)
    ▪ OWASP Summits
    ▪ BlackHat, DefCon, HITBSecConf, Shmoocon, DevSecCon conferences
    ▪ Classroom based training sessions with security experts
    ▪ Web based learning tools (massive innovation in this area)
    ▪ Books, books, books, books
  ▪ 20% of their time allocated to learning and RnD (1 day a week)
![Page 62: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/62.jpg)
Build your AppSec team from inside
▪ Ideal path is:
  ▪ Company hires Developers
  ▪ Developer passes internal quality control, culture and skills requirements
  ▪ Developer applies to become a Security Champion
  ▪ Developer likes being a Security Champion and applies to an open position in the AppSec Team (or other Security Function)
▪ Another option is:
  ▪ Hire specific individuals from 3rd-party ‘Application Security focused’ or ‘Quality development focused’ companies
  ▪ Give them a job :) (with full transparency and support from the 3rd party company)
▪ ‘Worst case scenario’:
  ▪ Hire developers from outside (via recruiters or directly)
![Page 63: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/63.jpg)
OWASP
![Page 64: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/64.jpg)
Epicentre of Application Security
▪ Best (dedicated) AppSec conferences of the year
▪ 100s of chapters around the world
▪ 100s of research projects on AppSec
▪ All released under Open Source and Creative Commons licenses
▪ Best concentration of AppSec talent in the world
▪ Please join, collaborate, participate
![Page 65: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/65.jpg)
Conferences
![Page 66: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/66.jpg)
Chapters
![Page 67: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/67.jpg)
Projects - Flagship
![Page 68: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/68.jpg)
Projects - Labs
![Page 69: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/69.jpg)
Projects - Incubator
![Page 70: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/70.jpg)
OWASP Summits
▪ Imagine a place where (some of) the best Application Security and OWASP minds come together to collaborate and work
▪ … a meeting of minds focused on solving hard problems that we all have every day
▪ … a place where security experts, developers, users, government agencies and vendors work together on shared goals
▪ … a place where you will find like-minded individuals that care deeply about what you are passionate about
▪ … an environment designed for maximum geek-time, synergies and collaboration
▪ … basically it’s AppSec from 8am till 2am (next day)
▪ This place is something that only OWASP can create
▪ This place is an OWASP Summit
![Page 71: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/71.jpg)
Summit - 2008
![Page 72: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/72.jpg)
Summit 2011
![Page 73: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/73.jpg)
OWASP Summit 2017 (June 12-16)
▪ http://owaspsummit.org/
![Page 74: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/74.jpg)
Industry working together on hard problems
![Page 75: SC conference - Building AppSec Teams](https://reader031.fdocuments.in/reader031/viewer/2022030222/58b8a3411a28abc06d8b585b/html5/thumbnails/75.jpg)
THANKS
Any questions?