This workshop covers setting up, managing and improving your global information security organisation using mature OWASP projects and tools: achieving cost-effective application security and bringing it all together at the management level. It shows how to use and leverage OWASP and other common best practices to improve your security programs and organisation. The workshop will also discuss a number of quick wins, how to effectively manage global security initiatives, and how to use OWASP tools inside your organisation. The author has extensive experience of managing his own secure development organisation, as well as advising on the improvement of a number of global secure development organisations and processes.
Topics:
- OWASP Top-10 and OWASP projects - how to use within your organisation
- Risk management and threat modelling methods (OWASP risk analysis, ISO-27005,...)
- Benchmarking & Maturity Models
- Security Strategy
- Organisational Design and managing change for global information security programs
- SDLC
- Training: OWASP Secure Coding Practices - Quick Reference Guide, Development Guide, Training tools for developers
- Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide
- Development & Operation: Libraries and Frameworks (ESAPI (Enterprise Security API), AppSensor, ...), Threat assessments using OWASP Cornucopia
All discussion and issues raised by participants at the workshop will be treated confidentially under the Chatham House Rule (http://en.wikipedia.org/wiki/Chatham_House_Rule).
Attendee takeaways and key learning objectives:
- how to effectively build and run a global information security function
- strengthening web and application security using OWASP projects
- improving web & application security for organisations from green-field level to very sophisticated security organisations