Wednesday 26 April 2017

OWASP Top 10 2017 Working Session at the next OWASP Summit

Given the recent debates about the changes made in this new version of the OWASP Top 10 (which you can download from here), the next OWASP Summit 2017 will host a Working Session to allow for further collaboration and debate.

Please take a look at it and add/change it accordingly (btw, you can now register as a participant, and, if you want to help organise it, please do: we still need an organiser for this Working Session).

Here is a first pass at the topics to cover:

Monday 10 April 2017

RfP for OWASP SAMM assessment (£10k budget)

Here is a project brief I have been asked to share by a company that operates across Europe, USA and Australia.

Seems to me like a great opportunity for an active member of the OWASP/SAMM community :)

Ping me if your company (or you) want to respond, and I'll put you in touch with them.


Project brief:

Our e-commerce security maturity is of critical importance to us and our valued customers.

Through this RfP process, we are approaching the App/InfoSec community to invite responses from Europe-based AppSec consultants and businesses who are interested in engaging with our Group Security team to deliver an acute assessment of our individual teams' security maturity.

We welcome responses from those well versed in the OWASP SAMM methodology who have full-stack technical experience of auditing complex e-commerce environments and practices. Experience in producing board-level written reports and visualisations of the data collected is highly desired. The data is to be collected using the OWASP Maturity Model tool.

Presentation: Building AppSec Teams

Here is the presentation I delivered recently at an online SC Conference on Web Application Security.

This is the consolidation of my recent research (and practical experience) of creating AppSec teams.

I think this structure and focus would make a massive difference (if implemented) at a large number of companies (especially the AppSec Squad concept).

The video is available on demand here.

Presentation: OWASP Summit 2017 (Jan and Feb updates)

Here are two presentations I delivered recently (at the OWASP London Chapter) about the forthcoming OWASP Summit 2017.

Presentation: Security champions

Here is a presentation I delivered recently to a newly created Security Champions team.

The objective was to present to them what Security Champions are, and to motivate them to want to become one.

Let me know what you think of it, and if there is anything missing from this initial 'motivational' slide deck.

Presentation: Legacy-SecDevOps (AppSec Management Debrief)

Here is a presentation I created last year as a debrief to C-level execs.

It is quite strong, but they took it quite well and agreed with most of it :)

Let me know what you think of it (I'm sure you've seen many similar projects and organisations).

Friday 7 April 2017