Welcome to OWASP AppSec 2018 USA. We look forward to seeing you in San Jose, CA.


Regency Ballroom 2
Thursday, October 11


SDL at Scale: Growing Security Champions
If you’re tasked with securing a portfolio of applications it’s a practice in extremes. You’ve got a small team of security experts trying to help a multitude of developers, testers, and other engineers. You have to find a way to work with the team that’s been around forever doing Waterfall on one huge product, and at the same time, you have to support all the microservices that the new Agile and DevOps teams are building. And to make things extra exciting, those agile teams are pushing for production anywhere from once a month to several times a day. Even if your security team is fully staffed, there still aren’t enough security experts to go around. Do you focus all your attention on the highly engaged team, the noisy and demanding team, or the team that never replies to your emails? They all need you.

By partnering with your development organization to create a guild of Security Champions you can help them all. Establishing a Security Champion role on your development teams enables them to be more self-sufficient while maintaining and even improving their security posture. With careful selection and well-defined goals, you can train Security Champions who not only interface with the security team but also handle a range of security activities entirely within their own teams, helping you scale your program.

This presentation will examine the value of the Security Champion role within the development team, which groups need to commit for the program to succeed, how to find good champions, and what benefits everyone involved can expect to gain. Based on lessons learned building a successful Security Champion program over the past 5 years, it will detail actionable steps you can take to bootstrap, monitor, and maintain a customized program that fosters these champions in your organization.

Ryan O'Boyle

Manager, Product Security, Veracode
Ryan O'Boyle is the Manager of Product Security at Veracode. Prior to joining Veracode, he helped create the internal penetration testing team at Fidelity Investments. He has presented at conferences including AppSec USA & EU, BlackHat EU, and RSA Europe. Throughout his career, Ryan...

Thursday October 11, 2018 11:00am - 11:35am
Regency 2
  • Track 2
Friday, October 12


Battle Tested Application Security
Building Application Security programs from scratch, or dropping into existing organizations with some AppSec functions, can be a war zone. As practitioners are on the front lines of implementing AppSec programs, there is no one-size-fits-all answer or magic supplier who can come in and solve all opportunities. It takes a dedicated staff to drive an effective program beyond the check-the-box mentality, with a critical focus on security culture.

Through the talk, I'd like to provide insight into the nuances of dealing with different environments, from large to small, and the associated lessons learned, to help drive the culture of security, truly provide defensive capabilities, and empower the organization.

Ty Sbano

Head of Information Security, Periscope Data
Ty Sbano is an Information Security leader with over 12 years of experience mainly in Financial Technology organizations. Ty's career has been focused on developing application and product security programs for LendingClub, Capital One, JPMorgan Chase, and Target. Key areas of knowledge...

Friday October 12, 2018 10:15am - 10:50am
Regency 2
  • Track 2


Security as a Service: Work Where Your Engineers Live
Product Engineers and Managers live in git, JIRA, and wikis to develop and release software, so why do security engineers use a fully different set of tools and dashboards to try to drive security fixes onto product teams' roadmaps?

Our team decided to use the 'live where they work' approach to see if we could increase the effectiveness and measurability of our engineering teams' participation in the SDLC.  

In this talk, we will show you how our roots on the product engineering team inspired us to live where our engineers live, and leverage existing software development processes to enable our engineers to get security work done when and where it needs to get done, without the overhead of constantly trying to reinforce security-specific processes.  

We will talk through the case study of setting up our 3rd Party Library vulnerability detection program. The case study will highlight how we were able to create a zero-overhead approach by leveraging automation and processes that we had previously put in place. The new system ensures we have an accurate view of the 3rd Party Libraries in use by our products at all times. We integrated this with our project tracking software to automatically file tickets with the team at the discovery of a vulnerability or a vulnerable library. This approach enables us to respond as quickly as possible to disclosure of a vulnerability in a library used by one of our 15+ products with tons of moving pieces. We will also talk about our vulnerability management program and strategy, which heavily leverages our JIRA project tracking system as our source of data, so we're working from the same dataset as our engineers.

By working where our engineers live, we are able to immediately cut down barriers to getting security work done where and when it needs to be done, and consolidate the source of truth about se. We empower our engineers to know

Julia Knecht

Manager, Security & Privacy Architecture, Adobe
Taylor Lobb

Manager, Security and Privacy Architecture, Adobe

Friday October 12, 2018 11:45am - 12:20pm
Regency 2
  • Track 2
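The abstract above describes a pipeline: keep a current inventory of third-party libraries per product, and when a vulnerability is disclosed for a library, automatically file a ticket with each affected product team. The script below is an added illustration of that matching and ticket-generation step; it is not code from the Adobe talk or its speakers. The inventory, the advisory, the library names, the version numbers and the ticket fields are all constructed for the example, and the dedup key (advisory id plus product) is an assumption about how an existing ticket would be recognized.

```python
"""Match a constructed vulnerability advisory against a product -> dependency
inventory and build the tickets that would be filed, one per affected product.

Added example, not code from the talk. All data below is constructed."""
from dataclasses import dataclass

# Constructed inventory: product -> {library: installed version}, the shape a
# manifest/lockfile scan at build time would produce.
INVENTORY = {
    "web-editor": {"parser-lib": "1.2.0", "http-lib": "4.16.3"},
    "render-api": {"parser-lib": "1.3.1", "token-lib": "8.3.0"},
    "billing":    {"http-lib": "4.15.0", "parser-lib": "1.1.9"},
}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier, not a real CVE
    library: str
    fixed_in: str      # first version that is NOT affected
    severity: str


# Constructed advisory: every parser-lib release before 1.3.0 is affected.
ADVISORY = Advisory("EXAMPLE-2018-0001", "parser-lib", "1.3.0", "High")


def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH' into a tuple so 1.10.0 > 1.9.9 compares
    correctly (a plain string compare would get that wrong). A non-numeric
    component such as '0-rc1' sorts below any number, so a pre-release of the
    fixed version is still treated as affected rather than silently skipped."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def is_affected(installed, fixed_in):
    return parse_version(installed) < parse_version(fixed_in)


def affected_products(inventory, advisory):
    """Return sorted (product, installed_version) pairs that need the upgrade."""
    hits = []
    for product, libs in inventory.items():
        installed = libs.get(advisory.library)
        if installed is not None and is_affected(installed, advisory.fixed_in):
            hits.append((product, installed))
    return sorted(hits)


def build_tickets(inventory, advisory, existing_keys):
    """Build one ticket per affected product, skipping products that already
    have a ticket for this advisory. existing_keys is the set of dedup keys
    already present in the tracker (assumed shape: '<advisory_id>:<product>')."""
    tickets = []
    for product, installed in affected_products(inventory, advisory):
        key = f"{advisory.advisory_id}:{product}"
        if key in existing_keys:
            continue  # re-running the scan must not open duplicate tickets
        tickets.append({
            "dedup_key": key,
            "project": product,
            "summary": (f"{advisory.advisory_id}: upgrade {advisory.library} "
                        f"{installed} to >= {advisory.fixed_in}"),
            "priority": advisory.severity,
        })
    return tickets


if __name__ == "__main__":
    # 'billing' already has a ticket, so only 'web-editor' gets a new one.
    for t in build_tickets(INVENTORY, ADVISORY, {"EXAMPLE-2018-0001:billing"}):
        print(t["project"], "|", t["summary"], "|", t["priority"])
```

Two points the abstract only implies: version comparison has to be numeric, or a scan will miss (or mis-flag) products once a minor version passes 9; and the scan has to be idempotent against the tracker, otherwise every re-run of the inventory job spams engineers with duplicate tickets and the "work where they live" approach loses credibility.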


Security Culture Hacking: Disrupting the Security Status Quo
This session is an exploration into the world of security culture hacking. In the wake of the "data breach of the day", organizations claim they are more serious about security. The truth is that many still have weak security cultures. At the end of the day, how much actual security culture change occurs post-breach? The answer is not enough. This session describes how to change security culture from the inside out, utilizing best practices and real-world examples. With security culture disruption, the security team attempts to impact employees through positive security learning and experience.

The session begins by introducing the audience to the concepts of security culture and security culture hacking and then explains the security status quo. Security culture hacking is the set of skills and the creativity necessary to disrupt an existing culture and redirect it towards a more secure future. The security status quo is the idea that companies move in a herd mentality and believe that their security need only be an average of their peers'. To prove this point, we profile some anonymous organizations based on their external security story versus reality. Next, we'll discuss what makes a good security culture hacker, including the skills required for success in this type of endeavor.

The middle of this session is a how-to of hacking security culture. Each section includes tips and stories from real-life experience about how to influence security culture. The phases of security culture improvement are explored, including awareness, big learning, and community. In addition, organizational reach, marketing, rewards, recognition, and metrics surrounding security culture improvement are discussed. It's time to make security fun.

At the conclusion, a plan is laid out for how a learner could put true security culture change into practice in their organization. Audience members receive a 30-60-90-1-year plan for how to implement true security culture change. 

Chris Romeo

CEO and Co-founder, Security Journey
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security...

Friday October 12, 2018 1:30pm - 2:05pm
Regency 2
  • Track 2