As security professionals charged with protecting large enterprise application portfolios, we continually find ourselves managing a wide array of disparate security initiatives, each of which demands to be treated as a top priority. Few of these initiatives ever achieve full coverage across the application portfolio. So we’re left to prioritize on the fly and try to keep everything we’re juggling in the air. Inevitably some will get dropped.
What if we could develop an AppSec program that ties those disparate initiatives together into a repeatable and continuous program that not only addresses coverage of the entire portfolio but acts as an enabler of high-paced development paradigms such as DevOps and CI/CD? In this presentation we’ll discuss a model for deploying AppSec programs that addresses these goals. A strategy for tying together various security activities including threat modeling, code reviews, and penetration tests, with business and risk processes in a way that actually makes development more efficient. We’ll discuss how an organization can tailor their own program based on the model but addressing the unique challenges and business goals of the individual firm.
You’ll see how the Continuous AppSec Model leverages the key principles of the latest OWASP SAMM to break down and unify your security activities. You’ll learn how an Application Security Program can be designed to enable continuous improvement within the program itself. You’ll discover how this continuous improvement allows for implementation of a program based on this model in an easily digestible and incremental fashion. You’ll understand how a truly continuous program allows you to better prioritize your security initiatives by providing you a clearer picture of the risks across your environment. You’ll leave with a better strategy for enabling your application teams to not only support but actually advocate for the security practices already employed within your enterprise as well as those perhaps thought too advanced for your organization.
