Grant Ongers (rewtd)
Given that:
- Security teams are outnumbered by developers 100:1
- 50 to 80% more bugs are found in code review than in testing
- More than 70% of CVEs are caused by implementation bugs in code
It must follow that AppSec should be the biggest part of your concern as a security person, and that you either need to seriously invest in more AppSec people to keep up with the developer population, or you need to get developers looking for AppSec issues during code review.
So, how does one do that?
We'll lay out the problem space in a bit more detail, covering some of the issues described in our BlackHat EU talk, and then we'll move on to how we solve this.
We'll talk about the OWASP Application Security Curriculum project, its goals, ambitions, and milestones, as well as the current artefacts.
We'll then talk about how you get developers engaged in the education programme and how we leverage other OWASP projects (like Cornucopia and the ASVS) to make it all fit together.
Grant Ongers (rewtd)
Co-founder of Secure Delivery and current OWASP Global Foundation board member, Grant Ongers (@rewtd) is a firm believer in security enabling delivery, not blocking it. Well known in the international InfoSec community (it's hard to forget the beard!), his 10+ years of experience in Dev, 20 years in Ops and 30 years in Sec (mostly white hat) have made him a firm believer that there's no such thing as DevSecOps, just DevOps done right, and that compliance != security (or the other way around). Alongside his role as CTO within Secure Delivery, Grant provides C-suite advice and guidance on security to FTSE100 enterprises and strategic risk analysis within M&A diligence teams.