Data-Driven AppSec Champions Programs – Benchmarking Your Program with Numbers - John Dickson

Published: 4 November 2024
on the channel: OWASP Foundation

Speaker
John Dickson
Coalfire, Vice President

Description
AppSec champions programs exist in virtually every organization that builds a ton of software and is security paranoid. These programs use informal influence and the art of persuasion to get software developers to write code with fewer security vulnerabilities. Many programs originate from the bottom up and lack strong organizational mandates – that’s where the Jedi mind tricks come in.

AppSec champions may be widely implemented, but in general there is a lack of data on what organizations are actually doing in the field. The results of a 9-month research survey project attempt to change that, with first-ever data of common denominators of leading-edge appsec champions programs published. The structured research project involved 26 of the most innovative appsec programs, all of which had an appsec champion program. Many, if not most, were operating in isolation with no competitive data or widely understood best practices.

This session will identify the common denominators that we observed in the survey responses, including emerging best practices around recruiting appsec champions, how security organizations trained champions, and how they communicated with champions in the field. Finally, return-on-investment responses are included to provide insight into how organizations are measuring success around their programs.

This data will support certain recommendations about how security leaders should further build these programs to get upstream of the “vulnerability production engine” that creates additional attack surface. An emphasis will be placed on how attendees can take the survey results and use them as further justification for their own programs.

We’re not remotely close to solving the secure development problem. AppSec champions help win the hearts and minds of developers who are ultimately the ones who solve this problem. The hope is that armed with appsec champions numbers and best practices, attendees will be better equipped to help their development colleagues via AppSec champions programs.

Managed by the OWASP® Foundation
https://owasp.org/