These are the Vulns You are Looking For: AppSec Champions & Jedi Mind Tricks

2021-09-24

Authors: John Dickson


Abstract

AppSec champions programs exist in virtually every organization that builds a great deal of software and is security paranoid. These programs use informal influence and the art of persuasion to get software developers to write more secure applications. Many programs originate from the bottom up and lack strong organizational mandates – that's where the Jedi mind tricks come in. AppSec champions programs may be widely implemented, but in general there is a lack of data on what organizations are actually doing in the field. The results of a nine-month research survey attempt to change that, with first-ever data on the common denominators of leading-edge AppSec champions programs published. The structured research project involved 26 of the most innovative AppSec programs. Many, if not most, were operating in isolation with no benchmarking data or widely understood best practices.

This session will identify the common denominators that we observed among the survey respondents, including emerging best practices around the identification and recruiting of champions, how security organizations trained champions, and how they communicated with champions in the field. Finally, return-on-investment responses are included to provide insight into how organizations are measuring the success of their programs.

This data supports certain recommendations about how security leaders should further build these programs to get upstream of the "vulnerability production engine" that creates additional attack surface. An emphasis will be placed on how attendees can take the survey results and use them as further justification for their own programs.

We're not remotely close to solving the secure development problem. AppSec champions help win the hearts and minds of developers, who are ultimately the ones who solve this issue. The hope is that, armed with AppSec champions numbers and best practices, attendees will be better equipped to help their development colleagues through AppSec champions programs.

Materials: