SecAppDev 2020 Lecture Details

From the OWASP Top Ten(s) to the OWASP ASVS

Jim Manico
Monday March 9, 14:00 - 15:30
Short description

This talk will describe the importance of the OWASP Application Security Verification Standard and how to use it effectively in your organization or project for secure development.

Abstract

Some people are under the misconception that if they follow the OWASP Top 10 they will have secure web applications. In reality, the OWASP Top Ten (and other top ten lists) are just the bare minimum that at best provides entry-level general awareness. A more comprehensive understanding of application security is needed.

This talk will review the OWASP Top Ten 2017 and the OWASP Top Ten Proactive Controls 2018 and compare them to the more comprehensive OWASP Application Security Verification Standard (ASVS) v4.0. OWASP's ASVS contains over 180 requirements that can provide a basis for defining what secure software really is. The OWASP ASVS can be used to help test the technical security controls of web and API applications. It can also be used to provide developers with a list of requirements for secure development with much more nuance and detail than a top ten list! You cannot base a security program on a Top Ten list. You can base an application security program on the OWASP ASVS.

Key takeaway

The participant will take away a usable strategy to apply the Application Security Verification Standard to their organization's secure development of web and API applications.

Content level

Introductory

Target audience

Anyone building, designing or securing web applications

Prerequisites

None



Jim Manico

CEO, Manicode Security

Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences, and BitDiscovery. Jim is a frequent speaker on secure software practices, is a Java Champion, and is the author of "Iron-Clad Java - Building Secure Web Applications" from Oracle Press. Jim also volunteers for OWASP as the project co-lead for the OWASP ASVS and the OWASP Proactive Controls.



Related security activities sessions

Automated software testing and verification

Lecture by Jan Tobias Muehlberg

Discover a technology stack that allows us to construct distributed software systems with well-defined security guarantees. We will address testing, formal verification, and runtime isolation.

Security activities Thursday March 12, 16:00 - 17:30

Story-driven threat modeling for the Agile-DevOps age

Lecture by Abhay Bhargav

Find that your threat modeling is outmoded, outdated and out of touch with your rapid-release app? Learn how you can change that with "story-driven threat models", where you threat model within your Agile sprint and iterative SDLC.

Security activities Thursday March 12, 14:00 - 15:30

Application security seen from an enterprise level

Lecture by Stefaan Van Daele

Developing secure code is a good start, but what more could you do to improve your security posture? The session puts secure application development in the context of an Enterprise Security Architecture model and shows how the two relate to each other.

Security activities Thursday March 12, 16:00 - 17:30

Persona-based security and threat-modeling

Lecture by Deepak Subramanian

The session will include a presentation about persona-based security leading to persona-based threat modeling. If time permits, a small exercise will be held to build a persona-based organizational threat model.

Security activities Tuesday March 10, 16:00 - 17:30