Talks

I have given talks on a variety of different topics and would be happy to do so for your event or group as well.

Here you can see a breakdown of talks and training I have previously given.

Here you can see a list of my upcoming events.

For OWASP or other non-profit chapters I will generally do this for free, but for corporate, private or paid/for-profit events that may not be possible.

When I am travelling for work, I often try to reach out to the local OWASP chapter to see if they would like me to speak for them. I have also done a number of virtual talks for OWASP chapters, including Morocco and Luxembourg.

There are a number of key areas in which I have experience and for which I have prepared materials. Let me know which makes the most sense for you, or if you have other areas of interest.

Topics List:

  1. OWASP Application Security Verification Standard (ASVS)
    1. Introduction to the ASVS
    2. Sustainable Security Requirements with the ASVS
  2. What is OWASP
  3. Tune your Toolbox for Velocity and Value
  4. How to get the best AppSec test of your life
  5. The Real AppSec Issues

OWASP Application Security Verification Standard (ASVS)

The OWASP ASVS is a security requirements standard which can be used both to build software securely and to verify that this has been done. It is designed to provide developers and assessors with a comprehensive software security blueprint.

I am one of the co-leaders of the project and have been heavily involved in the 4.x version and the upcoming 5.x version.

Introduction to the ASVS

In this talk, aimed at anyone involved in software development, I generally cover:

  • The context of the project among other OWASP projects
  • How the project is structured
  • Key/interesting requirements in the project
  • Suggested use-cases
  • How people can get involved
  • The plan for version 5.0

Example video focused on current ASVS 4.0

Example video looking forwards to ASVS 5.0

Sustainable Security Requirements with the ASVS

This talk is more detailed and aimed at software architects, developers, product managers and software engineering leaders.

In this talk I go into more detail about how to use the ASVS to develop security requirements for applications in a consistent and sustainable way.

I usually talk about how to:

  • Get buy-in for security at the requirements stage
  • Balance trade-offs and prioritize different security requirements
  • Trim the ASVS to focus on your current context
  • Make the process repeatable and maintain a view of security state

Example video of this talk

What is OWASP

Recently I have found that a lot of developers and even security professionals are less familiar with the scope of what OWASP can offer and especially the benefits that membership can bring.

I have been involved with a number of projects and global events as well as my local chapter, so I am in a good position to help people understand this better and give them ideas for resources that can help them in their day jobs.

OWASP resources that I highlight include:

  • A simple outline to get you started in software security.
  • Comprehensive requirements to use as a security baseline.
  • Detailed guides on how to write secure code in various languages and situations.
  • Sample vulnerable applications you can use to challenge your security knowledge.
  • A community of security experts who are usually happy to answer questions and help out.
  • And more…

Tune your Toolbox for Velocity and Value

You bought the application security tools, but now what? Many organizations find themselves drowning in “possible vulnerabilities”, struggling to streamline their processes and not sure how to measure their progress.

If you are involved in using automated scanners such as SAST, DAST or SCA tools in your organization, these feelings may be familiar to you.

In this talk, I will give you ideas on how to streamline your implementation and automation to focus on what matters most. We’ll also discuss what to consider when designing the manual processes and tasks around the automation so that you get more value in less time.

You will leave with a much better understanding of these security tools, as well as ideas for improving processes and adding value that you can take and apply in your own organization.

How to get the best AppSec test of your life

The Internet is full of advice on delivering a better pen test. That's great, but what if you are the one arranging or receiving the test? In this talk, I use my experience of scoping and delivering these tests to give you, the recipient, ideas on how to get the best value from AppSec tests.

I will talk about how you can "hack your test" to better tailor it to your needs, how you can be well prepared for a smooth test, and how you can make sure the report is focused and actionable.

Example video of this talk

The Real AppSec Issues

This is a talk for people looking for more strategic thinking about Application Security.

Application Security weaknesses have been behind a number of recent breaches. We hear all sorts of perspectives about the key issues to be concerned about, but are they telling the whole story?

In this talk I explore some of the real AppSec issues that I have observed from talking to people and organizations across the industry, and give my advice for addressing them. The key theme throughout is that focusing on tactical AppSec vulnerabilities without considering the broader picture prevents organizations from addressing this area of security in an effective and sustainable way.