I have given talks on a variety of different topics and would be happy to do so for your event or group as well.
For OWASP or other non-profit chapters I will generally do this for free, but for corporate, private or paid/for-profit events that may not be possible.
When I am travelling for work, I often try to reach out to the local OWASP chapter to see if they would like me to speak for them, and I have also done a number of virtual talks for OWASP chapters, including Morocco and Luxembourg.
There are a number of key areas which I have experience in and have pre-prepared materials for. Let me know which makes the most sense for you or if you have other areas of interest.
OWASP Application Security Verification Standard (ASVS)
The OWASP ASVS is a security requirements standard which can be used to build software securely and to verify that this has been done. It is designed to provide developers and assessors with a comprehensive software security blueprint.
I am one of the co-leaders on the project and have been heavily involved in the 4.x version and the upcoming 5.x version.
I generally talk about:
- The context of the project among other OWASP projects
- How the project is structured
- Key/interesting requirements in the project
- Suggested use-cases
- How people can get involved
- The plan for version 5.0
What is OWASP?
Recently I have found that a lot of developers and even security professionals are less familiar with the scope of what OWASP can offer and especially the benefits that membership can bring.
I have been involved with a number of projects and global events as well as my local chapter, so I am in a good position to help people understand this better and give them good ideas for resources that can help them in their day jobs.
OWASP resources that I highlight include:
- A simple outline to get you started in software security.
- Comprehensive requirements to use as a security baseline.
- Detailed guides on how to write secure code in various languages and situations.
- Sample vulnerable applications you can use to challenge your security knowledge.
- A community of security experts who are usually happy to answer questions and help out.
- And more…
Tune your Toolbox for Velocity and Value
You bought the application security tools, but now what? Many organizations find themselves drowning in “possible vulnerabilities”, struggling to streamline their processes and not sure how to measure their progress.
If you are involved in using automated scanners, such as SAST, DAST or SCA tools, in your organization, these feelings may be familiar to you.
In this talk, I will give you ideas on how to streamline your implementation and automation to focus on what matters most. We’ll also discuss what to consider when designing the manual processes and tasks around the automation so that you get more value in less time.
You will leave with a much better understanding of these security tools, as well as ideas for improving processes and adding value that you can take and apply in your own organization.
How to get the best AppSec test of your life
The Internet is full of advice on delivering a better pen test. That’s great, but what if you are the one arranging or receiving the test? In this talk, I want to use my experience of scoping and delivering these tests to give you, the recipient, ideas on how to get the best value from AppSec tests.
I will talk about how you can “hack your test” to better tailor it to your needs, how you can be best prepared for a smooth test and how you can make sure the report is focused and actionable.