Facilitating Application Security Maturity presented at OWASP AppSec Brasil 2010

by Jeremiah Grossman (WhiteHat Security)

Tags: Application Security

URL : http://www.owasp.org/index.php/AppSec_Brasil_2010#tab=Schedule

Summary : Over the last ten years a fast-growing number of organizations, from the largest of the large to the smallest of the small, have truly started to "get" Web application security. They are also learning that application security success does not happen overnight. Experience and results, especially results, take time. Some organizations have indeed demonstrated an ability to improve faster than others. The question is, how? What separates the leaders from the laggards is the way their teams use time and allocate resources to best facilitate application security maturity.

Having worked with hundreds of organizations, many of which are easily considered leaders in their industry, what I've found is a consistent set of stages that characterize where on the maturity continuum they are located. This insight is key. An application security professional's ability to quickly identify a given organization's current stage of maturity is vital. For example, a trusted advisor may give a new student different guidance from that given to a subject matter expert facing identical challenges. It is all about isolating needs, encouraging progression, and serving outcomes that are in the best interests of all involved. By sharing my related personal experiences I hope to facilitate the application security maturity of the entire industry.

Jeremiah Grossman: Jeremiah Grossman founded WhiteHat Security in August 2001. A world-renowned expert in Web security, Mr. Grossman is a founder of the Web Application Security Consortium (WASC), and was named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA Conference, ISACA, CSI, InfoSec World, OWASP, ISSA, and Defcon, as well as at a number of large universities. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense. Mr. Grossman is frequently quoted in major media outlets such as USA Today, the Washington Post, The Financial Times, InformationWeek, InfoWorld, PC World, Dark Reading, SC Magazine, CNET, CSO and NBC News. He frequently alerts the media community to the latest attacks and is not only able to offer in-depth commentary, but also to provide his perspective on what's to come. Mr. Grossman was named a "friend of Google" and is also an influential blogger (www.jeremiahgrossman.blogspot.com) who offers insight and encourages open dialogue regarding current research and vulnerability trend information. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of websites. Before Yahoo!, Mr. Grossman worked for Amgen, Inc.