Building An In-House Application Security Assessment Team presented at OWASP Appsec 2009

by Keith Turpin (Boeing)

Tags: Risk


Summary: Like many companies, Boeing historically relied on contracted security vendors to provide various IT security assessments. However, as part of taking a more proactive approach to application security, Boeing decided to bring this service in-house and build an internal assessment team. We learned a lot about what it takes to run an effective team, and some of our lessons may be useful to others who are trying to establish their own teams. This discussion covers the full life cycle, including intake processes, risk analysis, standardizing findings and remediation, designing and issuing reports, and managing corrective actions. I also touch on other issues such as metric reporting and integration with secure software development teams.