AppSec Awareness: A Blue Print for Security Culture Change presented at Converge 2016

by Chris Romeo,

Summary : How does an individual change the application security culture of an organization? By designing and deploying an application security awareness program that contains engaging content, humor, and recognition. Application security awareness is part security knowledge, part lessons learned from history, and action to improve security into the future. Each company has an application security culture, but most of them need a boost. Come and experience a successful blue print for how you can build an application security awareness program of your own. The content is based on five years of real life experience implementing application security awareness in a large enterprise reaching 30,000 people. Go beyond traditional security awareness, and dive deep into changing the DNA of those who code, test, and deploy applications within their organization. The session uses the illustration of building a house, with six points used to show the ideal way to construct a successful application security awareness program. We move from answering what is application security awareness, to providing the details for how anyone can build a program of their own. This advice is from real life experience; this is how we did it, and how anyone in the audience can use this blue print to deploy their own program. The six blueprints are: Mission: how to define and build a team to support Program architecture: design a program that covers all roles and recognizes achievements, on a budget Curriculum: what to teach, and how to decide what to include Humor: how to use humor to engage the audience Content Creation: how to build application security learning that people want to enjoy Tools: things you can add to enhance the program's organizational visibility