Andre Gironda will be back in Phoenix to present some great information
about using OWASP resources to build an effective Application Security
lifecycle/program, followed by SUNSEC Happy Hour at Casey Moore's, at
7:30!

Using ASVS with the Code Review Guide, Testing Guide, and Time Management

The
OWASP Application Security Verification Standard (ASVS), which defines four
levels of web application security verification, lays down a framework
for security architecture review. While the ASVS includes many
requirements for controls, it does not suggest which tools, techniques,
timeline or methodologies to utilize. The OWASP Code Review and Testing
Guides provide the technical practices and suggest or hint at tools,
but also lack the timeline and methodology necessary to complete an
application penetration test or SDLC integration project for proper
application security hygiene.
This presentation will provide the
1000-foot view all the way down to the nitty-gritty details of how to
perform ASVS activities using OWASP resources, as well as some OWASP
and non-OWASP tools (freeware or demoware). Example timelines for
typical ASVS activities, including reports, will be discussed so that
any sort of application security project can be scoped properly,
delivered on time, and within budget.
Andre Gironda is an
application security specialist with a global security consulting firm
providing IT security services to the Fortune 500 and financial
institutions as well as U.S. and foreign governments. Prior to his
current employment, Andre held a number of payment application security
positions in addition to working for the largest online auction
website. He is currently a leader for the Open Web Application Security
Project (OWASP), where he co-produces the global OWASP News Podcast.