Growing up AppSec
As an App Dev services provider
Vibhor Mahajan, Tech Arch @ Trantor
- Member of the ACE, SEPG & PMO
- I contribute to:
  - Null & OWASP Chandigarh
  - Scrum Alliance Agile Chandigarh
- I love:
  - Traveling
  - Beauty in code
  - Software engineering
Growing Up AppSec and ASVS
Mission Secure Chandigarh
- Be Safe Online
- Make Safe Online
We can keep talking about the problem
https://flic.kr/p/h1dxBm
AppSec @ Trantor
Coaching
- Call on the good will of developers
- Interesting tech talks
- Developed a group of mentors/trainers
Addition to Quality Manual
- A push from the top down to "do AppSec"
Good luck enforcing it
Rock Bottom is a Beautiful Start
https://flic.kr/p/a2dQ2T
ACE Group Maturity Model
Challenges and Lessons
- Each of your customers will have their own way, and you cannot enforce a standard
- What gets measured gets managed
- You can call on good will, but it is never a guarantee
- People follow the crowd
Introduction to OWASP ASVS
- OWASP Flagship project
- Started in 2009
- 3 levels of maturity
- Basically a curated checklist of all the good practices that you have known all along
- Collection of practical advice on implementation
Maturity Levels
- ASVS Level 1 (opportunistic) is meant for all software
- ASVS Level 2 (standard) is for applications that contain sensitive data, which requires protection
- ASVS Level 3 (advanced) is for the most critical applications: applications that perform high-value transactions, contain sensitive medical data, or any application that requires the highest level of trust
Uses of OWASP ASVS
- Use as a metric
- Use as guidance
- Use during procurement
Let's take a look at the Checklist
Resources
Application Security Verification Standard
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project