Starting an AppSec Program: An Honest Retrospective

Presented at LocoMocoSec 2018, April 6, 2018, 3:50 p.m. (40 minutes)

This talk will cover the lessons learned from a 2-year journey starting an appsec program at a small-medium sized company that previously had no security program. This will be an honest look at what worked, what didn't work, as well as a follow-up analysis. There will be plenty of stories, common sense perspective, as well as discussion around goal-setting and execution. This will be the talk I wish I had two years ago when I was starting this adventure.

Presenters:

• John Melton - Oracle, NSBGU
  John is currently a principal member of technical staff at Oracle, NSBGU. His previous positions have been focused on secure software engineering, in the technology, financial and defense sectors. He also volunteers at OWASP, working primarily on the AppSensor project.

Links:

• https://locomocosecurityconference2018.sched.com/event/BPCq/starting-an-appsec-program-an-honest-retrospective
• https://infocon.org/cons/LocoMocoSec/LocoMocoSec 2018 Kona/John Melton Starting an AppSec Program An Honest Retrospective.mp4
• https://infocon.org/cons/LocoMocoSec/LocoMocoSec 2018 Kona/John Melton Starting an AppSec Program An Honest Retrospective.eng.srt (subtitles)

Similar Presentations:

• AppSec USA 2015 / Doing AppSec at Scale: Taking the best of DevOps, Agile and CI/CD into AppSec.
• BSides Austin 2016 / Taking AppSec to 11: AppSec Pipelines, DevOps and Making Things Better
• AppSec USA 2013 / How To Stand Up an AppSec Program - Lessons from the Trenches