Workshop: Building an AppSec Program with OWASP

Explore the OWASP universe and how to build an application security program with a budget of $0. Experience a practitioner's guide for how to take the most famous OWASP projects and meld them together into a working program. Projects are broken down into awareness/process/tools, with an explanation of the human resources required to make this successful.

This course is a one-day training where there is a mixture of a lecture on a specific segment of OWASP projects, and then a practical exercise for how to use that project as a component of an application security program.

The first group of projects is training/education. These projects focus on high-level knowledge, methodology, and training for the application security program. This group includes OWASP Top 10, OWASP Proactive Controls, cheat sheets, and training apps (Juice Shop, DevSlop, and WebGoat). Discussions focus on the process of raising awareness with knowledge/training and building out a program. The practical portion includes discussion of rolling out proactive controls and hands-on time with JuiceShop.

The second group is process/measurement. These focus on requirements, code review, best practices, development libraries, and building software without known vulnerabilities. This group includes ASVS, SAMM, threat modeling, Code Review guide, and the testing guide. The end-to-end world of the developer is explored, from requirements through writing code. The working portion includes using ASVS to assess a sample app, threat modeling a sample app, and using SAMM for a sample assessment.

The third group is tools. This group focuses on tools, including the testing guide, Dependency Check, Threat Dragon, CRS, and ZAP. The testing approach and touch points are discussed, as well as a high-level survey of the tools. The working portion includes using ZAP to scan a sample application.

All of these tools work together to form the basis of an application security program with a budget of $0 except for the people resources to implement. This class teaches the projects to use as well as how to use them, with practical, hands-on experience.

Audience:
The audience for this session is two-fold. The first group is those that are interested in building an application security program using the various tools and documents available from OWASP. The second group is those that want to experience multiple OWASP tools and materials and use them in practical exercises.

Prerequisites:
Participants should have a foundational understanding of application/product security.

Computer Setup:
Bring a computer for executing the lab exercises. Participants should download the OWASP Proactive Controls, ASVS, SAMM, and ZAP.