growing up appsec and asvs
Growing up AppSec
As an App Dev services provider
Vibhor Mahajan
• Tech Arch @ Trantor
– Member of the ACE, SEPG & PMO
• I Contribute to
– Null & OWASP Chd
– Scrum Alliance Agile Chd
• I Love
– Traveling
– Beauty in Code
– Software Engineering
Mission Secure Chandigarh
• Be Safe Online
• Make Safe Online
We can keep talking about the problem
https://flic.kr/p/h1dxBm
AppSec @ Trantor
Coaching
• Call to the good will of developers
• Interesting tech talks
• Developed a group of mentors/trainers
Addition to Quality Manual
• A push from top down to "do AppSec"
Good luck enforcing it
Rock Bottom is a Beautiful Start
https://flic.kr/p/a2dQ2T
ACE Group Maturity Model
Challenges and Lessons
• Each of your customers will have their own way of working, and you cannot enforce a single standard on them
• What gets measured gets managed
• You can call on good will, but it is never a guarantee
• People will follow the crowd
Introduction to OWASP ASVS
• OWASP Flagship project
• Started in 2009
• 3 levels of maturity
– Basically a curated checklist of all the good practices that you have known all along
• Collection of practical advice on implementation
Maturity Levels
• ASVS Level 1 (opportunistic) is meant for all software
• ASVS Level 2 (standard) is for applications that contain sensitive data, which requires protection
• ASVS Level 3 (advanced) is for the most critical applications - applications that perform high value transactions, contain sensitive medical data, or any application that requires the highest level of trust
Uses of OWASP ASVS
• Use as a metric
• Use as guidance
• Use during procurement
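Using ASVS "as a metric" means scoring an application's verification results against the levels described above. ASVS levels are cumulative (Level 2 includes every Level 1 requirement, Level 3 includes everything), so an application only reaches a level when all requirements at or below it have been verified. The following script is an added example, not part of the talk or of the OWASP project: the requirement IDs (REQ-01 and so on), their texts, and the verification results are constructed placeholders, not real ASVS requirement numbers, and the `Requirement`, `coverage`, `achieved_level` and `gaps` names are this example's own.

```python
"""Score verification results against cumulative ASVS-style maturity levels.

Added example (not from the talk). Requirement IDs and texts below are
constructed placeholders, not real ASVS requirement numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str
    level: int   # lowest ASVS level at which the requirement applies (1..3)
    text: str


# Constructed checklist; placeholder IDs, not real ASVS item numbers.
CHECKLIST = [
    Requirement("REQ-01", 1, "Authentication forms are served only over TLS"),
    Requirement("REQ-02", 1, "Session tokens are invalidated on logout"),
    Requirement("REQ-03", 2, "Passwords are stored with an adaptive hash"),
    Requirement("REQ-04", 2, "Access control is enforced on the server side"),
    Requirement("REQ-05", 3, "High-value transactions require re-authentication"),
]

# Constructed verification results for one application:
# True = verified, False = failed, missing = not yet checked.
RESULTS = {
    "REQ-01": True,
    "REQ-02": True,
    "REQ-03": True,
    "REQ-04": False,
}


def requirements_for_level(checklist, level):
    """Levels are cumulative: Level N includes every requirement tagged N or lower."""
    return [r for r in checklist if r.level <= level]


def coverage(checklist, results, level):
    """Fraction of the cumulative requirements for `level` that passed (0.0..1.0)."""
    reqs = requirements_for_level(checklist, level)
    if not reqs:
        return 1.0
    passed = sum(1 for r in reqs if results.get(r.req_id) is True)
    return passed / len(reqs)


def achieved_level(checklist, results):
    """Highest level whose cumulative requirements are all verified; 0 if none."""
    achieved = 0
    for level in (1, 2, 3):
        if coverage(checklist, results, level) == 1.0:
            achieved = level
        else:
            break   # a higher level cannot be met if a lower one is not
    return achieved


def gaps(checklist, results, target_level):
    """Requirement IDs still blocking `target_level` (failed or not yet checked)."""
    return [
        r.req_id
        for r in requirements_for_level(checklist, target_level)
        if results.get(r.req_id) is not True
    ]


if __name__ == "__main__":
    print("Achieved level:", achieved_level(CHECKLIST, RESULTS))
    for lvl in (1, 2, 3):
        print(f"Level {lvl} coverage: {coverage(CHECKLIST, RESULTS, lvl):.0%}")
    print("Gaps for Level 2:", gaps(CHECKLIST, RESULTS, 2))
```

The `gaps` list is what turns the metric into a backlog: each unverified or failed requirement for the next target level is a concrete work item, which is what makes the standard usable both for measuring a team and for guiding it.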
Let’s take a look at the Checklist
Resources
Application Security Verification Standard https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project