AppSec Europe 2016 has ended


CISO
Thursday, June 30


Security Project Management: how to be Agile in Security Testing projects
"Order or disorder depends on organization," wrote Sun Tzu centuries ago. Organization in managing a Security Testing project is fundamental. The rise of Agile methodologies for IT Software Development and continual Business Changes produce challenging deadlines for Deployment and for Security Testing. But Security requirements have to be considered a Must and have to be fulfilled: if there are vulnerabilities, the software – often – will not get the "go" for production. The Secure Software Development Life Cycle and the Team have to adapt to specific needs and be planned accordingly, defining priorities, skills and a sound Business Case for Security Testing.
The role of the Project Manager - or Team Leader - is crucial. Practices like micro-management do not work and are counterproductive with skilled Penetration Testers. The Project Manager has to be a servant leader and a facilitator who enables the Testers to work smoothly, facilitates communication and removes impediments to the testing (and bureaucratic work) in order to meet the Security goals.
The workshop will describe - by examples - how to combine Agile Project Management methodologies such as the DSDM Agile Project Framework, tailored for Security Testing projects, with the OWASP Testing Guide, Top 10 and other de-facto standards for IT and Information Security, covering different aspects of the management of a Penetration Test such as the Business Case, Estimates, Risks and Quality.


Simone Onofri

Security Business Consultant, Hewlett Packard Enterprise
Simone is a Security Business Consultant for Hewlett Packard Enterprise and a Director of the DSDM Consortium. Simone has 13+ years of experience in the field of IT, serving customers in the EMEA area mainly for Security Testing and Incident Response projects with an innovative, practical...

Thursday June 30, 2016 11:35 - 12:20
Room C (Tiziano Ballroom Sec. 2)


Using Third Party Components for Building an Application Might be More Dangerous Than You Think
Today, nearly all developers rely on third party components for building an application. Thus, for most software vendors, third party components in general and Free and Open Source Software (FOSS) in particular, are an integral part of their software supply chain.

As the security of a software offering, independently of the delivery model, depends on all components, a secure software supply chain is of utmost importance. While this is true for both proprietary and FOSS components that are consumed, FOSS components impose particular challenges as well as provide unique opportunities. For example, on the one hand, FOSS licenses usually contain a very strong "no warranty" clause and no service-level agreement. On the other hand, FOSS licenses allow the source code to be modified and, thus, issues to be fixed without depending on an (external) software vendor.

This talk is based on our work on securely integrating third-party components in general, and FOSS components in particular, into SAP's Security Development Lifecycle (SSDL). Thus, our experience covers a wide range of products (e.g., from small mobile applications of a few thousand lines of code to large scale enterprise applications with more than a billion lines of code), a wide range of software development models (ranging from traditional waterfall to agile software engineering to DevOps), as well as multiple deployment models (e.g., on premise products, custom hosting, or

In this talk,
* we analyze and categorize the challenges and opportunities of the secure use of FOSS components in building proprietary enterprise software,
* we discuss the challenges in basing the decision to use FOSS on empirical research results, and
* we discuss three different cost models for using FOSS in a commercial software development process:
  - the centralized model, where vulnerabilities of a FOSS component are fixed centrally and then pushed to all consuming products (and therefore costs scale sub-linearly in the number of products)
  - the distributed model, where each development team fixes its own component and effort scales linearly with usage
  - the hybrid model, where only the least used FOSS components are selected and maintained by individual development teams
* we provide, based on our experience, a clear recommendation of minimal actions that should be followed when using third party components as part of a software development process.


Achim D. Brucker

The University of Sheffield
Dr. Achim D. Brucker (www.brucker.ch) is a Senior Lecturer and consultant at The University of Sheffield, UK, where he heads the Software Assurance & Security Research Team (logicalhacking.com). Until December 2015, he was a Research Expert (Architect), Security Testing Strategist...

Stanislav Dashevskyi

PhD student, University of Trento

Fabio Massacci

Deputy Head of Department, University of Trento
Fabio Massacci's research interests are the development of experimental and empirical methods for cybersecurity. Fabio has a PhD in computing from the University of Rome La Sapienza. He was the European coordinator of the Socio-Economics Meets Security (SECONOMICS; www.seconomics.org...

Thursday June 30, 2016 11:35 - 12:20
Room D (Tiziano Ballroom Sec. 3)


Open Source Approaches to Security for Applications and Services at Mozilla
At Mozilla, source exposure is a feature, not a bug. Adam Muntner discusses elements of Mozilla’s approach to securing the websites and services that support 400+ million Firefox users. These could be adopted by many types of organizations. 

- Why your bug bounty program is one of the best sources of intelligence for driving the future direction of your application security program. 
- Lessons learned from radical open sharing of design documentation. 
- Approaches to qualitative comparison of risk for an inventory of websites and services. 
- Using OpenSAMM in a DevOps organization. 
- Getting non-security engineers to help pentest by setting up a Red Team. 
- Maximizing the value gained from identified vulnerabilities. 


Adam Muntner

Security Engineer, Mozilla Corp
Adam Muntner works on the team that protects the websites and services which support 400+ million Firefox users. His current responsibilities include rethinking Mozilla's Application Security program, being Product Owner of Mozilla's Web Bug Bounty program, and breaking stuff. He...

Thursday June 30, 2016 12:25 - 13:10
Room D (Tiziano Ballroom Sec. 3)


OWASP CISO Survey Report – Tactical Insights for Managers
This presentation relates to the latest version of the OWASP CISO Survey Report project and its findings. The project surveyed hundreds of CISOs and senior security managers around the world about the latest trends and risks in security, and is compiling the OWASP CISO Survey Report 2015 based on that data. 

The main goal is to provide tactical intelligence, guidance and best practices on application and web security for senior managers. With a constantly evolving threat landscape threatening web applications tied to sensitive data and company information, CISOs are challenged on how best to mitigate these risks. Often risk decisions include the trade off between current and new web application security measures and where to invest. The proper investment in application security is critical to reducing security risks and meeting governance, security and compliance policies.


Tobias Gondrom

Global Board Member, OWASP
Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and was its chairman until December 2015. Until April 2015, he was leading a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and...

Thursday June 30, 2016 14:10 - 14:55
Room D (Tiziano Ballroom Sec. 3)



Julia Knecht

Manager, Security & Privacy Architecture, Adobe

Thursday June 30, 2016 15:00 - 15:45
Room D (Tiziano Ballroom Sec. 3)


Time for Addressing Software Security Issues: Prediction Models and Impacting Factors
Authors: Lotfi ben Othmane, Golriz Chehrazi, Eric Bodden, Petar Tsalovski, and Achim D. Brucker.

Finding and fixing software vulnerabilities has become a major struggle for most software-development companies. While generally without alternative, such fixing efforts are a major cost factor, which is why companies have a vital interest in focusing their secure software development activities such that they obtain an optimal return on this investment.

In this talk we present our work on the major factors that impact the time it takes to fix a given security issue, based on data collected automatically within SAP's secure development process, and we show how the issue fix time could be used to monitor the fixing process. In this work we used three basic machine-learning methods and evaluated their predictive power in predicting the time to fix issues. Interestingly, the generated prediction models indicate that the vulnerability type has only a small impact on issue fix time. The time it takes to fix an issue instead seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues.


Lotfi ben Othmane

Head of Department Secure Software Engineering, Fraunhofer SIT
Lotfi ben Othmane is currently the head of the Secure Software Engineering department at Fraunhofer SIT. He received his Ph.D. degree from Western Michigan University (WMU), USA, in 2010 and his M.S. degree from the University of Sherbrooke, Canada, in 2000. He worked on several...

Thursday June 30, 2016 17:05 - 17:50
Room D (Tiziano Ballroom Sec. 3)

Friday, July 1


Grow up AppSec: A case study of maturity models and metrics
How mature is your security practice? How do you show where your security services are weak and need to improve? We took a look at the current state of the art for security maturity models and were underwhelmed, they were either way too scientific, not scientific enough, or just didn’t feel right. We wanted a way to measure the maturity of the various services in our security organization, but hated everything out there. What were we to do? Like good security researchers, we decided to invent our own and put them to the test in a large enterprise organizational setting, while also trying to convince our friends and enemies that it was the best thing ever. 

This talk highlights the flaws in current maturity models and reveals a basic framework we have developed, using 7 critical measurements, to quickly assess a security program. We will talk through the pros and cons of our model, how we have adopted it, and where we see it going in the future. We will also take a specific deep dive into application-specific maturity models and metrics with exciting graphs and dashboards, with open source code and fancy executive spreadsheets freely available to all who dare to follow. 

We require this to be a collaborative session, so we are anticipating and demanding feedback, criticism, praise, and drinks for our efforts – enjoy!


Jon Rose

Agile Security, Dun & Bradstreet
Jon combines the innovation of an entrepreneur with the proven ability to lead Fortune 500 companies. With over 16 years of experience launching products, securing environments, training and educating technology teams, and building agile security organizations, Jon has...

Rohini Sulatycki

Director of Security Assessments, Dun & Bradstreet
Rohini specializes in application security, application penetration testing, mobile penetration testing, virtualization security assessments, network penetration testing and security code reviews. Rohini has conducted Secure Development Training classes for clients worldwide. Rohini...

Friday July 1, 2016 10:20 - 11:05
Room D (Tiziano Ballroom Sec. 3)


Grip on SSD: Dutch government standard for outsourcing secure software

This talk presents the method 'Grip on Secure Software Development': the result of a continuous cooperation between Dutch security experts, large software suppliers and government organisations. This method provides guidelines for clients and software suppliers to coordinate application security: discuss it, agree on it and control it.

More than 20 organisations are involved in this initiative, including the Dutch Tax office, IBM, Cap Gemini, the Ministry of the Interior and the Software Improvement Group.


Rob van der Veer

Principal consultant, Software Improvement Group
Rob van der Veer has an extensive background in building software and running software businesses. IT security has been a constant theme in his career, from hacking into the British RAF in 1986, to building big data solutions for national security. As principal consultant at the Software...

Friday July 1, 2016 14:10 - 14:55
Room D (Tiziano Ballroom Sec. 3)