Details

OWASP Vancouver May meetup double header, featuring:
_____________________________________________________________________
6-7pm: Build more secure apps by harnessing the power of OWASP SKF & ASVS on Kubernetes
Abstract: Did you know the OWASP Application Security Verification Standard (ASVS) can be used as a set of application security requirements? Do you know what the Security Knowledge Framework (SKF) is, and how you can use it to manage your application security requirements and train developers? Are you curious what it takes to deploy a containerized application like SKF into Kubernetes? Do you want to harness the full potential of an open Application Security Verification Standard for a more secure SDLC? This talk will address these questions and more! Discover the power of OWASP’s ASVS and SKF running on Kubernetes.

OWASP ASVS is the open application security standard for designing, building, and testing application security controls – and it is baked right into OWASP SKF. During our talk we will highlight the integration between the two projects, show how to start using SKF to learn and manage ASVS requirements, and demo a few relevant SKF Labs.

A GitHub repo will be released prior to the session with the tools and scripts to set up and deploy OWASP SKF using 1) “minikube” on a single EC2 instance with “terraform” and 2) a complete ‘from scratch’ AWS Kubernetes cluster configured with “kops” and “terraform”.

We believe the OWASP SKF and ASVS projects have a lot of potential, and we hope to foster some additional community attention and contributions.

Speakers
Farshad Abasi: An innovative technologist with over twenty years of experience in security, software design and development, network and system architecture and management. Farshad spent a decade as a senior member of HSBC’s IT security team and currently leads OWASP’s Vancouver chapter. (Designations & Certifications: CISSP, AWS Security Professional)
Kurt Hundeck: Kurt is a seasoned cybersecurity professional with twenty years of experience developing and securing software systems. He has attended many security conferences (DEFCON, Blackhat, HOPE) and is continuously learning. Kurt is eager to see your code and to help you navigate the complex topic of Application Security. (Designations & Certifications: CISSP, GCSA)

______________________________________________________________________
7-8pm: OWASP SAMM v2.0 and Benchmarking with Brian Glas
Learn more about how the OWASP Software Assurance Maturity Model (SAMM) can be used to build and grow software assurance in an organization. We'll walk through the features of SAMM v2.0 and the future of SAMM Benchmark that we are currently developing to provide measurement capabilities and comparisons for SAMM participants.

Speaker
Brian Glas has worked in IT for 20 years and Information/Application Security for the last fifteen. I started as an Enterprise Java Developer; then transitioned to helping build an Application Security program as both tech lead and manager. I later played the role of Enterprise Architect and did a little incident response and reverse engineering malware for fun. I then spent a number of years as a consultant helping clients build AppSec Programs, perform SAMM Assessments, create/update SDLCs, and other related initiatives. I worked on the Trustworthy Computing team at Microsoft for a period, and am currently an Assistant Professor of Computer Science teaching Computer Science and Cybersecurity. I have been one of the project leads and an active contributor to SAMM v1.1-2.0+ and OWASP Top 10 2017+. I have previously spoken at numerous meetings and conferences over the years.