Details

Special Notice:

Due to the COVID-19 (Coronavirus) pandemic our events will continue online on our YouTube channel.

Subscribe to our YouTube channel, set a reminder and you’ll get a notification as soon as we go live!

We will post information here and on all our other media (email, Twitter, etc.) as we get closer to the date.

https://youtu.be/1yDYiPC_ykM

7:00 PM EDT Technical Talks

  1. Announcements

  2. Using OWASP Nettacker For Recon and Vulnerability Scanning

Abstract:
A company with a security program is sometimes like a mule with a spinning wheel. No one knows how they got it and damned if they know what to do with it.

If you're responsible for directing a security program - or lead the last line of defense against the onslaught of relentless risks - we need to talk.

  • When a new attack class appears, do you know what it means for your security?
  • When you're asked for your security priorities, how do you answer the inevitable question: "So what?"
  • When a new product is buzzing around the halls of R&D, how do you know where it fits in your security priorities?

This talk looks at the journey of being handed the keys to an information security program. We'll discuss our journey from controls-based SP800-53, to Maturity Models like BSIMM and ultimately deciding on Wardley Mapping for providing long-range guidance and short-term priorities to hundreds of technical staff across multiple continents developing national-security level software.

Wardley Mapping is a new technique for communicating situational awareness. Get good at this and you'll find yourself in the middle of everything from business to technical strategy. We'll show what Wardley Mapping is, and how applying it to security allows you to:

  • Determine what security activities address core user needs (and what don't!)
  • Decide what should be built and what should be bought
  • Understand what new shiny vulnerabilities and tools mean for your program
  • Structure your teams and decide their areas of responsibility

Bio:
John Duffy - Director, ID/Payment Security, Canadian Bank Note Company
If you have made an Interac purchase, bought a lottery ticket, been to a hospital or used your passport to cross a border – you have probably used my products.

I’ve been responsible for security and development work that protects hundreds of millions of people. Large-scale systems of government and high-end corporations located across 80+ countries in high-security environments.

I’m always fascinated with researching and understanding things at a deeper level. My work into secure networks was previously recognized by OCIPEP for outstanding research in security.

I’ve led teams that achieved a series of notable “Firsts”: First issued high-security ePassport, First issued Drivers Licence with printed digital signature and First general-public Mobile Drivers License (craft beer purchases with your phone!)

Sponsors

University of Ottawa

Venue

uOttawa-IBM CyberRange

Venue

Xanthus Security

Pizza

PacketLabs

SWAG!