Log in
  • Home
  • vCISO Roundtable with Phoenix Security

vCISO Roundtable with Phoenix Security

  • 15 Mar 2023
  • 12:00 - 13:00
  • Zoom

Francesco Cipollone

Application Security Vulnerability Framework - measurements, maturity magic - Vulnerability Framework Project


Software vulnerability scanning is becoming more and more complex. 

The number of false positives is piling up, application struggle to trace teams, and security champions are helping. Still, modern application security teams need a systematic approach to triage, measuring and tackle the sea of vulnerabilities. 

We explore metrics, methodologies and measurements in this talk.

The Project is a candidate OWASP project with several contributors 



  • application security
  • head of application security
  • product security
  • security engineers 

Software scanning is becoming quite widespread, but what to do with vulnerabilities? 

What is good enough? How wide should the scope be? 

Several frameworks are currently available to push application security maturity forward, like DSOM and SAMM. 

Vulnerability management and triage of defects are often overlooked, and complex processes that is often overlooked.

Presenting in this talk the vulnerability maturity model and how to evolve an application and vulnerability management program

SLA and OKR are the most popular method for measuring, and we will explore the pros and cons of some of those methods

we will also explore maturity models around those methods and when to introduce what.

The Project is a candidate owasp project with several contributors 

Take away:

  • Learning how to start measuring an application security program
  • Understanding the various step of triage and how to measure progress
  • metrics for an application security program
  • how to create a narrative around security with product security
  • how to involve management/business on heartbeat of application security 
  • how to automate triage and start measuring risk

Contextualize prioritize and ACT on risk





Copy 2023 vCISO Catalyst
Powered by Wild Apricot Membership Software