Francesco Cipollone
Application Security Vulnerability Framework - measurements, maturity magic - Vulnerability Framework Project
Abstract
Software vulnerability scanning is becoming more and more complex.
The number of false positives is piling up, applications are hard to trace back to their owning teams, and security champions are helping. Still, modern application security teams need a systematic approach to triage, measure and tackle the sea of vulnerabilities.
We explore metrics, methodologies and measurements in this talk.
The project is a candidate OWASP project with several contributors.
Longer:
Audience
- application security
- head of application security
- product security
- security engineers
Software scanning is becoming quite widespread, but what to do with vulnerabilities?
What is good enough? How wide should the scope be?
Several frameworks are currently available to push application security maturity forward, like DSOM and SAMM.
Vulnerability management and triage of defects are complex processes that are often overlooked.
This talk presents the vulnerability maturity model and how to evolve an application and vulnerability management program.
SLAs and OKRs are the most popular methods for measuring, and we will explore the pros and cons of some of those methods.
We will also explore maturity models around those methods and when to introduce what.
The project is a candidate OWASP project with several contributors.
Take away:
- Learning how to start measuring an application security program
- Understanding the various steps of triage and how to measure progress
- metrics for an application security program
- how to create a narrative around security with product security
- how to involve management/business on heartbeat of application security
- how to automate triage and start measuring risk
Contextualize, prioritize and ACT on risk.
——
https://phoenix.security/