Growing Up AppSec and ASVS

Post on 12-Apr-2017


Growing up AppSec

As an App Dev services provider

Vibhor Mahajan

• Tech Arch @ Trantor
– Member of the ACE, SEPG & PMO

• I contribute to
– Null & OWASP Chd
– Scrum Alliance Agile Chd

• I love
– Traveling
– Beauty in code
– Software engineering

Mission Secure Chandigarh

• Be safe online
• Make safe online

We can keep talking about the problem

https://flic.kr/p/h1dxBm

AppSec @ Trantor

Coaching

• Call on the goodwill of developers
• Interesting tech talks
• Developed a group of mentors/trainers

Addition to Quality Manual

• A push from top down to "do AppSec"

Good luck enforcing it

Rock Bottom is a Beautiful Start

https://flic.kr/p/a2dQ2T

ACE Group Maturity Model

Challenges and Lessons

• Each of your customers has their own way of working, so you cannot enforce a single standard on them
• What gets measured gets managed
• You can call on goodwill, but it is never a guarantee
• People follow the crowd

Introduction to OWASP ASVS

• OWASP flagship project
• Started in 2009
• 3 verification levels; basically a curated checklist of all the good practices you have known all along
• A collection of practical advice on implementation

Maturity Levels

• ASVS Level 1 (opportunistic) is meant for all software

• ASVS Level 2 (standard) is for applications that contain sensitive data, which requires protection

• ASVS Level 3 (advanced) is for the most critical applications - applications that perform high value transactions, contain sensitive medical data, or any application that requires the highest level of trust

Uses of OWASP ASVS

• Use as a metric
• Use as guidance
• Use during procurement
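Using ASVS as a metric only works if the cumulative nature of the levels is respected: Level 2 includes every Level 1 requirement and Level 3 includes every Level 2 requirement, so an application is only "at Level 2" when nothing applicable at Level 1 or Level 2 fails. The script below is an added example, not code from the deck or from OWASP; it scores a verification run against a constructed checklist and reports the highest level fully met plus the gaps to the next one. The requirement identifiers and wording are placeholders, not ASVS requirement IDs, and a requirement with no recorded result is counted as not verified (a fail), which is the conservative reading a procurement reviewer would want.

```python
"""Score ASVS verification results and report the highest level fully met.

Added example for this page (not from the original deck or from OWASP).
Assumptions: ASVS levels are cumulative (L2 contains L1, L3 contains L2);
a requirement with no recorded result is treated as failed; the requirement
identifiers and descriptions below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    ident: str        # constructed placeholder, not an ASVS requirement ID
    level: int        # lowest ASVS level at which the requirement applies (1..3)
    description: str  # constructed placeholder wording


# Constructed checklist; real ASVS entries are not reproduced here.
CHECKLIST = [
    Requirement("R-AUTH-01", 1, "Passwords stored with a salted, slow hash"),
    Requirement("R-SESS-01", 1, "Session token invalidated on logout"),
    Requirement("R-INPUT-01", 1, "All database access is parameterised"),
    Requirement("R-AUTH-02", 2, "Account lockout / throttling on failed logins"),
    Requirement("R-CRYPTO-01", 2, "Keys managed outside the application config"),
    Requirement("R-LOG-01", 3, "Security events logged with integrity protection"),
]


def applicable(level):
    """Requirements that must pass for the given level (levels are cumulative)."""
    return [r for r in CHECKLIST if r.level <= level]


def coverage(results, level):
    """Return (passed, total) for the requirements applicable at `level`.

    `results` maps requirement ident -> True/False; a missing entry is a fail.
    """
    reqs = applicable(level)
    passed = sum(1 for r in reqs if results.get(r.ident) is True)
    return passed, len(reqs)


def gaps(results, level):
    """Idents of requirements applicable at `level` that did not pass."""
    return [r.ident for r in applicable(level) if results.get(r.ident) is not True]


def highest_level_met(results):
    """Highest level whose applicable requirements all pass, or 0 if none."""
    best = 0
    for level in (1, 2, 3):
        passed, total = coverage(results, level)
        if passed != total:
            break  # a gap at this level also blocks every higher level
        best = level
    return best


def report(results):
    """Human-readable summary: per-level coverage, level met, next-level gaps."""
    lines = []
    for level in (1, 2, 3):
        passed, total = coverage(results, level)
        lines.append(f"Level {level}: {passed}/{total} applicable requirements pass")
    met = highest_level_met(results)
    lines.append(f"Highest ASVS level fully met: {met if met else 'none'}")
    if met < 3:
        lines.append(f"Gaps to Level {met + 1}: {', '.join(gaps(results, met + 1))}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed verification run: all L1 items pass, one L2 item fails,
    # and the L3 item was never verified.
    run = {
        "R-AUTH-01": True,
        "R-SESS-01": True,
        "R-INPUT-01": True,
        "R-AUTH-02": True,
        "R-CRYPTO-01": False,
    }
    print(report(run))
```

Tracked over time per project, the `coverage` numbers give the "what gets measured gets managed" signal the earlier slide asks for, while `gaps` turns the same data into the guidance list a team needs to move up a level.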

Let’s take a look at the Checklist

Resources

Application Security Verification Standard https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project