Creating AppSec Teams

Original Working Session content: Creating AppSec Teams


Synopsis and Takeaways

Considerations for reaching new AppSec Professionals

  • Consultants can help sell the need for AppSec
  • Make an evidence-based business case; fear-mongering is not constructive
  • Security function needs to provide value
  • Case study mentioned: change the culture of security
    • To become the most secure organisation
    • Run exercises to identify potential security champions
    • Trained in security and in peer-to-peer working (“influencers”)
    • Colleagues want to become like this and the effect snowballs
    • Approach originally developed by ETNA
  • Goal of security team is to close the gap between security and development
  • Who owns the WAF: operations or AppSec?
  • Ultimate goal of security is to reduce risk
  • Required skills: coding, InfoSec, risk, social
  • Universities teach GCHQ-style security courses, not AppSec
  • The hardest skill to acquire is development; AppSec is not a role for fresh graduates
  • Source AppSec team from within development community
  • Secure code is an output of great developers
  • Security champion is a developer who can teach, be a role model, an agent for culture change, and is trained in security; give them a career roadmap
  • Instill “love” for security from a young age (8-13)
  • Kids see hacking as how to break things; we should tell them it is about building things properly. Hacking is part of the journey, but it needs to be fun
  • Create fun activities within an organisation by blue and red teams war-gaming

“Education early and over a lifetime”
