Creating AppSec Teams


This Working Session will focus on how to create an AppSec team, a challenge which needs a strong mandate and strong executive support. Given the massive skills shortage in the AppSec industry, we need innovative solutions if we are going to create another 100,000 AppSec professionals worldwide. This Working Session will discuss and evaluate ways of creating and growing AppSec talent and teams.


  • What is the best way to create an AppSec team from scratch?
  • Common AppSec team structures
  • How to budget for AppSec teams
  • How to align with business objectives and priorities
  • Define AppSec team’s services and practices
  • The role of security champions
  • Using development-focused ‘AppSec Squads’ to help facilitate the creation, testing, and deployment of security fixes Identify gaps in our current meta staffing for AppSec.
  • How to scale AppSec training
  • The Role of security champions in creating the next generation of security professionals
  • Define audiences for future security professionals: Which industries should we approach to promote the idea of becoming security professionals (Developers, engineers, craftsmen, AI specialists, lawyers)? What level of career should we try to capture (early/mid/advanced)?
  • What is the role of early careerists?
  • What can be done at university/college level?
  • Should we capture people attending bootcamps and other non-traditional educational pathways?
    • ‘Ethical Hacking’ and ‘Bug Bounties’ have a tool to excite new members
  • How should OWASP work to reach these people?


Considerations for reaching new AppSec Professionals:

  • Consultants to help sell the need
  • Evidence based business case, but not constructive fear-mongering
  • Security function needs to provide value
  • Case study mentioned: change the culture of security - to become the most secure organisation - run exercises to identify potential security champions - trained in security and peer-2-peer working (“influencers”) - colleagues want to become like this and the effect snowballs - approach originally developed by ETNA
  • Goal of security team is to close the gap between security and development
  • WAF? operational or app sec?
  • Ultimate goal of security is to reduce risk
  • Required akills: coding, infosec, risk, social
  • Universities are teaching GCHQ type security course, not app sec
  • Hardest skill is development - appsec is not for graduates
  • Source appsec team from within development community
  • Secure code is an output of great developers
  • Security champion is a developer who can teach, role model, culture changer, and trained to do security, give them a career roadmap
  • Install “love” for security from young age (8-13)
  • Kids see hacking as how to break things - we have to tell them it’s about building things properly, but hacking is part of the journey - but it needs to be fun
  • Make fun within organisation by blue and teams wargaming

“Education early and over a lifetime”


The target audience for this Working Session is:

  • AppSec professionals
  • CISOs
  • AppSec Team leads
  • Recruitment agencies
  • Universities
  • Bug Bounty companies/programmes

Working materials

Here are the current ‘work in progress’ materials for this session (please add as much information as possible before the sessions)


… add content …

Related Working Session(s)

Back to list of all Working Sessions and Tracks

Edit this page here