AppSec: From the OWASP Top Ten(s) to the OWASP ASVS

Some people are under the misconception that if they follow the OWASP top 10 that they will have secure web applications. But in reality the OWASP Top Ten (and other top ten lists) are just the bare minimum that at best provide entry-level general awareness. A more comprehensive understanding of Application Security is needed.

This talk will review the OWASP Top Ten 2017 and the OWASP Top Ten Proactive Controls 2018 and compare them to a more comprehensive standard: the OWASP Application Security Verification Standard (ASVS) v4.0. OWASP's ASVS contains over 180 requirements that can provide a basis for defining what secure software really is. The OWASP ASVS can be used to help test technical security controls of web and API applications. It can also be used to provide developers with a list of requirements for secure development with much more nuance and detail than a top ten list! You cannot base a security program off a Top Ten list. You can base an Application Security program off of the OWASP ASVS.

Who should attend this talk: Software engineers and support staff, application security professionals

Academic level: Intermediate

What is the take away in this talk:

• Details on the limitations of awareness resources like the OWASP Top Ten
• How to properly use the OWASP Application Security Verification Standard
• How to define to core technical requirements of an application security program