Wednesday, September 26, 2018

Comsec's Josh Grossman presenting at AppSec USA 2018

Come and meet Josh Grossman, one of our Application Division team leaders, at AppSec USA 2018 being held in San Jose, California in October!

What is AppSec USA?

AppSec USA is organised by OWASP, the Open Web Application Security Project, as one of their two annual global conferences. It brings application security professionals from across the world together to hear about cutting-edge topics and ideas in the industry through three two-day tracks of lectures. Talks are evaluated through a competitive Call for Papers process to ensure that the highest quality talks are presented at the conferences.

What will the talk be about?

Josh will be giving a talk entitled "How to get the best AppSec test of your life". In this talk, he uses his experience of delivering hundreds of application security testing projects to provide insights into how companies can get the maximum value from this process. The insights come from all stages of the testing process, from scoping all the way to actioning the report and assessing next steps, and are applicable whether companies are doing these tests by choice or based on regulation, company policy or customer demands.

The talk begins by explaining how you can "Hack your test" by choosing the assessment that makes the most sense for your organisation and then customizing the assessment for your needs. The talk covers questions such as: what should you consider when choosing a provider? What should you request and expect from them up front? How should the scope be defined to best use the time available, and how should that time be split across the different stages of the assessment? How do you balance realism and practicality?

The talk continues with ideas to ensure you are prepared for the test. If you are well prepared, the tester gets to spend the maximum amount of time working on your app rather than getting distracted by questions or logistical issues. The talk discusses recommended testing setups and which elements you should discuss with the tester up front. It also discusses classic errors and misconceptions that can lead to wasted time and inadequate results.

Finally, the most important part of the whole exercise: getting high quality, actionable output from the assessment. Many of the points discussed above will automatically lead to better assessment results by tailoring the assessment more closely, but you still need an actionable report. This section starts with how to decide on the reporting process that is best for your organisation. It then discusses what you should expect from recommendations, what you should do when you receive them, and how you can use your tester to decide on next steps.

What are the key takeaways?

Developers and others involved in a company's software development lifecycle will leave this talk with ideas that they can apply today, tomorrow and in the future to ensure that application security tests aren't just a compliance tick-box but rather deliver real value and make an application more secure.