The goal of the OWASP Top 10 project is to raise awareness and create a baseline for application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. To shape the OWASP Top 10 2017, the project ran a public call for data and industry survey to help define what should be included in the list. Gain insight into some of the details of the OWASP Top 10 Call for Data and industry survey, and what we were attempting to learn. Hear about was learned from collecting and analyzing widely varying industry data and attempts to build a dataset for comparison and analysis. This talk will discuss tips and common pitfalls for structuring vulnerability data and the subsequent analysis. Learn what the data can tell us and what questions are still left unanswered. Uncover some of the differences in collecting metrics in different stages of the software lifecycle and recommendations for handling them.

Brian has worked in IT for over 16 years and Information/Application Security for the last decade. He started as an Enterprise Java Developer; then transitioned to helping build an Application Security program as both tech lead and manager. He later played the role of Enterprise Architect and did a little incident response and reverse engineering malware for fun. He then spent a number of years as a consultant helping clients build AppSec Programs, create/update SDLCs, and other related initiatives. He has worked on the Trustworthy Computing team at Microsoft and is currently working at nVisium as the Director of Strategic Services. He is a co-lead for SAMM v1.1-2.0 and the OWASP Top 10. Brian has previously spoke at a few security chapter meetings and several conferences.

Back to BSides Chattanooga 2018 video list