OWASP Training Day - Auckland (June 2024)

We're pleased to offer our popular OWASP Training Day event once again in Auckland, on Saturday, 15th June.

Thanks to the generous support and assistance of the team at 2 Degrees, we're able to offer this low-cost training opportunity to interested professionals.

For this year's Auckland event, we have two (2) full-day classes on offer: 

• Assess and Improve Your AppSec Program using OWASP SAMM (John DiLeo, @gr4ybeard)
  
• Like ISO/IEC 27001, but Backwards (Stephen Coates, @securitysteve@mastodon.nz)

Class Fee: $125.00 per person (plus GST and booking fee)

Start Time: 8:45 a.m. (Registration check-in opens at 8:00)

End Time: 5:30 p.m.

Tea Breaks and Lunch will be provided.

Class Overview - Assess and Improve Your AppSec Program using OWASP SAMM:

Building security into the software development and management practices of an organisation can be a daunting task. There are many elements to the equation: organisation structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance can have a significant impact on the organization. Yet, trying to achieve this without a good framework is most likely leading to just marginal and unsustainable improvements. OWASP SAMM gives you a structural and measurable framework to do just that. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation.

The goal of this one-day training, which is conceived as a mix of presentations and interactive workshops, is for the participants to get a more in-depth view of, and practical feel for, the OWASP SAMM model. The training is set up in three parts:

• In the first part, we present an overview of the model, and review the similarities and differences with other models. The five Business Functions - Governance, Design, Implementation, Verification, and Operations - are explained. Furthermore, different constituent elements (e.g., metrics) are discussed and the overall usage scenarios of the model are explained.
• Next, approximately half a day will be spent doing an actual SAMM evaluation of your organisation (or one that you have worked for). We will go through an evaluation of all the SAMM domains and discuss the results in the group. This will give all participants a good indication of the organisation’s maturity in software assurance. In the same effort, we will define a target model for your organisation and identify the most important challenges in getting there.
• The final part of the training will be dedicated to specific questions or challenges that you are facing about secure development in your organisation. In this group discussion, experiences will be shared among participants to address these questions.

If you haven’t started a secure software initiative in your organisation yet, this training should provide you with the necessary foundations and ideas to do so. Be prepared for the highly effective and applicable treatment of this large domain!

Topic Outline:

Part One: SDLC Overview and OWASP SAMM Introduction

• The ‘Application Security Problem’
• Software Development Lifecycle (SDLC) Overview
• OWASP SAMM - Vision, History, Structure
• OWASP SAMM As an Assessment Tool

Part Two: Applying OWASP SAMM

• Methodology
• Establishing Assessment Scope
• Assessing Governance
• Assessing Design
• Assessing Implementation
• Assessing Verification
• Assessing Operations
• Setting Improvement Targets

Part Three: OWASP SAMM Tools

• Assessment Tools
  • OWASP SAMM Toolkit (Excel workbook)
  • SAMMwise (single-page application)
• Benchmark Project
• Relationships with Other SAMM Projects and Tools

Part Four: OWASP SAMM Best Practices

• Choosing the Right Starting Points
• Monitoring and Metrics
• Achieving Security by Default
• Critical Success Factors

Your Trainer: John DiLeo

Dr. John DiLeo is the leader of the OWASP New Zealand Chapter. In his day job, John is the Application Security Lead at Gallagher Security. Before joining Gallagher, John led the Application Security Services team at Datacom, providing support and guidance to clients in launching, managing, and maturing their enterprise software assurance programs.

Before turning to full-time roles in security, John was active as a Java enterprise architect and Web application developer. In earlier lives, John has been a full-time professor and had specialised in developing discrete-event simulations of large distributed systems.

John is on the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, leads the OWASP State of AppSec Survey and SAMMwise Projects, and is a member of the OWASP Education and Training Committee.

Class Overview - Like ISO/IEC 27001, but Backwards:

ISO/IEC 27001 details the requirements of an Information Security Management System (ISMS). This risk-based framework gives a systematic approach to managing the confidentiality, integrity and availability of critical organisational information. Mandatory clauses 4-10 are at the core of the standard, covering the context of the organisation, leadership, planning, support, operation, performance evaluation, and improvement. It's a framework that has an embedded set of comprehensive controls based on good practice in information security. Implementing the framework and the relevant controls helps organisations protect themselves from the consequences of the risks they face.

However, as a consultant, Stephen Coates has witnessed a number of failed ISMS implementation projects. These are often due to a combination of focussing on the ISO/IEC 27001 mandatory clauses in sequence (from 4 to 10), treating these as the project plan and running out of steam, and trying to reimplement all of the Annex A controls at once. In this full days’ training, Stephen will examine some of those failures and propose the novel and strategic approach of working backwards, so that improvements, reviews, audits, metrics and operation are addressed earlier, rather than later or not at all.

It’s going to be a bit like assembling a jigsaw puzzle, starting with the final image in mind, finding the pieces for the outer frame, and then working our way through all the middle pieces. This method offers a fresh perspective and will lead us to insights we would not have gained by starting at Clause 4.

Topic Outline:

• Welcome and Introductions
• Overview of ISO/IEC 27001; Significance of each mandatory clause
• Group Exercise: Set the scene; allocate teams and roles
• Forward Approach to Clauses 4, 5, and 6
  • Detailed exploration of Clauses 4 (Context of the organization), 5 (Leadership), and 6 (Planning)
  • Group Exercise: Applying the mandatory clauses to our scenario
• Flip the Script to Clauses 10 to 8
  • Begin with Clause 10 (Improvement), discussing how to integrate continuous improvement from the start
  • Address Clause 9 on performance evaluation, ensuring we have the right metrics and targets 
  • Move to Clause 8, we tackle the operation of the ISMS, connecting it back to performance evaluation and improvement;
  • Cheat Mode: Overview of CIS Controls v8 and Implementation Group 1 (IG1)
  • Interactive Session: Group discussion on the Backwards Method
• Reinforcement and Practical Application
  • Introduce Clause 7 (Support), ensuring the resources and awareness needed for the ISMS
  • Revisit earlier work on Clauses 6, 5 and 4, integrating with the Backwards Method and highlighting typical gaps and gotchas
• Final Exercise: Forwards application of ISO/IEC 27001 to our scenario
• Q & A, Lessons indicated, and Wrap-up

Your Trainer: Stephen Coates

Stephen Coates is a pragmatic InfoSec Consultant in the governance, risk management, and compliance (GRC) space. He has come a long way since starting out as a software student apprentice, back in 1980s England. He now has many years of experience that cover information security, cloud, risk management, privacy, e-commerce, IT infrastructure and IT Service Management. Having worked in these fields for so long, he's accumulated a wealth of war stories and a treasure chest of badges and certifications, and he is also a PECB ISO/IEC 27001 Lead Auditor.

Team Discounts - For multiple registrations in a single order:

• 6 - 10 tickets in total: 10% off the entire order
• 11 - 15 tickets in total: 15% off the entire order
• 16 or more tickets in total: 20% off the entire order

Discounts will first appear, and will be applied, on the Payment page.

Questions? Please contact the Training Day Team.