Explore a comprehensive blueprint for transforming security culture in this conference talk from Converge 2016. Delve into the critical need for application security awareness in an increasingly software-driven world. Learn why the OWASP Top 10 approach has fallen short and understand the root causes of vulnerabilities. Gain insights into the developer mindset and discover the key features of a sustainable security culture. Examine the Cisco Security Dojo as a case study, then follow a step-by-step guide to building an effective Application Security Awareness Program. Cover essential aspects such as assessing current culture, building a team, creating themed levels and roles, and implementing recognition systems. Dive into content creation processes, including examples like "The Vulnerability Continuum," and explore the potential of gamification in security training. Conclude with practical advice on building your own program, followed by a Q&A session.
Overview
Syllabus
Intro
About Chris Romeo
Agenda
Software is eating the world
Customers demand security in everything
FAILED OWASP TOP 10
The Source of Vulnerabilities Requirements
The Mindset of the "Average" Developer
Why change a security culture?
Defining Features of a Sustainable Security Culture
The Cisco Security Dojo
Building an Application Security Awareness Program
Assess Security Culture
Build a Team
Theme
Levels
Roles
Activities & Behaviors
Recognition
Budget & Schedule
Assessment
Resources
Level 1 Content Map
Content Creation Process
Example Content: The Vulnerability Continuum
Humor / Story
Examples
A word of caution...
Gamification
User Interface
Competition
Build Your Own
Q+A & Contact
