John DiLeo
Dr. John DiLeo leads the OWASP New Zealand Chapter. In his day job, John is the Application Security Lead at Gallagher Security in Hamilton. Before joining Gallagher, John led the Application Security Services team at Datacom, providing support and guidance to clients in launching, managing, and maturing their enterprise software assurance programs.
Before turning to full-time roles in security, John was active as a Java enterprise architect and Web application developer. In earlier lives, John was a full-time professor and specialized in developing discrete-event simulations of large distributed systems.
Session
Application Security Testing is a key component of any organization’s software assurance program. The importance of these practices is reflected by their presence throughout OWASP's Software Assurance Maturity Model (SAMM), where they're represented primarily by two of the model's 15 core Practices (Requirement-driven Testing and Security Testing), and factor into numerous activities across the remaining Practices.
This class covers recommended Application Security Testing (AST) practices, along with supporting AST tools and ways to better leverage penetration testing, to verify and validate an application’s security features:
* Verify – How do we confirm our application’s security features were built right?
* Validate – How do we confirm we built the right security features, to secure the application's functionality?
Topic coverage will include establishing your overall AST strategy and aligning it with the OWASP ASVS (Application Security Verification Standard); defining and implementing security test cases; leveraging AST tools; and using third-party penetration tests effectively within your testing strategy.