Export or edit this event...

Application Security -- The Framework, Processes and Tools to Secure Your Apps


RSVP: https://www.meetup.com/OWASP-Portland-Chapter/events/277480846/


Traditionally, breaches that make the news are about stealing data and that data being resold for financial gains. Think Target, Ashley Madison, Marriott and so many more. Recently a spotlight was put on supply chain security via the SolarWinds breach and how that affected many companies. The adversaries were able to inject malicious code into applications that have a lot or rights and are widely deployed in many organizations, small and large alike.

We will discuss the framework, your SDLC (SDL, SSDLC, etc.) – Secure Development Lifecycle – to lay out how you are going to develop and secure your applications. Customers care about this. Once you have your SDLC, you need to define your processes, select your tools, integrate them into your SDLC and finally automate those tools. This is not a short process and often multiple iterations are necessary to get to a good place. The goal of this presentation is to make you aware of a variety of tools that are out there, the various steps along the way of your SDLC you need to take and how to complete each of these steps.


Derek Hill has over 25 years of experience in Information Security and Information Technology. He is currently the Director of AppSec engineering at ForgeRock, an Identity and Access management company, based in Vancouver, WA. He is responsible for implementing and improving the company’s product security on a continual basis. He works closely with software engineers and security engineers in multiple countries to ensure the ForgeRock products are developed securely and tested in all phases of the development lifecycle. In addition to his full time job, Derek is also a SANS community instructor teaching Security Leadership and CISSP prep courses.

Prior to his current position, Derek held Information Security, IT management and technical roles at both large and small companies. In each role, he consistently focused on managing high-performing teams, delivering efficient solutions and providing excellent services to a variety of stakeholders, maximizing uptime and security. Derek also has significant experience in cloud technologies, responsible for moving, securing and maintaining them in various cloud environments through their lifecycle.