CactusCon

CactusCon13
February 14-15, 2025
Mesa, AZ

Anatomy of an AppSec Program; OR How to Stop Deploying Shoddy Code to Production Systems

It’s 2018, and we are haunted by the same vulnerabilities from more than a decade ago.

Organizations of all sizes still struggle with very common vulnerabilities such as command injection, XSS, and insecure direct object reference, despite an abundance of code scanners on the market. The OWASP Top 10 is quickly becoming irrelevant because it has barely changed in the last several years.

This is one of the most pressing issues for CISOs, and there is no definitive solution. AppSec isn’t a product you can buy; it isn’t even a state that you can achieve. There is no how-to guide for application security.

But there are some qualities shared by successful AppSec programs. This talk will give security managers and directors who struggle with application security a better understanding of those common elements and answer questions such as:

  • What are some of the critical functions of an AppSec program?
  • Will that work in my <insert buzzword SDLC here> environment?
  • Okay, so where do I start?

Joe Ward

Joe Ward is a Senior Security Analyst at Bishop Fox, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on network penetration testing, security architecture, and vulnerability management. He is also an expert in Active Directory.

At Bishop Fox, Joe led the team that created the application security program for a Fortune 100 global organization. He has authored a blog post on threat modeling for Bishop Fox as well as conducted internal trainings on the subject. Several military departments have enlisted Joe’s guidance in red team and blue team training. Joe is an active member of Arizona Infragard, a government alliance that is dedicated to mitigating physical and cyber threats via information sharing.

Prior to joining Bishop Fox, Joe spent 20 years in IT as a network and security engineer. Joe built datacenter implementations around the world in his past career. He has worked for various prominent enterprises such as the largest state agency in Arizona.