The Most Common AppSec Failures in Fortune 500 Companies and Beyond
Presentation slides: https://static.sched.com/hosted_files...

For the past three years, I have performed over 40 hands-on security assessments of Fortune 500 companies and other organizations. Using a systematic methodology grounded in the OWASP SAMM framework, I have observed a clear pattern: regardless of size or maturity, organizations tend to make the same critical mistakes.

Security is all about risk, yet I have rarely encountered a team with a shared understanding of their application risk profile and appetite. Applications are built around requirements, but security requirements are almost never explicitly defined, even though OWASP ASVS has already laid the groundwork. Threat modeling is often reduced to a whiteboard version of a pen test, outsourced to external teams or, worse, delegated to AI. Teams place unrealistic expectations on tools: "Once we deploy our ASPM tool, things will be better." In reality, these tools often introduce new challenges. We continue to build dashboards around security metrics we don't understand, in pursuit of goals we never defined. Finally, the siloed nature of development, security, and operations only amplifies these issues, leading to confusion, delays, and accountability gaps.

This session will unpack these recurring pitfalls with concrete examples and provide pragmatic advice to break the cycle. Whether you're leading an AppSec program or driving change from within, you'll leave with a sharper understanding of what actually makes or breaks application security.

Speaker: Aram Hovsepyan, Codific Founder and CEO

For the past 15 years Aram has been involved in application security as a researcher, industry expert, and core contributor to the OWASP SAMM project. Aram holds a PhD in application security from DistriNet KU Leuven, which gives him a broad understanding of the security landscape. His work on refining and streamlining the LINDDUN privacy engineering methodology has been incorporated into both ISO and NIST standards.

Aram is the founder and CEO of Codific, a Belgian cybersecurity product firm. At Codific, he works at the intersection of software engineering and application security, helping organizations build secure and reliable systems that protect what matters most. Aram is also a core contributing member of the OWASP SAMM project, which is the industry standard framework for managing application security programs.

Managed by the OWASP® Foundation https://owasp.org/