Thursday, June 27 • 11:30am - 12:15pm
Security Champions and Experiments – Building Blocks for Cultural Change


Ever wondered how to successfully mature application security culture in a complex organization? In this talk, I will try to answer this question by presenting the building blocks used to create the foundation for cultural change in an IT company with 500+ developers that provides IT systems for banks. The building blocks are: 1) a management-backed security champions program and 2) an experimental approach to incrementally implementing new application security initiatives.


As a large organization with ~100 teams covering everything from mainframe to mobile apps in a highly regulated sector, we face a lot of challenges in creating the desired change in security culture. These challenges include legacy systems, a complex technology stack, team autonomy, company culture, and regulation. Furthermore, we recognize that security is not top-of-mind for developers, and while each successful new security initiative is a step forward, every failure is five steps backwards, as failed initiatives create resistance against the desired security conscious culture. Hence, it is essential to minimize failed initiatives.


To mitigate these challenges, we built a security champions program which includes a core team with essential stakeholders, and approx. 30 security champions, each representing several teams. In addition to anchoring security knowledge in the development organization, this has created a feedback loop where previously uncollected security-relevant information is fed back to the security organization.


In addition to our security champions program, we have applied a methodology of experimentation based on empirical methods, which enables us to conduct structured experiments and evaluate the real-world impact of new security initiatives before rolling them out to the entire organization, hence maximizing the chance of success.

Join this talk to learn what happens when guidelines meet reality in the complexity of a real-world setup. Drawing on our experience, it will give you principles and methods you can apply to implement application security initiatives using structured experiments and to structure a successful security champions program.


Speakers

Mads Andersen

Lead IT Security Consultant, Bankdata
Mads has worked in security and privacy for 15+ years, with experience from research and different companies. He has an education as a software engineer and holds a PhD in computer science. Currently, he is working as a lead application security consultant and running a security champions...


Thursday June 27, 2024 11:30am - 12:15pm WEST