This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

2015 BASC Homepage

Jump to: navigation, search

Boston-Banner-468x60.gif 2015 BASC: Home | Agenda | Presentations | Speakers

Platinum Sponsors


Silver Sponsors


Sponsorships are available: See Sponsorship Kit
Please help us keep BASC free by viewing and visiting all of our sponsors.


This is the homepage for the 2015 Boston Application Security Conference (BASC). This free conference will take place on Saturday, October 3rd at Microsoft New England Research and Development Center (NERD). Note the location is different from last year.

The BASC will be a free, one day, informal conference, aimed at increasing awareness and knowledge of application security in the greater Boston area. While many of the presentations will cover state-of-the-art application security concepts, the BASC is intended to appeal to a wide-array of attendees. Application security professionals, professional software developers, software quality engineers, computer science students, and security software vendors should be able to come to the BASC, learn, and hopefully enjoy themselves at the same time.


"How I Teach Security"

Rob Cheyne, CEO, Big Brain Security, Executive Director, SOURCE Conference

After spending over 10 years as a builder of software systems, and the next five years on the breaking side of things, I then spent over a decade teaching information security concepts to over 25,000 people around the world at leading global organizations.

Over the course of this work, I’ve noticed some interesting patterns across my body of students and clients.

In most organizations, I have seen have at least one critical area of the business where basic information security best practices were not implemented where they should be. In many cases, this is because people are either not factoring in an accurate representation of infosec risks into their planning & project life cycles, or they willfully ignore them.

The reason for this often boils down to one thing: the overall level of security awareness in most places is pretty low, even amongst developers, and even in organizations where you would think it should be a lot higher. Amongst business and management groups, it can be practically non-existent because security is still often assumed to be the purview of the security group, the infrastructure team, or the developers.

In such an environment, business requirements often take precedence over security requirements, even when the security requirements are truly protecting the best interests of the business.

I have seen that many people within a typical organization:

  • have little to no understanding of the actual risks they face.
  • have no idea how to balance rational security options against business requirements to mitigate those risks.
  • think that security is somebody else’s job, and ignore it accordingly.
  • believe that internal systems are somehow safe from attack
  • think that the data breach will never happen to them

I have come to believe strongly that this is as much as much our failure to communicate and influence information security initiatives as it is the business' failure to understand. Given the shortage of infosec professionals in the marketplace, I believe the only way we can scale ourselves is to communicate what we know more effectively.

In short, we need to learn how to communicate what we know much, much better than we are doing today.

Security is arguably much more of a people problem than a technology problem, and the ability to communicate rational security wisdom to people outside of the “InfoSec echo chamber” is a highly underrated skill. There are many areas of security where we have solid best practices, but they aren’t followed because the people who need to hear the message the most simply never receive it.

Please join me in this frank & interactive discussion of what it means to communicate information security outside of our echo chamber, and discuss some specific strategies for doing so.

The Details


Admission to the BASC is free but registration is required for breakfast, lunch, and the evening social time. We will do everything possible to accommodate late registrants but the facility and food are limited. Online registration is now open and you are encouraged to register early.

You can find out more about this conference at the 2015 BASC Homepage
Conference Organizer: Jim Weiler