This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Building an in-house application security assessment team

Jump to: navigation, search

The presentation

Owasp logo normal.jpg
Like many companies, Boeing historically relied on contracted security vendors to provide various IT security assessments. However, as part of taking a more proactive approach to application security, Boeing decided to bring this service in-house and build an internal assessment team. We learned a lot about what it takes to run an effective team and maybe some of our lessons will be useful to others who are trying to establish their own teams. This discussion covers the full life cycle including intake processes, risk analysis, standardizing findings and remediation, designing and issuing reports and managing corrective actions. I also touch on other issues like metric reporting and integration with secure software development teams.

The speaker

Keith Turpin leads the application security assessment team at The Boeing Company and is a member of Boeing?s Enterprise Red Team. Over the years he has held various IT security positions, including lead IT security advisor for Boeing?s international operations and security analyst for several programs. He also led the development of processes and standards for several of the company?s IT security assessment teams. Keith served four years as the Director of Communication for the Puget Sound chapter of the ISSA and is still actively involved. He also served three years on the ISSA Executive Planning Committee for ISSA NW regional conferences. Keith has a BA in Mechanical Engineering and MS in Computer Systems. He is actively involved in engineering education and is director of one of the largest multi-college engineering competitions in the Northwest and is an award winning speaker on engineering education.