Measuring Security: 5 KPIs for Successful Web App Security Programs

Venue: Walter E. Washington Convention Center

The presentation

Modern enterprises recognize the need to test their web applications for security vulnerabilities, but few security organizations can quantify the success or failure of their programs to the business. That is because traditional security lifecycle metrics (counts of scans run or findings opened and closed) do not convey whether the organization is actually reducing risk. Attendees will learn how to develop organizational metrics that draw on proven QA data in addition to security data to form a complete picture. The session will cover five critical KPIs that express the security risk associated with web applications as a function of overall software quality.

Rafal Los

Rafal "Raf" Los is a web application security evangelist for the HP Software & Solutions business at HP. Los is responsible for bridging the gaps between security technologies and business needs to reduce enterprise risk and create embedded, lasting solutions on behalf of the HP Application Security Center group. He has spent over 10 years in various facets of information security and data protection, building programs at companies ranging from startups to Fortune 50 enterprises. Rafal is a regular speaker at security conferences including OWASP, SecTor, DEF CON, CSI, and many other public and private events. Additionally, Los helped write the first release of the Open Web Application Security Project (OWASP) Testing Guide.

Prior to joining HP, Los led the web application security program and served as a security lead at General Electric (GE) Consumer Finance. Los also worked with GE Power Systems, leading security engineering and architecture and building the web application security program. Before GE, Los helped build a service-oriented security consulting company and was among the first 25 employees of a successful financial startup, leading internet-facing systems and security management and architecture.

Raf received his B.S. in Computer Information Systems from Concordia University, River Forest, Ill.