Session
Application security for agile teams
Admincontrol takes part in the Visma Application Security Program (VASP), which is a custom-made application security program based on leading standards and best practices.
While custom-made by Visma for Visma, the VASP is, by virtue of being an application security program, in many ways comparable to maturity models like OWASP SAMM in the way that it covers the organizational aspects for improving the security posture of our organization. It provides the governance, maturity benchmarking and continuous improvement practices needed to effectively improve our security practices.
OWASP ASVS and MASVS are used to provide a baseline for benchmarking application security and for defining the application security requirements needed to design, implement and test a secure design and to conduct threat modelling before coding starts.
During our threat modelling session, we use OWASP Cornucopia, a threat modelling game, in order to identify these requirements.
OWASP Cornucopia is a mechanism in the form of a card game to help software development teams identify security requirements in agile development processes. It is language, platform, and technology agnostic. Admincontrol is using OWASP Cornucopia to scale its security efforts and empower its teams to do agile application security work using gamification as a motivational factor.
Together with OWASP Threat Dragon, the OWASP Developer Guide and the OWASP MAS project, we are working on improving guidance on agile application security and on scaling threat modelling and application security efforts across the world.
We are doing this to ensure the successful implementation of agile security practices for web and mobile applications for teams that use Scrum, Lean or other agile methodologies. We believe the best way to scale application security efforts, empower development teams to take ownership of application security and improve application security posture is to gamify the security requirements and threat modelling processes. Let the development team come up with the requirements themselves and support them in the planning, design and implementation of application security. Cornucopia will help development teams come up with those requirements and support them in planning, designing and implementing application security best practices, and if they don't find the game interesting, why not let them create their own game using OWASP Cornucopia?
In this presentation we will talk about how agile application security can help scale your application security effort and the experiences from doing so at Admincontrol.