AppSec USA Training

Managing Web & Application Security – OWASP for Senior Managers

September 17th
US $800

Presented by Tobias Gondrom

About the course

Managing and improving your global information security organization: leverage OWASP and common best practices to improve your security programs and organization, achieve cost-effective application security, and bring it all together at the management level.

Setting up, managing and improving your global information security organisation using mature OWASP projects and tools; achieving cost-effective application security and bringing it all together at the management level; how to use and leverage OWASP and other common best practices to improve your security programs and organization. The workshop will also discuss a number of quick wins, how to effectively manage global security initiatives, and how to use OWASP tools inside your organisation. The author has extensive experience of managing his own secure development organization as well as advising on the improvement of a number of global secure development organisations and processes.


  • OWASP Top-10 and OWASP projects – how to use within your organisation
  • Risk management and threat modelling methods (OWASP risk analysis, ISO-27005,…)
  • Benchmarking & Maturity Models
  • Security Strategy
  • Organisational Design and managing change for global information security programs
  • SDLC
  • Training: OWASP Secure Coding Practices – Quick Reference Guide, Development Guide, Training tools for developers
  • Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide
  • Development & Operation: Libraries and Frameworks (ESAPI (Enterprise Security API), AppSensor, …), Threat assessments using OWASP Cornucopia

All discussions and issues raised by participants at the workshop will be held in confidence under the Chatham House Rule.


The idea came from a number of discussions I had with CISOs and senior managers from various companies in the past, informing them about the multitude of OWASP benefits and tools in their context of managing and improving their security programs and development organisations, and showing how easy and cost-effective the use of OWASP material can be for their security programs (e.g. the potential benefits of becoming OWASP sponsors). The training is also linked to the recent OWASP project on writing the CISO Guide and other industry-related activities, and shall make our OWASP projects more accessible to industry, developers and CISO managers.

Attendee takeaways and key learning objectives

  • How to effectively build and run a global information security function
  • Strengthening web and application security using OWASP projects
  • Improving web and application security for organisations at every level, from green-field to very sophisticated security organisations

About the trainer

Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and CEO at Thames Stanley, a boutique global CISO and Information Security & Risk Management advisory based in Hong Kong, the United Kingdom and Germany. He has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures and global standardization organizations, working for independent software vendors and large global corporations in the financial, technology and government sectors. He also holds the most senior business degree from London Business School, the Sloan Masters in Leadership and Strategy.

Over the years, Tobias has trained and advised dozens of CISOs and senior information security leaders around the world on the management and organisation of security teams and programs. Since 2003 he has chaired working groups at the IETF, is a member of the IETF security directorate, has chaired the web security WG at the IETF since 2010, and has been a member of the IETF Administrative Oversight Committee (IAOC) since 2014. He has held a number of project and chapter leadership roles in OWASP since 2007. Currently, he is serving as a global board member of OWASP, leading the OWASP CISO Report and Survey project, and is a contributor to the OWASP CISO Guide. Tobias Gondrom also serves as a member of the NIS Platform of the European Commission, advising the European Union on cyber security and risk management. He serves on the board of the CSA Hong Kong and Macau chapter and is an ISC2 CSSLP and CISSP instructor. Tobias has authored the Internet security standards RFC 4998, RFC 6283 and RFC 7034, co-authored the OWASP CISO Guide and the book "Secure Electronic Archiving", and is a frequent presenter at conferences and author of articles on security (e.g. AppSec, IETF, …).

Enroll in this training course

Training requires a separate registration from the AppSec USA conference. Registration for both conference and training offerings may be found here.

AppSec USA

AppSec USA is a world-class software security conference for developers, auditors, risk managers, technologists and entrepreneurs, gathering with the world's top practitioners to share the latest research and practices in the high-energy atmosphere of Downtown Denver.