Merge pull request #270 from owaspsamm/sanfran-agenda

Resolves #269

content/en/user-day/2024lisbon/_index.md

@@ -0,0 +1,22 @@
+---
+title: User Day
+layout: main-page
+description: User Day June 26, 2024
+keywords: ["about","what is","questions", "event", "user"]
+---
+
+## SUD 2024 Lisbon Highlights
+
+The OWASP SAMM team is excited to share highlights from its 2024 Lisbon User Day. We hope you find these resources helpful as you keep exploring software security and SAMM.
+
+{{< user_day_agenda_2024_lisbon_archive >}}
+
+#### SAMM Dinner sponsored by Toreon and Codific
+
+{{< responsive-image  "/img/sud/dinner.jpg" "SAMM Dinner - people at a restaurant">}}
+
+## Archive
+
+Here you can find the previous SAMM User Day pages with the full list of talks, downloadable material, and YouTube links.
+
+{{< buttons3 "user-day/2023" "2023 User Day page" "user-day/2021" "2021 User Day page" "user-day/2020" "2020 User Day page">}}

content/en/user-day/2024lisbon/influencing-boardroom-strategy-samm-as-a-communication-tool.md

@@ -0,0 +1,15 @@
+---
+type: user-day
+title: User day
+name: "Influencing Boardroom Strategy: OWASP SAMM as a communication tool"
+speaker: Dag Flachet
+image: /img/people/Dag_Flachet.jpg
+affiliation: Codific
+role: Co-founder
+abstract: |
+    We look at SAMM'S implementation from a leadership perspective. In this talk, we share some common pitfalls and strategies to overcome these. The first problem is: who should do the assessment? Someone at the business unit/ team that has all the information at hand? Or someone who is the organizational expert in SAMM and consistently scores across business units? The answer is both, but roles are to be divided in assessor and validator with a clear cyclical process. The second problem is our psychological fixation on the score. The solution is to provide a gap to target metric on which to focus. The third problem is the opaque relationship between maturity and risk. The solution lies in quantifying risk and correlating those risks with SAMM maturity scores.
+
+bio: |
+   Dag has a doctorate in behavioral psychology and is one of the founders of Codific. He has been heavily involved with the SAMMY tool and the strategic discussion around SAMM at different organizations. He is a professor at the Geneva Business School where he has taught SAMM to managers in training and he is a member of its board of directors.
+
+---

content/en/user-day/2024lisbon/maturing-sdlc-at-a-fortune-500-company-based-on-owasp-samm.md

@@ -0,0 +1,15 @@
+---
+type: user-day
+title: User day
+name: "Maturing SDLC at a Fortune 500 company based on OWASP SAMM: successes and pitfalls"
+speaker: Dr. Jasyn Voshell
+image: /img/people/Jasyn_Voshell.jpg
+affiliation: Zebra Technologies
+role: Director of product security
+abstract: |
+    Application security is a paramount concern for organizations that develop software. However systematically managing AppSec across diverse development teams in a measurable way remains a challenge. This talk outlines Zebra Technologies’ journey in adopting the OWASP Software Assurance Maturity Model (SAMM) as our guiding framework for measuring and improving application security practices. Zebra is a Fortune 500 company with 35 different product and IT teams developing and maintaining secure software applications and systems. Despite initial scepticism and the inherent challenges of integrating SAMM, particularly with embedded and delivered software teams, the implementation led to significant improvements. The introduction of SAMM facilitated a risk-driven, measurable approach to security. It provided a clear framework for comparison across business units and promoting a shared platform for discussing security concerns. Moreover, the gamification of SAMM scores spurred healthy competition among units, though it raised questions about the focus on risk-based improvements versus score chasing. Ultimately, the correlation between SAMM scores and other quality metrics affirmed the value of a SAMM-driven approach. We have seen a moderate (-0.5) inverse correlation between SAMM scores and risk scores produced by an Application Security Posture Management (ASPM) tool we use internally across all teams. To the best of our knowledge this is the first indication that SAMM scores could reduce risk. Overall, SAMM demonstrated tangible enhancements in application security and broader software development lifecycle processes at Zebra Technologies.
+
+bio: |
+   Dr. Jasyn Voshell, with a career spanning over two decades in the security industry, currently serves as the Director of Products and Solutions Security with Zebra Technologies. In this role, he spearheads the global Product & Solutions Security Program, managing its strategy, planning, and execution, while ensuring the seamless integration of security in products and solutions through collaboration with engineering teams. His background includes impactful positions such as Manager of Sales Engineers and Internal Audit Supervisor, where he notably led the North America Sales Engineer team for wireless sales and managed Internal Audit Global operations. Dr. Voshell's academic achievements include holding bachelor’s degrees in mathematics and physics, a master’s in applied mathematics and computer information systems, and a doctorate in civil law, underscoring his well-rounded expertise and leadership in the field.
+
+---

content/en/user-day/2024lisbon/round-table.md

@@ -0,0 +1,16 @@
+---
+type: user-day
+title: User day
+name: SAMM Round Table - assessment methodology
+speaker: All participants
+image: 
+affiliation: 
+role: 
+abstract: |
+    Join us for an engaging discussion where we'll focus on SAMM assessment methodology. We'll use this session as a platform for practitioners to exchange their experiences on how they perform SAMM assessments. From roles involved, to challenges and best practices.
+
+    We invite you to bring your questions, insights, and experiences to the table. This is a great opportunity to actively participate in the SAMM community, learn from your peers, and contribute to the collective knowledge that drives software security.
+
+bio: |
+   
+---

content/en/user-day/_index.md

@@ -6,41 +6,27 @@ images:
     - /img/sud/sud-feature-image.png
 keywords: ["about","what is","questions", "event", "user"]
 ---
-# We have 2 SAMM User Days in 2024
-<br/>
-
-
-## September 25th, San Francisco
+# September 25th, San Francisco
 
 We have a second SAMM User Day this year, in the context of {{< external-link "https://sf.globalappsec.org/" "Global AppSec San Francisco">}}, on Wednesday, September 25th.
 
-Please, consider delivering a talk or workshop. The <b>{{< external-link "https://docs.google.com/forms/d/e/1FAIpQLSeFMEjWLyiZXtN80mV-CscON-sW0lelhegBxwjauj_anurj9g/viewform" "call for presentations">}}</b> is open.
-
 <br/>
 {{< external-link "https://www.eventbrite.com/e/owasp-global-appsec-san-francisco-2024-tickets-723699172707?aff=oddtdtcreator" "Register here">}}
 
-
-We'll soon share our agenda, featuring talks and discussions led by industry experts on topics ranging from the practical applications of SAMM to real-world case studies showcasing its impact. Whether you're a seasoned practitioner or new to the field, there will be something for everyone to learn and contribute.
 <br/>
 <br/>
 
-## June 26th, Lisbon
-
-The OWASP SAMM team is excited to share highlights from its most recent User Day, which was part of {{< external-link "https://lisbon.globalappsec.org/" "Global AppSec Lisbon">}}, on Wednesday, June 26th.
-
-
-### Highlights
-
-{{< user_day_agenda_2024_lisbon_archive >}}
+## Agenda
 
-#### SAMM Dinner sponsored by Toreon and Codific
+Our agenda features talks and discussions led by industry experts on topics ranging from the practical applications of SAMM to real-world case studies showcasing its impact. Whether you're a seasoned practitioner or new to the field, there will be something for everyone to learn and contribute.
 
-{{< responsive-image  "/img/sud/dinner.jpg" "SAMM Dinner - people at a restaurant">}}
+{{< user_day_agenda_2024_sanfran >}}
 
 
 ## Archive
 
 Here you can find the previous SAMM User Day pages with the full list of talks, downloadable material, and YouTube links.
 <br/><br/>
 
+{{< button "user-day/2024lisbon" "2024 Lisbon User Day page">}}
 {{< buttons3 "user-day/2023" "2023 User Day page" "user-day/2021" "2021 User Day page" "user-day/2020" "2020 User Day page">}}

content/en/user-day/appsec-champion-programs.md

@@ -0,0 +1,15 @@
+---
+type: user-day
+title: User day
+name: "AppSec Champion Programs: Interaction and Impact on SAMM Maturity"
+speaker: Dustin Lehr
+image: /img/people/DustinLehr.jpeg
+affiliation: Katilyst
+role: Co-founder, Chief Product and Technology Officer
+abstract: |
+    
+
+bio: |
+   Dustin Lehr is an accomplished software engineer turned executive cybersecurity leader who designs security programs that reinforce proactive behavior to avoid security incidents. He is the Co-founder and Chief Product and Technology Officer at Katilyst, a company dedicated to helping organizations enhance their culture by building engaging security champion programs. Dustin is also the driving force behind the Security Champion Program Success Guide and possesses a wealth of experience in application security, providing innovative coaching and consulting services. In addition, he is a prominent community thought leader, speaker, and founder of the "Let's Talk Software Security" monthly open discussion meetup group.
+
+---

content/en/user-day/implementing-5-levels-of-cmm-for-ssdlc.md

@@ -0,0 +1,30 @@
+---
+type: user-day
+title: User day
+name: "Implementing 5 levels of Capability Maturity Model (CMM) for Secure Software Development Life Cycle (SSDLC)"
+speaker: Jamil Ahmed
+image: /img/people/Jamil_Ahmed.jpeg
+affiliation: Codific
+role: Co-founder
+abstract: |
+    Capability Maturity Model (CMM)  
+    The Capability Maturity Model (CMM) has advanced to effectively evaluate the maturity of software and the Software Development Life Cycle (SDLC). While the importance of CMM for SDLC is clear, a functional CMM specifically designed for the Secure Software Development Lifecycle (SSDLC) across all five levels is not widely recognized or adopted within the application security community and software engineering teams.  
+    CMM aims to assess an organization's capabilities through five levels: Initial, Managed, Defined, Quantitatively Managed, and Optimized.
+
+    Origin  
+    OWASP Software Assurance Maturity Model (SAMM) is the relevant CMM to SSDLC. 
+    I have devices a functional CMM for SSDLC based on SAMM. This maturity model is devised around important security domains of SSDLC. Although, SAMM provides a good foundation but it is limited to 3 levels. The proposed maturity model of this talk is comprised of 5 typical levels of CMM.
+
+    Objective  
+    Shifting left is crucial for improving the security posture of an organization’s software development processes. Therefore, it is essential that the CMM for SSDLC supports the shift-left approach at each of its five levels. As organizations progress to higher maturity levels, they need to implement more shift-left practices.
+
+    Security Domains and Categories  
+    The maturity model organizes Secure Software Development Lifecycle (SSDLC) practices into nine major security domains i.e. Security Policy and standards, Security Role and Culture, Security Training, Asset Inventory, Application Architecture Assessment, Building Source Code, Secure Deployment, Dynamic Application Scanning, Security Testing.
+
+    The full model includes descriptions, criteria, and guidelines for achieving these criteria at each of the five levels.
+
+    In the talk, I will share the complete maturity model.
+
+bio: |
+
+---

content/en/user-day/maturing-sdlc-at-a-fortune-500-company-based-on-owasp-samm.md

@@ -2,14 +2,14 @@
 type: user-day
 title: User day
 name: "Maturing SDLC at a Fortune 500 company based on OWASP SAMM: successes and pitfalls"
-speaker: Dr. Jasyn Voshell
-image: /img/people/Jasyn_Voshell.jpg
+speaker: Sunny Sharma
+image: 
 affiliation: Zebra Technologies
-role: Director of product security
+role:  Principal Information Security Engineer for Products and Solutions
 abstract: |
     Application security is a paramount concern for organizations that develop software. However systematically managing AppSec across diverse development teams in a measurable way remains a challenge. This talk outlines Zebra Technologies’ journey in adopting the OWASP Software Assurance Maturity Model (SAMM) as our guiding framework for measuring and improving application security practices. Zebra is a Fortune 500 company with 35 different product and IT teams developing and maintaining secure software applications and systems. Despite initial scepticism and the inherent challenges of integrating SAMM, particularly with embedded and delivered software teams, the implementation led to significant improvements. The introduction of SAMM facilitated a risk-driven, measurable approach to security. It provided a clear framework for comparison across business units and promoting a shared platform for discussing security concerns. Moreover, the gamification of SAMM scores spurred healthy competition among units, though it raised questions about the focus on risk-based improvements versus score chasing. Ultimately, the correlation between SAMM scores and other quality metrics affirmed the value of a SAMM-driven approach. We have seen a moderate (-0.5) inverse correlation between SAMM scores and risk scores produced by an Application Security Posture Management (ASPM) tool we use internally across all teams. To the best of our knowledge this is the first indication that SAMM scores could reduce risk. Overall, SAMM demonstrated tangible enhancements in application security and broader software development lifecycle processes at Zebra Technologies.
 
 bio: |
-   Dr. Jasyn Voshell, with a career spanning over two decades in the security industry, currently serves as the Director of Products and Solutions Security with Zebra Technologies. In this role, he spearheads the global Product & Solutions Security Program, managing its strategy, planning, and execution, while ensuring the seamless integration of security in products and solutions through collaboration with engineering teams. His background includes impactful positions such as Manager of Sales Engineers and Internal Audit Supervisor, where he notably led the North America Sales Engineer team for wireless sales and managed Internal Audit Global operations. Dr. Voshell's academic achievements include holding bachelor’s degrees in mathematics and physics, a master’s in applied mathematics and computer information systems, and a doctorate in civil law, underscoring his well-rounded expertise and leadership in the field.
+   Sunny Sharma, with over a decade of experience in security industry, currently serves as the Principal Information Security Engineer for Product and Solutions Security at Zebra Technologies. In this role, Sunny leads the strategic integration of security measures into Zebra’s products and solutions, managing the overall strategy, planning, and execution of the company’s security initiatives. He works closely with engineering teams to ensure that security protocols are seamlessly embedded throughout the product development lifecycle. Sunny’s extensive background encompasses a wide range of domains, including DevOps, DevSecOps, Product & Solutions Security, Cloud Security, Architecture, and Engineering. His expertise effectively bridges the gap between development and security, ensuring comprehensive security considerations are integrated from the ground up. This collaborative approach has been instrumental in enhancing the robustness and reliability of Zebra’s technological offerings. His diverse experience equips him with a comprehensive view of the complexities and challenges within the industry, making him an asset to any organization committed to maintaining high security standards. Sunny holds a bachelor’s degree in information technologies and informatics, underscoring his technical proficiency and commitment to the field. His leadership and innovative approach continue to drive excellence in product and solutions security, advancing Zebra Technologies’ mission to deliver secure and reliable products to a global clientele.
 
 ---

content/en/user-day/rolling-out-samm-in-established-and-diverse-corporations.md

@@ -0,0 +1,16 @@
+---
+type: user-day
+title: User day
+name: "Rolling out SAMM in established and diverse corporations"
+speaker: Nariman Aga-Tagiev
+image: /img/people/Nariman.jpg
+affiliation: Dassault Systems
+role: Cybersecurity Engineering Manager
+abstract: |
+    Interactive workshop about adapting OWASP SAMM as a maturity framework from sctratch in a big corporation with very diverse portfolio, tools and teams.
+
+
+bio: |
+   Nariman Aga-Tagiyev is an Application Security Architect with over two decades of experience in software development. Over the course of his career, Nariman has worn multiple hats, serving as a full stack web application developer, backend developer, DevOps engineer, and cloud developer. However, since 2016, his focus has been exclusively dedicated to the realm of Application Security and advancing Software Security Development Life Cycle (SSDLC) maturity.
+
+---

content/en/user-day/samm-benchmark-updates.md

@@ -0,0 +1,17 @@
+---
+type: user-day
+title: User day
+name: "SAMM Benchmark Updates"
+speaker: Aram Hovsepyan
+image: /img/team/aram.jpg
+affiliation: Codific
+role: CEO
+abstract: |
+    We will present the latest data and new insights from the OWASP Benchmarking project.
+
+    We aim to collect data from at least 100 organizations to release a comprehensive report. Your participation is vital. Contribute your dataset anonymously and help us build a robust, industry-wide benchmark.
+
+bio: |
+   Aram is the founder, CEO of Codific and a security and privacy expert. He has over 15 years of professional experience in designing and building complex software systems by explicitly focusing on security. He believes application security is a holistic discipline. Aram has a PhD in cybersecurity from DistriNet, KULeuven which provides him with a broad knowledge of the security landscape. Throughout his academic years he has mainly focused on privacy threat modeling and streamlining the LINDDUN methodology.
+
+---

data/sud2024sanfran/01_welcome.yaml

@@ -0,0 +1,6 @@
+weight: 1
+name: "Welcome to SAMM User Day San Francisco 2024"
+type: 
+presenter: "Aram Hovsepyan"
+time: "9.00"
+archive: false

data/sud2024sanfran/02_appsec_champion_programs.yaml

@@ -0,0 +1,7 @@
+weight: 2
+url: "appsec-champion-programs"
+name: "AppSec Champion Programs: Interaction and Impact on SAMM Maturity"
+type: "Presentation"
+presenter: "Dustin Lehr"
+time: "9.20"
+archive: true

data/sud2024sanfran/03_implementing_5_levels_of_cmm_for_ssdlc.yaml

@@ -0,0 +1,6 @@
+weight: 3
+url: "implementing-5-levels-of-cmm-for-ssdlc"
+name: "Implementing 5 levels of Capability Maturity Model (CMM) for Secure Software Development Life Cycle (SSDLC)"
+type: "Presentation"
+presenter: "Jamil Ahmed"
+time: "9.55"

data/sud2024sanfran/04_break.yaml

@@ -0,0 +1,4 @@
+weight: 4
+type: "Break"
+name: "Break"
+time: "10.30"

data/sud2024sanfran/05_influencing_boardroom_strategy_samm_as_a_communication_tool.yaml

@@ -0,0 +1,7 @@
+weight: 5
+url: "influencing-boardroom-strategy-samm-as-a-communication-tool"
+name: "Influencing Boardroom Strategy: OWASP SAMM as a communication tool"
+type: "Presentation"
+presenter: "Dag Flachet"
+time: "11.00"
+

data/sud2024sanfran/06_samm_benchmark_updates.yaml

@@ -0,0 +1,6 @@
+weight: 6
+url: "samm-benchmark-updates"
+name: "SAMM Benchmark Updates"
+type: "Presentation"
+presenter: "Aram Hovsepyan, Brian Glas"
+time: "11.45"

data/sud2024sanfran/07_break.yaml

@@ -0,0 +1,4 @@
+weight: 7
+type: "Break"
+name: "Lunch Break"
+time: "12.30"

data/sud2024sanfran/08_rolling_out_samm_in_established_and_diverse_corporations.yaml

@@ -0,0 +1,7 @@
+weight: 8
+url: "rolling-out-samm-in-established-and-diverse-corporations"
+name: "Rolling out SAMM in established and diverse corporations"
+type: "Workshop"
+presenter: "Nariman AGA-TAGIYEV"
+time: "13.30"
+

data/sud2024sanfran/09_maturing-sdlc-at-a-fortune-500-company-based-on-owasp-samm.yaml

@@ -0,0 +1,7 @@
+weight: 9
+url: "maturing-sdlc-at-a-fortune-500-company-based-on-owasp-samm"
+name: "Maturing SDLC at a Fortune 500 company based on OWASP SAMM: successes and pitfalls"
+type: "Presentation"
+presenter: "Sunny Sharma"
+time: "14.15"
+archive: true

data/sud2024sanfran/10_break.yaml

@@ -0,0 +1,4 @@
+weight: 10
+type: "Break"
+name: "Break"
+time: "15.00"

data/sud2024sanfran/11_round_table.yaml

@@ -0,0 +1,7 @@
+weight: 11
+url: "round-table"
+name: "Round Table: assessment methodology"
+type: "Round table"
+presenter: "All participants"
+time: "15.30"
+archive: true

data/sud2024sanfran/12_wrap_up.yaml

@@ -0,0 +1,6 @@
+weight: 12
+name: "Wrap-up"
+type: ""
+presenter: "SAMM Team Members"
+time: "17.00"
+archive: false

data/sud2024sanfran/13_dinner.yaml

@@ -0,0 +1,6 @@
+weight: 13
+name: "SAMM Dinner sponsored by Codific and Toreon"
+type: ""
+presenter: ""
+time: "18.00"
+archive: false