User day

Practical Advice for Application Risk Profiles


Daniel Hood

Phronesis Security
Chief Optimist (CTO)


Application Risk Profiles are a foundational piece of any application security program. They provide an easy way to communicate the importance and risk of any application in the organisation. They are integral to multiple practices within the OWASP SAMM, including threat modelling, security testing and security requirements. Without appropriately defined profiles, an organisation can potentially exert vast amounts of effort trying to solve small problems. But what does a good set of application risk profiles look like? Do they change depending on the maturity level of the organisation? How can someone get started defining a set of effective profiles? This talk will cover the importance of application risk profiles, practical advice for defining profiles for any organisation of any size, maturity and budget, and how profiles can be used to supercharge any organisation's application security program. It will give concrete examples of profiles from the trenches of actual organisations' application security programs and provide examples of where profiles can be leveraged in real-world situations to solve large problems.

Speaker bio

Daniel has always had a curiosity for development and application security, from writing a mobile application that identifies types of shopping carts to win a Google hack day competition to helping Australian enterprises build application security programs from the ground up. He has now been in the industry for over a decade in a variety of roles, ranging from Network Security Engineer to Enterprise Security Architect to Director. Having worked as both a practitioner and executive in cyber security, he has an acute understanding of both the practical aspects of application security and how it fits into the bigger picture of helping organisations manage their risks. He now runs the Penetration Testing and Security Architecture teams as Chief Optimist (CTO) at Phronesis Security.