Abhay Bhargav
February 6, 2018

My Impressions from OWASP AppSec Cali 2018

One of the things I did to welcome the New Year was, “surprise surprise”, to attend a conference. This time it was OWASP AppSecCali 2018 in Los Angeles. I had missed it last year, and I was pretty excited to be there. The location seemed to be great: Annenberg Beach House, true to its name, a stunning property next to the beach on the Pacific Coast Highway. I had heard much about it from friends who attended the same conference in 2017.

I was doubly excited, as I was presenting our integration with the amazing Robot Framework at the event. After my team at we45 and many of our clients had seen an immense value-add from Security integration with Robot Framework, I had decided to open source the product and share its goodness with the world. This was a new talk for me, and I was eager to get opinions on it from colleagues and friends who attend this conference from all over the globe. Slides for my talk are here =>link. Do let me know if you want more details on this. Suffice to say, the conference was really great. It lived up to its reputation of being a great opportunity to network with the best in the industry, a great venue to learn some of the latest and greatest in Application Security, and an intimate experience where you could really interact with people without getting lost in a massive crowd, as is the case with many a conference. I’d like to thank the OWASP Chapters that worked really hard to put this event together, including Los Angeles, Orange County, Bay Area and others.

I attended quite a few talks, and although I missed some because they conflicted with my talk :(, I had a chance to meet some of these amazing speakers and pick their brains about the state and future of application security. Here are a few of my impressions from the event, and what I believe will be the state of things to come in Application Security.

Ignore Threat Modeling at your own Peril

A major theme of the conference seemed to converge around some very useful and timely content on Threat Modeling. Be it Jonathan Marcil’s talk on the Threat Modeling Toolkit (link here) or the panel on Threat Modeling with Adam Shostack, Brook Schoenfield, Jonathan Marcil and Izar Tarandach, I truly enjoyed the insights on the need for, importance of and approaches to Threat Modeling. While I hate to say “I told you so”, the focus on Threat Modeling mirrors my repeated emphasis to many of my clients on why they ABSOLUTELY NEED Threat Modeling to reduce friction in Continuous Delivery environments. To summarize:

  • Threat Modeling needs to be inclusive and collaborative. Siloed security teams doing Threat Modeling DOES NOT work.
  • Threat Modeling needs to be a part of the Engineering Process. This should be, in many ways, both strategic and tactical. For instance, one of the ideas for threat modeling that I had recently proposed is to use “Abuser Stories” linked to User Stories to generate the Threat Model. The other tactical strategy that I really get behind and intend to research the c**p out of is Jonathan Marcil’s “Threat Modeling Toolkit”, which espouses the practice of “codifying” Threat Models as opposed to generating verbose Word Documents with massive and arcane DFDs (link). This would essentially drive the practice of using Threat Models as Code, like we have done with Infrastructure as Code or Application Security as Code, which are the cornerstones of successful DevSecOps initiatives.
  • Threat Modeling, like the Software Development Lifecycle (SDL) in several places, needs to be iterative, rather than this “frozen” entity.

While these were some of the broad points from the different Threat Modeling Sessions, I think the message is loud and clear. You need to do Threat Modeling to derive valuable security outcomes for your Application Security Program. And if your Threat Modeling Practice is siloed and mostly static, even in the light of a fast-changing, evolving product landscape, you need to rethink the strategic and tactical aspects of your Threat Modeling Practice.

DevSecOps is here to stay

The Conference could essentially have had a “Make Security Go Faster” theme to it, given the number of DevSecOps (or similarly oriented) talks that were being delivered by various folks, including me. Most folks at the conference recognize that Security is a blocker for many an engineering team, and that it is up to security to start enabling things to happen for the engineering teams. In my opinion, this is a HUGE shift from the time when security folks would pride themselves on being naysayers or pointing out the mistakes of those “idiot developers”. Things have changed, and for the better. Security folks realize that Engineering is only going faster and that blocking engineering is bad not only for the organization but for the security team itself. They realize that enabling Engineering Teams by being a part of them is more important than being an “oracle of esoteric security knowledge”. Some of the important observations from the talks I attended at AppSecCali:

  • Security Teams are pulled in several directions and they need to have more time available to do a great job of Application Security. This can be enabled by useful automation (like the one I showcased with the Robot Framework) and with more effective tooling baked right into the Continuous Delivery Pipeline. Security Testing in the pipeline is going to be the next big thing and a challenge to several organizations.
  • Security Teams have to collaborate with different teams including Quality Engineering, Project Management and Business Leaders to achieve desired outcomes.
  • Security Teams need a metric-driven (quantitative) approach to security activities, as highlighted with great examples in Richard Seiersen’s amazing talk. (link)

This is not to say that there weren’t other great talks at the conference. There were a plethora of talks about specific exploits, Privacy and related concerns, among others. In addition, there was a great talk by OWASP Board Member Andrew van der Stock on the new OWASP Top 10, the process of identifying the Top 10, and the approaches security professionals should take to test for and identify security issues using the OWASP Top 10 and other OWASP resources. All in all, I found this to be a very useful and fun conference, and I would highly recommend it and look forward to it in 2019.