One of the things I did to welcome the New Year, was to “surprise surprise”, attend a conference. This time it was the OWASP AppSecCali 2018 in Los Angeles. I had missed it last year, and I was pretty excited to be there. The location seemed to be great, Annenberg Beach House, true to its name, a stunning property next to the beach on the Pacific Coast Highway. I had heard much from friends who attended the same conference in 2017.
I was doubly excited, as I was presenting our integration with the amazing Robot Framework at the event. After my team at we45, and many of our clients, had seen an immense value-add from Security integration with Robot Framework, I had decided to open source the product and share its goodness with the world. This was a new talk for me, and I was eager to get opinions on it from colleagues and friends who attend this conference from all over the globe. Slides for my talk are here =>link. Do let me know if you want more details on this. Suffice to say, the conference was really great. It lived up to its reputation of being a great opportunity to network with the best in the industry, a great venue to learn some of the latest and greatest in Application Security, and an intimate experience where you could really interact with people without getting lost in a massive crowd, as is the case with many a conference. I’d like to thank the OWASP Chapters that worked really hard to put this event together, including Los Angeles, Orange County, Bay Area and others.
I attended quite a few talks, and although I missed some because they conflicted with my talk :(, I had a chance to meet some of these amazing speakers and pick their brains about the state and future of application security. Here are a few of my impressions from the event, and what I believe will be the state of things to come in Application Security.
Ignore Threat Modeling at your own Peril
A major theme of the conference seemed to converge around some very useful and timely content on Threat Modeling. Be it Jonathan Marcil’s talk on the Threat Modeling Toolkit (link here) or the panel on Threat Modeling with Adam Shostack, Brook Schoenfield, Jonathan Marcil and Izar Tarandach, I truly enjoyed the insights on the need for, importance of and approaches to Threat Modeling. While I hate to say “I told you so”, the focus on Threat Modeling mirrors my repeated emphasis to many of my clients on why they ABSOLUTELY NEED Threat Modeling to reduce friction in Continuous Delivery environments. To summarize:
These were some of the broad points from the different Threat Modeling sessions. I think the message is loud and clear. You need to do Threat Modeling to derive valuable security outcomes for your Application Security Program. And if your Threat Modeling practice is siloed and mostly static, even in the light of a fast-changing, evolving product landscape, you need to rethink the strategic and tactical aspects of your Threat Modeling practice.
DevSecOps is here to stay
The Conference could essentially have had a “Make Security Go Faster” theme to it, given the number of DevSecOps (or similarly oriented) talks that were being delivered by various folks, including me. Most folks at the conference recognize that Security is a blocker for many an engineering team, and it is up to security to start enabling things to happen for the engineering teams. In my opinion, this is a HUGE shift from the time when security folks would pride themselves on being naysayers or pointing out the mistakes of those “idiot developers”. Things have changed, and for the better. Security folks realize that Engineering is only going faster, and that blocking engineering is bad not only for the organization but for the security team itself. They realize that enabling Engineering Teams by being a part of them is more important than being an “oracle of esoteric security knowledge”. Some of the important observations from the talks I attended at AppSecCali:
This is not to say that there weren’t other great talks at the conference. There were a plethora of talks about specific exploits, Privacy, and related concerns, among others. In addition, there was a great talk by OWASP Board Member Andrew van der Stock on the new OWASP Top 10, the process of identifying the Top 10, and the approaches security professionals should take to test for and identify security issues using the OWASP Top 10 and other OWASP resources. All in all, I found this to be a very useful and fun conference; I would highly recommend it and look forward to it in 2019.