August 5, 2016



Okay, I’ll admit that this blog comes a little late. But work pressures have kept me from writing this earlier than I would’ve liked to.To begin, my experience at the OWASP AppSecUSA this year was uh-maazing! It was great meeting old friends and making  new friends, while at the same time learning and discussing tons of Application Security at the event.The event started off on a high note for us at we45. We delivered a sold-out workshop on Security in DevOps (SecDevOps/DevSecOps) at the event. The interactions and engagement at the workshop, led me to firmly believe that creating automated, yet effective processes around security for DevOps implementations is the only way to go forward. We did many hands-on exercises including, Creating Customized Application Security Test Automation for CI services, Secrets Management, Integrating instrumented scans for tools like OWASP ZAP and w3af and much more. I learned much from the audience as I hope they did from me. Here are some of the testimonials from participants in the workshop.

One of the key themes for the rest of the conference was centered extensively around Security in DevOps and creating automated security pipelines. Some of my favourite talks were:

  • Practical Static Analysis by Justin Collins - which articulated the need to solve small problems incrementally, especially while performing static analysis in a Continuous Application Delivery setting.
  • I enjoyed the talk on Threat Modeling by Stephen de Vries, which was one of the key areas I covered in the workshop as well. The talk  had some practical takeaways, especially for threat modeling in a continuous delivery and DevOps of setting.
  • Another topic that interested me was a talk on protecting Containerized Apps with System Call Profiling and Exploiting CORS misconfigurations for Bitcoins and Bounties by Chenxi Wang and James Kettle respectively. There was a ton of new material that I am going to take back from these talks, the keynotes and the deep interactions I had with my audiences at the workshop and outside it.

One thing that emerged from this conference is that the Application Security industry is clearly committed to ensuring that Application Security stays in step with the massively disruptive and quick-to-change trends in a world of Continuous Delivery. While I was elated at the fact that our team at we45 have been implementing several elements of what was being highlighted in this conferences, with our clients and our workshops, I also took away some great content from some of the smartest people in the security world.I am looking forward to more Security in DevOps and what I am sure, would be rapidly evolving tech in this space. One thing I can say for sure, we45 will be working overtime to deliver the best in Security in DevOps (SecDevOps) for our clients and trainees in 2017 and beyond. I’d like to thank the organizers, volunteers and office bearers at OWASP for bringing us a great conference.