What a refreshing conference….that, in a nutshell, were my thoughts on the final day of AppSec Cali 2019 conference.
The logistics were flawless, thanks to the volunteers, and the location was terrific with the Annenberg Community Beach House overlooking the Santa Monica beach and the calm “winter” Pacific Ocean.
The schedule of the event was also well paced and packed with exciting talks and keynotes that I will briefly summarise in this article.
On reflection those are not the main things that made AppSec Cali stand out from other great conferences, like Black Hat, Defcon and BSides.
What made the difference, aside from the climate and the view, was the small and close nature of the conference.
Throughout the whole event, I felt like I was amongst a group of a friends coming together and discussing ideas and collectively progressing infosec.
Maybe it was the relaxed nature of Southern California, perhaps it was the beach, but whatever it was the conference was a fantastic and relaxed way to network, discuss and share ideas with fellow Infosec professionals.
Speakers:
The organiser Richard Greenberg deserves a special mention as he keeps on putting in the effort to improve cybersecurity, in the application world, by organising events like this and ISSA-LA
The headline speaker lineup was broad and included a wide-range of subject matter experts.
The rest of the speakers were top class too, covering a broad spectrum of topics, so there was something for everyone.
The Conference:
The first day started with sunshine and a short commute along the beach toward the convention centre.
My ride of choice was the Uber electric scooter due to the weather, which was 20 degrees and sunny, so I wanted to take the opportunity to enjoy it, as it was a far cry from London in January.
After a short fun ride, the path to the convention centre ran right through Santa Monica beach, skirting Pacific Coast Highway.
Richard Greenberg kicked off the conference with a nice invite to the various sponsors and a gentle reminder of the OWASP core values and now is a great time to give everyone a little reminder.
Like any other convention, the sponsors and vendors were there but it was not intrusive, and the poolside view was an added bonus.
After an excellent introduction from Richard, the first round of talks started; I’ll offer some highlights on the ones I attended and liked the most.
But please remember they are purely my opinion, and my view does not represent one of my employees (yadda yadda yadda)…
CISO Panel
The CISO panel has a varied makeup: from startups to financials CISO as well as seasoned CISO.
The panel was formed (left to right):
· Bruce Phillips SVP & CISO of Williston Financials
· Martin Mazor Senior VP and CISO at Entertainment Partners
· Shyama Rose CISO at Avant
· Coleen Coolidge Head of security at Segment
The panel, quite flawlessly, explained the modern challenges of CISOs when establishing an AppSec program.
The nice part of the panel was that it mixed up different genders and different organisation sizes (from well established to startups) and Richard did a great job moderating and pacing the questions.
One interesting concept that I got from the whole talk was the struggle with the DEV-SEC-OPS definition that I also believe is a big dilemma.
The DEV-OPS concept is still maturing, and the DEV-SEC-OPS is an evolution along with the natural consequence of the DEV-BIZ-SEC-OPS.
In the latter, proposed in the CISO panel, the business becomes an integral part of the development and operational process.
It is also important to note the gender balance and the efforts AppSec is making to sponsor and highlight women in Cybersecurity.
Adrienne Porter Felt opens with the chrome improvements on web security
2019 marked the year where half of the web pages turned HTTPs on. There is still a lot to do though.
Adrienne Porter Felt Google Engineer and manager for Chrome explained the challenges faced by the public with “secure” web pages.
When HTTPs was introduced the visualisation of the page in the URL was debated. Initially, people thought if the URLs were green, and the color green was long discussed, the page content was safe.
The use of HTTPs guarantees client-server safety of communication not the content of the page.
Also, Google is having a series of phishing test campaign to raise the awareness and are ultimately working to kill the URL (read the interesting wired article for more info).
Nonetheless, there is an inherited perception of safeties of a page when the URL is displayed in green.
Slack had similar challenges when presenting the apps in their store (see my take on Slack’s talk below)
Netflix and the security pizza
William Bengtson and Travis McPeak gave, in my opinion, one of the best presentations.
Their speech on the security layers deployed by Netflix was a step onward from the presentation William gave at Black Hat 2018 on credential compromise detection.
The talk had the pizza analogy, and William was wearing the “you got me at pizza” T-shirt (nice prop).
]The speech had the ingredient analogy for each layer of security and was well paced, while the exchange between Travis and William was smooth.
Considering the challenges of a two-person presentation, I have to say William and Travis handled the introduction calmly and appeared well prepared on their speech.
Sorry for the speech analysis but my Toastmaster Club teaching, nags at me sometimes.
The talk presented the various layers with the metadata proxy and the different scenario of attacks leveraging metadata.
Another interesting topic they covered is the temporary key issued to DEV and the privilege, sometimes higher, but with access control…Netflix almost got on AWS the on-time access that Azure is working on with security center.
The other layer added on top of the security pizza is the collection and reduction of roles and permission one VM has.
Last but not least is that the level of monitoring and alerting Netflix does is terrific.
Rarely I’ve seen an organization that knows their infrastructure to the degree where they can detect so carefully when something deviates from the norm…nonetheless, this comes at a cost.
Aside from the structure of the talk I’ve been amazed by the level of sharing and giving back to the community Netflix is doing.
Flee talks about powerlifting and AppSec
Following the CISO talk, another heavyweight in security Frederick Lee (flee), head of Information Security at Square, had a flawless take on an appsec programme.
Aside from the content, that was easy to understand and well-paced, I have to say I enjoyed the talk as it was well structured.
Flee introduced the topics and key elements at the beginning, narrated them with analogies and concluded with the same themes he started with.
The talk had a nice touch of analogies about powerlifting, Flee passion and an AppSec P
programme.
The talk revolved around the three fundamentals of powerlifting and the appsec programme.
· Code review of the critical code (priorities)
· Training for developers that is specific to their dev language
· Threat modeling of the essential applications
In conclusion, a well structured AppSec program is challenging to kill, just as strong people are.
The honesty of Slack — AppStore security challenges
Nikki Brandt and Kelly Ann presented the problems Slack Security had in introducing their apps to the AppStore.
Like any other startup, Slack faced challenges in security and finding the balance an organisation at inception has to have when doing pentest or bug bounties.
Nonetheless, there is an inherited “trust” of people when selecting an app in a store.
Despite the best disclaimer that might impact the brand of Slack and there was no solution yet…but they are getting there.
Despite the closure on the uncertain note, I appreciate the honesty of the talk and the challenges faced.
Closing Day 1 with Bryan Payne on what improves in appsec
Bryan Payne @bdpsecurity, Netflix’s director of Engineering, Product & Application Security, delivered a remarkable closing note on the history of application security and the learnings.
Netflix offered a lot in this conference, and each talk was polished, well presented and gave something back to the community.
So, we keep on making the same mistakes as we have always been doing, and for one reason the fact that the basic stuff is also the hardest to implement.
Despite that Bryan gave us all a few essential items that did work in the past and will keep on improving in the future.
The two most important lessons I took is, it's important to learn from our mistakes and sharing the knowledge with the community is key to moving forward, and this is one of the critical things that Netflix does brilliantly.
The other important one was improving fixes to the code, and with this Bryan stressed a pragmatic approach to the code: you can’t fix and review it all so prioritise the fixes which are vital and critical.
Bryanalso shared few open source tools that can make the code review an easier job.
One he mentioned was SPIFFE : a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments.
Threat modeling and the game of infosec
Aside from the Capture The Flag (CTF) elemement I also enjoyed the talk on threat modeling and the idea of gamification introduced into threat modeling.
They showed how some processes that could end up being complicated and difficult, like threat modeling, could be turned into something fun with a card game.
AppSec and CTF lots of other talks in appsec Cali
Aside from the main talks, Appsec Cali had CTF and pentest basic open to all the skill sets.
Most importantly the conference and the training were oriented to Infosec people but most importantly to DEV. The whole effort is to improve the overall security in the development process.
These are just some of the other talks that I really enjoyed.
The vulnerability management from a Security PM Prospective
Alexandra Nassar and Harshil Parikh (absent) walked us through the challenges of security in an organisation that perceives security as a blocker.
They also revealed how perks personalisation (the logo is her creation) and the branding can massively help an AppSec programme.
William from Netflix on Identifying lost keys in the cloud
William delivered once again the overview of how to prevent AWS credentials exfiltration
Closing Speech from Jim Manico
Jim Manico founder of Manicode Security is a well known and respected contributor to the OWASP chapter.
He delivered the closing talk of the second day about the history of application security.
His stage presence and the way he talks about application security was amazing and showed what a seasoned developer, and most crucial security-oriented developer he is.
Jim has become something of a rockstar with several people asking to have pictures with him (photo taken for Daniel @danielblqz)
Conclusions
Appsec Cali 19 was a refreshing conference and I will definitely be back and possibly send across a Call For Paper next year.
The conference would have never happened without the effort of all the volunteers and Richard pulling the whole thing together.
Aside from the environment, the climate and the people I really appreciate the effort that the OWASP chapter and fellow infosec people have put into improving the overall quality of the code by bringing the DEV community closer to the SEC community.
As well as everything else Santa Monica is a fantastic place for conference and I can't wait to go back again for ISSA XI in May.
Call to action:
I’d love to hear from you! Because your feedback is vital if we are to improve infosec, so leave a comment and engage in the conversation at the bottom of this article.
This report represents my view of the conference, but I’d love to hear your opinion on the other application-specific conferences.
· What conference (Appsec and DEV) did you enjoy this year?
· What do you think of AppSec Cali or similar conferences?
· How do you include DEV teams in the security discussion?
*Most of the pictures on this website are mine, but feel free to reuse them as long as the author and the article are cited.