Is APPSEC CALI 19 CONFERENCE Worth the $?
What a refreshing conference... that, in a nutshell, was my thinking on the last day of the AppSec Cali 2019 conference. Logistics were flawless, thanks to the volunteers, and the location was terrific, with the Annenberg Community Beach House overlooking the Santa Monica beach and the calm "winter" Pacific Ocean. The schedule was well paced and packed with exciting talks and keynotes, which I will briefly summarise in this article.
Nevertheless, those are not the key things that made AppSec Cali different from other great conferences (like Black Hat, DEF CON, BSides...).
What made the difference, aside from the climate and the view, was the small and collected nature of the conference.
Throughout the whole conference, I felt like I was amongst a group of friends coming together, discussing ideas and collectively progressing InfoSec.
Maybe it was the relaxed nature of Southern California (read it as SoCal), perhaps it was the beach, but the conference was a fantastic and relaxed way to network, discuss and share ideas with fellow InfoSec professionals.
This report represents my view of the conference, but I'd love to hear your opinion on other application-focused conferences. Things I'd like to hear from you:
- What do you think about these reports? Do you find them useful?
- Which conferences (AppSec and DEV) did you enjoy this year?
- What do you think of AppSec Cali or similar conferences?
- How can DEV teams be included in the security discussion?
Note: most of the pictures in this article are mine, but where they are not, I'll credit the author.
Speakers:
The organiser, Richard Greenberg, keeps putting effort into improving cybersecurity in the application world by organising events like this and ISSA-LA.
The speaker lineup was broad, with a top line of speakers and subject matter experts.
Nonetheless, the other speakers were no less impressive than the headline speakers.
For the full list of speakers, refer to AppSec Cali Speakers.
The Beginning:
The bright day started with a short commute along the beach toward the convention center. The ride of choice was the Uber electric scooter, given the inclement weather... 20 degrees and sunny...
After a short, fun ride, the path to the convention center runs through the Santa Monica beach, skirting the Pacific Coast Highway (PCH).
Richard Greenberg kicked off the conference with a nice introduction of the various sponsors.
Richard also offered a gentle reminder of the OWASP core values.
Like any other convention, the sponsors and vendors were there, but they were not intrusive, and the poolside view is a nice perk.
Nonetheless, Richard allowed time to recognise the effort and the contribution of the various sponsors and vendors.
To cite and thank just a few sponsors: Netsparker, ShiftLeft, Checkmarx, Qualys, and many others.
After an excellent introduction from Richard, the round of talks started; I'll offer some highlights on the ones I attended and my opinion on the ones I liked the most.
A note for the folks: those are purely my opinions, and my views do not represent those of my employer (yadda yadda yadda)...
CISO Panel
The CISO panel had two key ingredients: CISOs from startups to financials, as well as well-seasoned CISOs.
As a CISO myself, and having supported CISOs in their role in various consulting projects with NSC42, I found this panel very insightful.
The panel was formed of (left to right):
- Bruce Phillips SVP & CISO of Williston Financials
- Martin Mazor Senior VP and CISO at Entertainment Partners
- Shyama Rose CISO at Avant
- Coleen Coolidge Head of security at Segment
The panel went quite flawlessly, explaining the modern challenges CISOs face when establishing an AppSec program. The nice part of the panel was that it mixed different genders and different organisation sizes (from well established to startups). Richard did a great job moderating and pacing the questions.
One interesting concept I took from the whole talk was the struggle with the DEV-SEC-OPS definition, which I believe is a big dilemma these days. (If you were asking yourself: yes, that's me in the second row, so I haven't taken that picture :) )
The DEV-OPS concept is still maturing, and DEV-SEC-OPS is an evolution of it, with DEV-BIZ-SEC-OPS as a natural consequence. In the latter, proposed in the CISO panel, the business becomes an integral part of the development and operational process.
Also of note was the nice gender balance and the effort AppSec is making to sponsor women in cybersecurity.
Adrienne Porter Felt opens with the Chrome improvements on web security
2019 marked the year when half of the web pages turned HTTPS on. There is still a lot to do, though.
Adrienne Porter Felt, Google engineer and manager for Chrome, explained the challenges faced by the public with "secure" web pages.
When HTTPS was introduced, how to visualise the page state in the URL bar was debated. Initially, people thought that if the URL was green (and the colour green was long discussed) the page content was safe. HTTPS guarantees the safety of the client-server communication, not the content of the page.
Google is also running a series of phishing test campaigns to raise awareness and is ultimately working to kill the URL (read the interesting Wired article for more info).
Nonetheless, there is an inherited perception that a page is safe when the URL is displayed in green.
Slack had similar challenges when presenting the apps in their store (see my take on Slack's talk below).
Netflix and the security pizza
William Bengtson and Travis McPeak gave, in my opinion, one of the best presentations. Working as a CISO and cloud security architect in different roles with NSC42, I found that this talk provided tools and insight into AWS that will be precious for my clients.
I shared some of Will and Travis's views on the fast spin-up of instances in a DevOps world, as I've seen this, on a smaller scale, with a number of my clients. The talk on the security layers deployed by Netflix was a step onward from the presentation William gave at Black Hat 2018 on credential compromise detection.
The talk used a pizza analogy, and William was wearing the "you got me at pizza" T-shirt (nice prop). Each layer of security had its own ingredient in the analogy. The talk was well paced, and the exchange between Travis and William was smooth.
Considering the challenges of a two-person presentation, I have to say William and Travis handled the introduction calmly and appeared well prepared.
I apologise for the speech analysis, but my Toastmasters public speaking club training nags at me sometimes.
The talk presented the various layers, starting with the metadata proxy and the different attack scenarios leveraging the instance metadata.
Another interesting topic was the temporary keys issued to DEVs, with privileges that are sometimes higher but under access control... Netflix has almost achieved on AWS the just-in-time access that Azure is working on with Security Center.
The next layer added on top of the security pizza is the collection and reduction of the roles and permissions each VM has...
Last but not least, the level of monitoring and alerting Netflix does is terrific. Rarely have I seen an organisation that knows its infrastructure to the degree where it can detect so carefully when something deviates from the norm... nonetheless, this comes at a cost (and William's buzzer in the middle of the night).
Aside from the structure of the talk, I've been amazed by the level of sharing and giving back to the community Netflix is doing.
Flee talks about powerlifting and AppSec
Following the CISO talk, another heavyweight in security, Frederick Lee (Flee), head of information security at Square, had a flawless take on an AppSec programme.
Aside from the content, which was easy to understand and well paced, I have to say I admired the talk as it was well structured. Flee introduced the topics and the key elements at the beginning, narrated them with analogies and concluded with the same themes he started with.
The talk had a nice touch of analogies between powerlifting, Flee's passion, and an AppSec programme.
The talk revolved around the three fundamentals of powerlifting and the AppSec programme:
- Code review of the critical code (prioritise)
- Training for developers that is specific to their dev language
- Threat modelling of the essential applications
In conclusion, a well-structured AppSec program is hard to kill (as strong people are).
The honesty of Slack — AppStore security challenges
Nikki Brandt and Kelly Ann presented the problems Slack security had in introducing the apps to the AppStore.
So, the Slack App Directory:
Like any other startup, there are challenges in security, and an organisation at its inception has to strike a balance when doing pentests or bug bounties.
Nonetheless, there is an inherited "trust" that people place in an app when selecting it from a store that is part of your application...
Despite the best disclaimers, this might impact Slack's brand, and there was no solution yet... but they are getting there.
Despite closing on an uncertain note, I appreciated the honesty of the talk and the challenges faced.
Closing Day 1 with Bryan on what improves in AppSec
Bryan Payne (@bdpsecurity), Netflix's director of engineering, product and application security, delivered a remarkable closing note on the history of application security and the lessons learnt.
Netflix gave a lot to this conference: each talk was polished, well presented and gave something back to the community.
So we keep on making the same mistakes we were making a long time ago... and for one reason: the basic stuff is also the hardest to implement...
Nonetheless, Bryan gave us a few essential items that did work in the past and will keep improving things in the future.
The two most important are learning better from mistakes and sharing the knowledge with the community (one of the critical things Netflix does brilliantly).
The other important one was improving fixes to the code, and with this Bryan stressed a pragmatic approach: you can't fix and review it all, so prioritise the fixes on what is vital and critical.
Bryan also shared a few open source tools that can make code review an easier job. One open source project mentioned was SPIFFE: a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments.
Threat Modelling and the gamification in InfoSec
Aside from the Capture The Flag (CTF), I also appreciated the talk on threat modelling and the idea of introducing gamification into threat modelling.
The talk was also complemented by the other talk from Adam:
We as security people need better ways to engage with the business.
Ultimately, a process that could end up being complicated and difficult, like threat modelling, could be turned into something fun with a card game.
AppSec, CTF and lots of other talks at AppSec Cali
Aside from the main talks, AppSec Cali had a CTF and pentest basics open to all skill sets.
The conference and the training were oriented to InfoSec people but, most importantly, to DEVs.
The whole effort is to improve the overall security in the development process.
Other talks were remarkable, but I will just mention them:
Vulnerability management from a security PM perspective
Alexandra Nassar and Harshil Parikh (absent) walked us through the challenges of security in an organisation that perceives security as a blocker, and also how perk personalisation (the logo is her creation) and branding can massively help an AppSec programme.
Netflix also had its own version:
William from Netflix on identifying lost keys in the cloud
William once again delivered an overview of how to prevent AWS credential exfiltration.
The talk was a take on the previous talk from Black Hat USA 2018 (video not available),
but the whitepaper is available.
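As an added example, not code from Netflix or from either of William's talks (the security pizza monitoring layer above and the lost keys talk here), this toy Python detector models the credential compromise detection idea: temporary credentials obtained by an instance should only ever be used from that instance, so a call with the same access key from a new source IP is a deviation from the norm worth alerting on. The CloudTrail-like events, IPs and access key ids are constructed for the example.

```python
"""Toy detector for AWS temporary-credential misuse (illustration only).

Models one layer of the monitoring described in the talks: the first source
IP seen using a temporary access key is taken as its legitimate origin, and
any later use of that key from another IP is flagged.
"""

# Constructed CloudTrail-like events (not real data). In practice these would
# come from a CloudTrail/CloudWatch feed. Calls made by AWS services on the
# principal's behalf report a "*.amazonaws.com" name instead of an IP and
# must not be treated as a new origin.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "accessKeyId": "ASIAEXAMPLE111", "sourceIPAddress": "10.0.1.23"},
    {"eventName": "GetObject",         "accessKeyId": "ASIAEXAMPLE111", "sourceIPAddress": "10.0.1.23"},
    {"eventName": "ListBuckets",       "accessKeyId": "ASIAEXAMPLE111", "sourceIPAddress": "203.0.113.9"},
    {"eventName": "PutObject",         "accessKeyId": "ASIAEXAMPLE111", "sourceIPAddress": "s3.amazonaws.com"},
    {"eventName": "GetCallerIdentity", "accessKeyId": "ASIAEXAMPLE222", "sourceIPAddress": "10.0.2.5"},
]


def is_aws_service_call(source: str) -> bool:
    """True when the caller is an AWS service acting for the principal."""
    return source.endswith(".amazonaws.com")


def detect_credential_misuse(events):
    """Return one alert per event where a temporary key is used from a new IP.

    Only temporary (STS) keys are considered; their access key ids start
    with "ASIA". Service-originated calls are skipped, since they do not
    reveal where the credential really lives.
    """
    first_seen = {}   # accessKeyId -> first IP that used it
    alerts = []
    for ev in events:
        key, src = ev["accessKeyId"], ev["sourceIPAddress"]
        if not key.startswith("ASIA") or is_aws_service_call(src):
            continue
        origin = first_seen.setdefault(key, src)
        if src != origin:
            alerts.append({"accessKeyId": key, "expected_ip": origin,
                           "seen_ip": src, "eventName": ev["eventName"]})
    return alerts


if __name__ == "__main__":
    for a in detect_credential_misuse(SAMPLE_EVENTS):
        print(f"ALERT {a['accessKeyId']}: {a['eventName']} from "
              f"{a['seen_ip']} (expected {a['expected_ip']})")
```

Pinning a key to the first IP that used it is a simplification; a production version would learn the origin from the instance's own metadata at credential issue time and tolerate legitimate IP changes.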
Closing Speech from Jim Manico
Jim Manico, founder of Manicode Security, is a well-known and respected contributor to the OWASP chapter. Jim delivered the closing talk of the second day with the history of application security.
Jim's stage presence and the way he talks about application security are amazing and show what a seasoned developer, and most crucially a security-oriented developer, he is.
He is also funny and solid throughout the talk.
Jim has become kind of a rockstar, with people asking to take a picture with him (photo taken by Daniel @danielblqz).
About Francesco the author
Francesco Cipollone is the director of NSC42, a public speaker who attends conferences; this year he reports on AppSec California.
For the full list of videos, refer to the YouTube OWASP AppSec Cali playlist.
If you'd like to hear more on this and other conferences, get in touch on the NSC42 blog page, LinkedIn and Medium. Francesco is an active researcher and director of events for the Cloud Security Alliance and part of ISC2. Francesco and NSC42 can help improve and align your organisation's security, cybersecurity strategy, cloud and traditional security architecture and DevS, offering a range of dedicated consultancy, webinars, guides and other materials. Get in touch with me on LinkedIn or via email at Francesco.cipollone @ NSC42.co.uk for collaboration or more information.
Note: most of the pictures on this website are mine, but feel free to reuse them under Creative Commons as long as the author and the article are cited.
CC licence BY-SA (Attribution + ShareAlike)
Conclusions
AppSec Cali 19 has been a refreshing conference; I will definitely come back and possibly submit to the Call For Papers next year.
The conference would never have happened without the effort of all the volunteers and Richard stringing it together.
Aside from the environment, the climate and the people, I've appreciated the effort that the OWASP chapter and fellow InfoSec people have put into improving the overall quality of the code by bringing the DEV community closer to the SEC community.
Aside from everything, Santa Monica is a fantastic place for a conference and for visitors overall, and I will come back for more InfoSec in Santa Monica (see you at ISSA XI in May).
Great write-up Francesco Cipollone! Glad to see one of my pics (Slack) made the cut for this too!
Allan Alford, this is one of the conference reports.
Hugo Marinho, David Boda, Stephen Owen: this might be of interest, especially the Netflix talks on AWS security.
Jane Frankland, this might be of interest.
Richard Greenberg, CISSP: the review of the AppSec Cali 19 conference, let me know what you think.