13 Nov 2019 OWASP AppSec Day 2019
This was to be my first OWASP AppSec day so I was unsure of what to expect. I’m pleased to report that it turned out to be one of the best security-related conferences I’ve attended.
Killin’ the keynote
It started like any normal I.T. conference: lots of coffee and everyone standing around not quite sure what’s going on. However, the talks soon kicked off with a bang in the form of a keynote speech from Tanya Janca!
Tanya managed to give an exciting and engaging talk about why everyone should think about security, and how we can all work together to make everything more secure. She also threatened to stare at me for 9 minutes if I didn’t raise my right hand and swear to not break builds unless I absolutely had to, so the devs on my team can now feel safe for another day.
For those not in the know, Tanya is a Canadian AppSec enthusiast and community leader. She started her local OWASP group, a Women in Security focused group, a Monday mentor program on Twitter, and just recently started a security company, Sidekick.
Tanya was a charismatic and genuine speaker. Her excitement and enthusiasm for what she does was clearly visible and made her very engaging.
Starting the tracks
After the keynote, the four separate conference tracks began. I’ll talk a little about some of the talks I attended.
First up for me was “Hunting bugs to extinction with static analysis” by Paul Theriault from Mozilla. It was an interesting talk outlining how the need for static code analysis came about, and how it helped them scale out bug fixes across all apps – not just the ones owned by their team. It was a great demonstration of how the process of finding security bugs in one application can be extended to improve the security of other applications.
Up next was a super inventive talk named “How do I content security policy?” by Kirk Jackson from Redshield. I loved his delivery style: he turned the presentation into a “choose your own adventure” style book that we had to navigate our way through until we had finished all of the slides. It was a great way to add some interaction to the talk and keep us engaged in what might otherwise become a boring topic. Along the way he made some great points about how to audit and track content security policy violations, and compile that data to help you build/review your policy. I am also wondering if you could log it and do anomaly-detection to help alert when someone is trying to attack your site.
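To make the audit-and-review idea concrete, here is an added example (my own, not from Kirk's talk): it aggregates browser CSP violation reports posted to a report-uri endpoint, lists the sources seen often enough to be review candidates for the policy, and flags sources never seen in a baseline window. The report bodies, hostnames and thresholds are constructed; the JSON shape assumed is the legacy "csp-report" object that browsers POST.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample reports in the legacy "csp-report" JSON shape that a
# browser POSTs to the report-uri endpoint: three loads from the site's own
# CDN, one inline script, one unexpected third-party host, one malformed body.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://shop.example/checkout", '
    '"effective-directive": "script-src", "blocked-uri": "https://cdn.example/app.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/cart", '
    '"violated-directive": "script-src \'self\'", "blocked-uri": "https://cdn.example/vendor.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/", '
    '"effective-directive": "style-src", "blocked-uri": "https://cdn.example/site.css"}}',
    '{"csp-report": {"document-uri": "https://shop.example/", '
    '"effective-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout", '
    '"effective-directive": "script-src", "blocked-uri": "https://evil-cdn.example/x.js"}}',
    'not json at all',
]

def parse_report(raw):
    """Return (directive, source) from one raw report body, or None if it is malformed."""
    try:
        body = json.loads(raw)["csp-report"]
        # Older browsers only send violated-directive, which may carry the policy value too.
        directive = body.get("effective-directive") or body["violated-directive"].split()[0]
        blocked = body["blocked-uri"]
    except (ValueError, KeyError, TypeError, AttributeError, IndexError):
        return None
    parts = urlsplit(blocked)
    # Keep only the origin; full paths would fragment the counts and add nothing to the review.
    source = f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else blocked
    return directive, source

def aggregate(raw_reports):
    """Count how often each (directive, source) pair was blocked, skipping unparseable reports."""
    return Counter(r for r in map(parse_report, raw_reports) if r is not None)

def suggest_allowlist(counts, min_hits=2):
    """Sources blocked at least min_hits times, grouped by directive, as policy review candidates."""
    out = {}
    for (directive, source), n in counts.items():
        if n >= min_hits:
            out.setdefault(directive, []).append(source)
    return {d: sorted(s) for d, s in out.items()}

def new_sources(counts, baseline):
    """(directive, source) pairs absent from the baseline window: the rows worth alerting on."""
    return sorted(k for k in counts if k not in baseline)
```

Run this against a Report-Only policy first: the candidate list tells you what the enforcing policy must allow, and the new-source alert is the simple anomaly check for a source that has never appeared before.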
We broke for lunch, and there were surprisingly great food options for everyone. It was all hot, fresh and very enjoyable.
After lunch, I sat in on a talk from the Cruise Automation guys about a new Kubernetes security tool they have just open-sourced, called K-Rail. If you use Kubernetes I would highly recommend giving it a look. It provides fast and detailed info to the end-user if a deployment violates a policy. They also had the live demo gods on their side and were able to successfully show off the tool in action, along with how to do some basic config.
Finishing out after the lunch break was “When Bots attack – Mischievous puppets and stolen treasures” by Andrew Logue from REA Group. It was a great talk about bot control and stopping content scrapers. Part of this was a new tool they are using called Kasada. The Kasada guys were able to do some great demos around stopping bots while not impacting real users. They also illustrated why it can be so hard to stop bots, showing how easy it was to spread a little bot over 2000+ IPs and hundreds of User Agents and do smart rate limiting.
That rounded out my day of talks. I spent the remainder of the afternoon chatting with vendors like Checkpoint and Hackerone, and checking out the lock-picking room. A lot of great products were on display, and Checkpoint looks to be doing some interesting stuff in the WAF space. It was well worth taking the time to have a look around.
This was a great day with fantastic talks, friendly vendors and lots of free coffee. I can’t believe how complete the entire experience was; OWASP events have moved up to “must see!” status for me. It was also very reasonably priced. Finally, I was impressed by the initiatives aimed at encouraging young people and women to move into AppSec. Hopefully, I’ll see you there next year!