What I Learned Watching All 44 AppSec Cali 2019 Talks

2 Days | 4 Rooms | ~32 Hours of Talks

Table of Content

Account Security

Blue Team

Cloud Security

Containers / Kubernetes

Keynotes

Misc

Securing 3rd Party Code

Security Tooling

Threat Modeling

Web Security

OWASP AppSec California is one of my favorite security conferences: the talks are great, attendees are friendly, and it takes place right next to the beach in Santa Monica. Not too shabby 😎

One problem I always have, though, is that there are some great talks on the schedule that I end up missing.

So this year I decided to go back and watch all 44 talks from last year’s con, AppSec Cali 2019, and write a detailed summary of their key points.

If I had realized how much time and effort this was going to be at the beginning I probably wouldn’t have done it, but by the time I realized that this endeavor would take hundreds of hours, I was already too deep into it to quit 😅

What’s in this Post

This post is structured as follows:

  • Stats: Some high level stats and trends: which talk categories were most popular? Which companies gave the most talks?

  • Overview of Talks: A quick rundown of every talk in a few lines each, so you can quickly skim them and find the talks that are most directly relevant to you.

  • Summaries: detailed summaries of each talk, grouped by category.

Note the navigation bar on the left hand side, which will enable you to quickly jump to any talk.

Feedback Welcomed!
If you’re one of the speakers and I’ve left out something important, please let me know! I’m happy to update this. Also, feel free to let me know about any spelling or grammar errors or broken links.

If you find DevSecOps / scaling really interesting, I’d love to chat about what you do at your company / any tips and tricks you’ve found useful. Hit me up on Twitter, LinkedIn, or email.

Stats

In total, AppSec Cali 2019 had 44 talks that were a combined ~31.5 hours of video.

Here are the talks grouped by the category that I believed was most fitting:

We can also see that containers and Kubernetes were fairly popular topics (3).

Some things I found surprising were how many talks there were on threat modeling (4) and account security (4), and how there were only 3 primarily cloud security-focused talks. Perhaps the biggest surprise was that there were 3 talks on securing third-party code, with Slack discussing the steps they took to evaluate Slack bots and Salesforce discussing the review process on their AppExchange.

Here we see Netflix crushing it: they had presence on a panel, gave one of the keynotes, and collectively had 3 other talks. And of these 5 talks, 3 made my top 10 list. Not too shabby 👍

In second place, we see Segment coming in strong!

Netflix, Segment, and Dropbox were on at least one panel, while the rest of the companies listed had separate talks.

Overview of Talks

For your ease of navigation, this section groups all of the talks by category, gives a high-level description of what they’re about, and provides a link to jump right to their summary.

Note: the talks in each category are listed in alphabetical order, not in my order of preference.

My Top 10 Talks

This section lists my top 10 favorite talks from AppSec Cali 2019 ❤️

It was incredibly difficult narrowing it down to just 10, as there were so many good talks. All of these talks were selected because they are information-dense with detailed, actionable insights. I guarantee you’ll learn something useful from them.


A Pragmatic Approach for Internal Security Partnerships
Scott Behrens, Senior AppSec Engineer, Netflix | Twitter | Linkedin
Esha Kanekar, Senior Security Technical Program Manager, Netflix | Linkedin

How the Netflix AppSec team scales their security efforts via secure defaults, tooling, automation, and long term relationships with engineering teams.


A Seat at the Table
Adam Shostack, President, Shostack & Associates | Twitter | Linkedin

By having a “seat at the table” during the early phases of software development, the security team can more effectively influence its design. Adam describes how security can earn its seat at the table by using the right tools, adapting to what’s needed by the current project, and the soft skills that will increase your likelihood of success.


Cyber Insurance: A Primer for Infosec
Nicole Becher, Director of Information Security & Risk Management, S&P Global Platts | Twitter | Linkedin

A lovely jaunt through the history of the insurance industry, the insurance industry today (terminology you need to know, types of players), where cyber insurance is today and where it’s headed, example cyber insurance policies and what you need to look out for.


(in)Secure Development - Why some product teams are great and others aren’t…
Koen Hendrix, InfoSec Dev Manager, Riot Games | Twitter | Linkedin

Koen describes analyzing the security maturity of Riot product teams, measuring that maturity’s impact quantitatively using bug bounty data, and discusses one lightweight prompt that can be added to the sprint planning process to prime developers about security.


Lessons Learned from the DevSecOps Trenches
Clint Gibler, Research Director, NCC Group | Twitter | Linkedin
Dev Akhawe, Director of Security Engineering, Dropbox | Twitter | Linkedin
Doug DePerry, Director of Product Security, Datadog | Twitter | Linkedin
Divya Dwarakanath, Security Engineering Manager, Snap | Twitter | Linkedin
John Heasman, Deputy CISO, DocuSign | Linkedin
Astha Singhal, AppSec Engineering Manager, Netflix | Twitter | Linkedin

Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.

Netflix’s Layered Approach to Reducing Risk of Credential Compromise
Will Bengston, Senior Security Engineer, Netflix | Twitter | Linkedin
Travis McPeak, Senior Security Engineer, Netflix | Twitter | Linkedin

An overview of efforts Netflix has undertaken to scale their cloud security, including segmenting their environment, removing static keys, auto-least privilege of AWS permissions, extensive tooling for dev UX (e.g. using AWS credentials), anomaly detection, preventing AWS creds from being used off-instance, and some future plans.


Starting Strength for AppSec: What Mark Rippetoe can Teach You About Building AppSec Muscles
Fredrick “Flee” Lee, Head Of Information Security, Square | Twitter | Linkedin

Excellent, practical and actionable guidance on building an AppSec program, from the fundamentals (code reviews, secure code training, threat modeling), to prioritizing your efforts, the appropriate use of automation, and common pitfalls to avoid.


The Call is Coming From Inside the House: Lessons in Securing Internal Apps
Hongyi Hu, Product Security Lead, Dropbox | Twitter | Linkedin

A masterclass in the thought process behind and technical details of building scalable defenses; in this case, a proxy to protect heterogeneous internal web applications.


Startup Security: Starting a Security Program at a Startup
Evan Johnson, Senior Security Engineer, Cloudflare | Twitter | Linkedin

What it’s like being the first security hire at a startup, how to be successful (relationships, security culture, compromise and continuous improvement), what should inform your priorities, where to focus to make an immediate impact, and time sinks to avoid.


Working with Developers for Fun and Progress
Leif Dreizler, Senior AppSec Engineer, Segment | Twitter | Linkedin

Resources that have influenced Segment’s security program (talks, books, and quotes), and practical, real-world tested advice on how to: build a security team and program, do effective security training, successfully implement a security vendor, and the value of temporarily embedding a security engineer in a dev team.

Account Security

Automated Account Takeover: The Rise of Single Request Attacks
Kevin Gosschalk, Founder and CEO, Arkose Labs | Twitter | Linkedin

Defines “single request attacks,” describes challenges of preventing account takeovers, gives examples of the types of systems bots attack in the wild and how, and recommendations for preventing account takeovers.


Browser fingerprints for a more secure web
Julien Sobrier, Lead Security Product Owner, Salesforce | Linkedin
Ping Yan, Research Scientist, Salesforce | Linkedin

How Salesforce uses browser fingerprinting to protect users from having their accounts compromised. Their goal is to detect sessions being stolen, including by malware running on the same device as the victim (which therefore has the same IP address).


Contact Center Authentication
Kelley Robinson, Dev Advocate, Account Security, Twilio | Twitter | Linkedin

Kelley describes her experiences calling in to 30 different companies’ call centers: what info they requested to authenticate her, what they did well, what they did poorly, and recommendations for designing more secure call center authentication protocols.


Leveraging Users’ Engagement to Improve Account Security
Amine Kamel, Head of Security, Pinterest | Twitter | Linkedin

Pinterest describes how it protects users who have had their credentials leaked in third-party breaches using a combination of programmatic and user-driven actions.

Blue Team

CISO Panel: Baking Security Into the SDLC
Richard Greenberg, Global Board of Directors, OWASP | Twitter | Linkedin
Coleen Coolidge, Head of Security, Segment | Twitter | Linkedin
Martin Mazor, Senior VP and CISO, Entertainment Partners | Linkedin
Bruce Phillips, SVP & CISO, Williston Financial | Linkedin
Shyama Rose, Chief Information Security Officer, Avant | Linkedin

Five CISOs share their perspectives on baking security into the SDLC, DevSecOps, security testing (DAST/SAST/bug bounty/pen testing), security training and more.


It depends…
Kristen Pascale, Principal Techn. Program Manager, Dell EMC | Linkedin
Tania Ward, Consultant Program Manager, Dell | Linkedin

What a PSIRT team is, Dell’s PSIRT team’s workflow, common challenges, and how PSIRT teams can work earlier in the SDLC with development teams to develop more secure applications.


On the Frontlines: Securing a Major Cryptocurrency Exchange
Neil Smithline, Security Architect, Circle | Twitter | Linkedin

Neil provides an overview of cryptocurrencies and cryptocurrency exchanges, the attacks exchanges face at the application layer, on wallets, user accounts, and on the currencies themselves, as well as the defenses they’ve put in place to mitigate them.


The Art of Vulnerability Management
Alexandra Nassar, Senior Technical Program Manager, Medallia | Linkedin
Harshil Parikh, Director of Security, Medallia | Linkedin

How to create a positive vulnerability management culture and process that works for engineers and the security team.

Cloud Security

Cloud Forensics: Putting The Bits Back Together
Brandon Sherman, Cloud Security Tech Lead, Twilio | Linkedin

An experiment in AWS forensics (e.g. Does the EBS volume type or instance type matter when recovering data?), advice on chain of custody and cloud security best practices.


Detecting Credential Compromise in AWS
Will Bengston, Senior Security Engineer, Netflix | Twitter | Linkedin

How to detect when your AWS instance credentials have been compromised and are used outside of your environment, and how to prevent them from being stolen in the first place.

Containers / Kubernetes

Authorization in the Micro Services World with Kubernetes, ISTIO and Open Policy Agent
Sitaraman Lakshminarayanan, Senior Security Architect, Pure Storage | Twitter | Linkedin

The history of authz implementation approaches, the value of externalizing authz from code, authz in Kubernetes, and the power of using Open Policy Agent (OPA) for authz with Kubernetes and ISTIO.


Can Kubernetes Keep a Secret?
Omer Levi Hevroni, DevSecOps Engineer, Soluto | Twitter | Linkedin

Omer describes his quest to find a secrets management solution that supports GitOps workflows, is Kubernetes native, and has strong security properties, which led to the development of a new tool, Kamus.


How to Lose a Container in 10 Minutes
Sarah Young, Azure Security Architect, Microsoft | Twitter | Linkedin

Container and Kubernetes best practices, insecure defaults to watch out for, and what happens when you do everything wrong and make your container or cluster publicly available on the Internet.

Keynotes

Fail, Learn, Fix
Bryan Payne, Director of Engineering, Product & Application Security, Netflix | Twitter | Linkedin

A discussion of the history and evolution of the electrical, computer, and security industries, and how the way forward for security is a) sharing knowledge and failures and b) creating standard security patterns that devs can easily apply, raising the security bar at many companies, rather than improvements helping just one company.


How to Slay a Dragon
Adrienne Porter Felt, Chrome Engineer & Manager, Google | Twitter | Linkedin

Solving hard security problems in the real world usually requires making tough tradeoffs. Adrienne gives 3 steps to tackle these hard problems and gives examples from her work on the Chrome security team, including site isolation, Chrome security indicators (HTTP/s padlock icons), and displaying URLs.


The Unabridged History of Application Security
Jim Manico, Founder, Manicode Security | Twitter | Linkedin

Jim gives a fun and engaging history of computer security, including the history of security testing, OWASP projects, and XSS, important dates in AppSec, and the future of AppSec.

Misc

How to Start a Cyber War: Lessons from Brussels-EU Cyber Warfare Exercises
Christina Kubecka, CEO, HypaSec | Twitter | Linkedin

Lessons learned from running EU diplomats through several realistic cyber warfare-type scenarios, and a fascinating discussion of the interactions between technology, computer security, economics, and geopolitics.

Securing Third-Party Code

Behind the Scenes: Securing In-House Execution of Unsafe Third-Party Executables
Mukul Khullar, Staff Security Engineer, LinkedIn | Twitter | Linkedin

Best practices for securely running unsafe third-party executables: understand and profile the application, harden your application (input validation, examine magic bytes), secure the processing pipeline (sandboxing, secure network design).


Securing Third Party Applications at Scale
Ryan Flood, Manager of ProdSec, Salesforce | Twitter | Linkedin
Prashanth Kannan, Product Security Engineer, Salesforce | Twitter | Linkedin

The process, methodology, and tools Salesforce uses to secure third-party apps on its AppExchange.


Slack App Security: Securing your Workspaces from a Bot Uprising
Kelly Ann, Security Engineer, Slack | Twitter | Linkedin
Nikki Brandt, Staff Security Engineer, Slack | Linkedin

An overview of the fundamental challenges in securing Slack apps and the App Directory, the steps Slack is taking now, and what Slack is planning to do in the future.

Security Tooling

BoMs Away - Why Everyone Should Have a BoM
Steve Springett, Senior Security Architect, ServiceNow | Twitter | Linkedin

Steve describes the various use cases of a software bill-of-materials (BOM), including facilitating accurate vulnerability and other supply-chain risk analysis, and gives a demo of OWASP Dependency-Track, an open source supply chain component analysis platform.


Endpoint Finder: A static analysis tool to find web endpoints
Olivier Arteau, Desjardins | Twitter | Linkedin

A new tool to extract endpoints defined in JavaScript by analyzing its Abstract Syntax Tree.


Pose a Threat: How Perceptual Analysis Helps Bug Hunters
Rob Ragan, Partner, Bishop Fox | Twitter | Linkedin
Oscar Salazar, Managing Security Associate, Bishop Fox | Linkedin

How to get faster, more complete external attack surface coverage by automatically clustering exposed web apps by visual similarity.


The White Hat’s Advantage: Open-source OWASP tools to aid in penetration testing coverage
Vincent Hopson, Field Applications Engineer, CodeDx | Linkedin

How two OWASP tools can make penetration testers more effective and demos using them. Attack Surface Detector extracts web app routes using static analysis and Code Pulse instruments Java or .NET apps to show your testing coverage.


Usable Security Tooling - Creating Accessible Security Testing with ZAP
David Scrobonia, Security Engineer, Segment | Twitter | Linkedin

An overview and demo of ZAP’s new heads-up display (HUD), an intuitive and awesome way to view OWASP ZAP info and use ZAP functionality from within your browser on the page you’re testing.

Threat Modeling

Game On! Adding Privacy to Threat Modeling
Adam Shostack, President, Shostack & Associates | Twitter | Linkedin
Mark Vinkovits, Manager, AppSec, LogMeIn | Twitter | Linkedin

Adam Shostack and Mark Vinkovits describe the Elevation of Privilege card game, built to make learning and doing threat modelling fun, and how it’s been extended to include privacy.


Offensive Threat Models Against the Supply Chain
Tony UcedaVelez, CEO, VerSprite | Twitter | Linkedin

The economic and geopolitical impacts of supply chain attacks, a walkthrough of supply chain threat modeling from a manufacturer’s perspective, and tips and best practices in threat modeling your supply chain.


Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team
Izar Tarandach, Lead Product Security Architect, Autodesk | Twitter | Linkedin

Attributes required by threat modelling approaches in order to succeed in Agile dev environments, how to build an organization that continuously threat models new stories, how to educate devs and raise security awareness, and PyTM, a tool that lets you express TMs via Python code and output data flow diagrams, sequence diagrams, and reports.

Web Security

An Attacker’s View of Serverless and GraphQL Apps
Abhay Bhargav, CTO, we45 | Twitter | Linkedin

An overview of functions-as-a-service (FaaS) and GraphQL, relevant security considerations and attacks, and a number of demos.


Building Cloud-Native Security for Apps and APIs with NGINX
Stepan Ilyin, Co-founder, Wallarm | Twitter | Linkedin

How NGINX modules and other tools can be combined to give you a live dashboard of malicious traffic, automatic alerts, blocking of attacks and likely bots, and more.


Cache Me If You Can: Messing with Web Caching
Louis Dion-Marcil, Information Security Analyst, Mandiant | Twitter | Linkedin

Three web cache related attacks are discussed in detail: cache deception, edge side includes, and cache poisoning.


Inducing Amnesia in Browsers: the Clear Site Data Header
Caleb Queern, Cyber Security Services Director, KPMG | Twitter | Linkedin

Websites can use the new Clear-Site-Data HTTP header to control the data their users store in their browser.


Node.js and NPM Ecosystem: What are the Security Stakes?
Vladimir de Turckheim, Software Engineer, Sqreen | Twitter | Linkedin

JavaScript vulnerability examples (SQLi, ReDoS, object injection), ecosystem attacks (e.g. ESLint backdoored), best practice recommendations.


Preventing Mobile App and API Abuse
Skip Hovsmith, Principal Engineer, CriticalBlue | Twitter | Linkedin

An overview of the mobile and API security cat and mouse game (securely storing secrets, TLS, cert pinning, bypassing protections via decompiling apps and hooking key functionality, OAuth2, etc.), described through an example back and forth between a package delivery service company and an attacker-run website trying to exploit it.

Phew, that was a lot!

To read a detailed summary of any of the above talks, click on the talk title above their descriptions or in the table of contents at the top of this post.