• tl;dr sec
  • Posts
  • [tl;dr sec] #20 - What I Learned Watching All 44 AppSec Cali 2019 Talks

[tl;dr sec] #20 - What I Learned Watching All 44 AppSec Cali 2019 Talks

What I Learned Watching All 44 AppSec Cali 2019 Talks

tl;dr sec is a newsletter about AppSec and scaling security, automated bug finding, conference talk and paper summaries, and useful links from around the web. You can subscribe here and see past issues here.

Hey there,

OWASP AppSec California is one of my favorite security conferences: the talks are great, attendees are friendly, and it takes place right next to the beach in Santa Monica. Not too shabby 😎

One problem I always have, though, is that there are some great talks on the schedule that I end up missing.

So this year I decided to go back and watch all 44 talks from last year’s con, AppSec Cali 2019, and write a detailed summary of their key points.

If I had realized how much time and effort this was going to be at the beginning I probably wouldn’t have done it, but by the time I realized that this endeavor would take hundreds of hours, I was already too deep into it to quit 😅

   Post Structure 

The post starts off with some high level


, then an


of the talks (a few line summary per talk), and then a series of detailed summaries, grouped by talk category.


I discuss them more in the post itself, but here are some charts to whet your appetite, as who doesn't like stats?

📚 Talk Topics 

The talks spanned a variety of topics, here are just a few examples:

  • Areas you'd expect, like threat modeling, web security, containers and Kubernetes security

  • How to be an effective first security hire at a startup

  • How to build a strong AppSec program

  • How to scale security with automation, tooling, and partnerships with developers

  • How to build a positive security culture and make security training fun and engaging

  • Netflix's cloud security defense in depth strategy and how they protect AWS creds

  • How Dropbox protects heterogeneous internal web apps

  • How Slack vets Slack Bots and how Salesforce secures the AppExchange

  • How Salesforce protects user accounts via browser fingerprints and how Pinterest protects accounts whose passwords have leaked in third-party breaches

  • Lessons learned running a cyber warfare exercise with UN diplomats

  🚀 Check it Out  

Read the

If you'd like to get a quick skim of the contents + some of the key slides/figures, check out my

that describes each talk in 1 tweet each.

If you find the post useful, any likes, RTs, shares, etc. would be much appreciated


   🗨️ Let's Chat 

What talk did you like most? Was this a useful format to provide summaries in? What would be more useful?

I'd be happy to chat on


, on Reddit, or on


Thanks for reading!