Last week we joined the fabulous OWASP AppSec California 2019 conference in Santa Monica, one of the most prominent Application Security events not only in California but at the national level. Compared to the RSA conference, which is more vendor-driven, AppSec California is speaker-driven. There is still a well-attended representation of AppSec vendors, but the real spotlight is on the speakers and their talks. It is also a smaller, less hectic event, with around 600 attendees, which allows for plenty of socialization time. The first two days of the four-day event are dedicated to training, while the last two are devoted to the actual talks and panels.
We wanted to summarize, in no particular order, the five key themes we observed during these days supercharged with conversations, presentations, and keynotes.
Pushing Security Left
We are happy to say that we observed a strong emphasis on building apps that are secure from the beginning, as opposed to adding bolt-on perimeter security. Many talks discussed Threat Modelling and Code Review practices. Another hot topic was Vulnerability Management, and how to overcome the struggle of getting developers and security professionals to communicate effectively. In general, the idea is to advocate code quality in a broad sense, which necessarily includes adequate security. External protections such as WAFs have passed their peak.
AppSec Education Is Still Sorely Needed
Conversations often cited a chronic shortage of AppSec professionals. One key reason is the lack of effective college curricula; another is the broad-and-deep skill set required to practice Application Security. “We are hiring” signs are a constant. According to the participants in the CISO panel, the most important piece of advice to mitigate the shortage is to always drive security conversations inside the organization. The goal is to increase institutional awareness among everyone involved in building software.
Security Is Hard
Far from promising silver bullets, the speakers agreed that security is a tough problem. Starting with the opening keynote, to paraphrase Adrienne Porter Felt, from the Google Chrome team: “Security is full of hard problems and trade-offs. It will always be imperfect; teams must accept imperfection and deal with it.” Moreover, according to Netflix’s Bryan Payne, the key framework to apply in a broad security program is “Fail-Fix-Learn.” This directly implies constant failure.
Mainstream ASTs & WAFs Are Ready For Disruption
SAST/DAST and (ng)WAFs are used in pretty much all security practices. Static code analysis is the “example” everyone uses when it comes to proactive security assurance. While awareness is reaching saturation, attendees highlighted its shortcomings. As a result, momentum for better AST options is building up. One of the participants in the DevSecOps panel defined static testing, in jest, as “not much more than grep on steroids.”
Slight DevSecOps Fatigue
Present in most presentations, and certainly across all the vendor stands, DevSecOps was one of the keywords of the conference. However, one would say that the term is traversing the Trough of Disillusionment (in Gartner Hype Cycle terminology). The main reasons behind this pushback against DevSecOps seem to be the lack of a clear definition, a certain skepticism towards the automation promises that DevSecOps brings to the table, and insufficient business focus. According to the panel “Lessons From The DevSecOps Trenches,” the viability of a DevSecOps practice is directly related to the maturity of the organization.
Did you attend the AppSec California conference? Do you have any take-aways you would like to share? Drop us a note!