I recently had the privilege of attending the Secure Iowa Conference for 2016 in Ankeny, Iowa. The conference was held at the beautiful Future Farmers of America building on the DMACC Campus and featured three tracks: technical, management, and vendor. There were a few dozen vendors and speakers from a broad swath of backgrounds ranging from the State Representative for my district in Iowa to a network security professor from Iowa State University in Ames. The following are some of the things I learned during the conference.
The keynote address was provided by Lt. Col. Yazzie from the Iowa National Guard Cyber Operations unit. Lt. Col. Yazzie briefed the audience on the capabilities of the Iowa National Guard Cyber Operations unit, including the various partnerships his unit has with academia and private industry, as well as with foreign allies. Their mission is strictly defensive in nature, and they are always looking for passionate people to join them in defending Iowa and the nation’s networks.
The next presentation I caught was David Lindner’s mobile application security talk on the Apple TouchID APIs. David taught us that there are two primary APIs that can be used when working with the TouchID sensor: LAContext and User Presence. David recommended that LAContext be avoided in favor of User Presence, since LAContext can easily be bypassed on a jailbroken device. User Presence is more of a software annotation by which resources can be denoted as requiring TouchID authentication, which then communicates with the secure enclave through a channel brokered by the operating system. One last piece of advice that David had for mobile app developers was to build pure Swift-based applications, as the attack tooling is not as sophisticated as it is for Objective-C-based applications.
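To make the distinction concrete, here is an added Swift example (my own illustration, not code from David’s talk) contrasting the two approaches. I take the talk’s “User Presence” to mean the keychain access-control flag `.userPresence`; the function names, the account label and the prompt strings are my own.

```swift
import Foundation
import LocalAuthentication
import Security

// Pattern the talk discourages: LAContext hands the app a Bool and the app
// decides. The secret itself is never protected; only this branch gates it.
func unlockWithLAContext(completion: @escaping (Bool) -> Void) {
    let context = LAContext()
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Unlock the vault") { ok, _ in
        completion(ok)   // the whole gate is this app-side value
    }
}

// Pattern the talk recommends: annotate the keychain item itself as requiring
// user presence. The OS and Secure Enclave release it only after Touch ID
// (or the passcode) succeeds; there is no app-side Bool standing in for it.
func storeProtectedSecret(_ secret: Data, account: String) -> OSStatus {
    var aclError: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .userPresence, &aclError) else { return errSecParam }
    let item: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
        kSecAttrAccessControl as String: acl,
        kSecValueData as String: secret,
    ]
    return SecItemAdd(item as CFDictionary, nil)
}

// Reading the item back is what triggers the Touch ID prompt; the data is
// only returned to the process after the user has authenticated.
func readProtectedSecret(account: String, prompt: String) -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
        kSecUseOperationPrompt as String: prompt,
        kSecReturnData as String: true,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    return status == errSecSuccess ? (result as? Data) : nil
}
```

Because the protection in the second pattern is enforced when the keychain item is read, code review should check that the sensitive value is never also cached in plain app storage, which would quietly reintroduce the first pattern’s weakness.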
Following David’s presentation, I attended a group presentation by the gentlemen at Webfilings. Their presentation focused on automating security testing for application development by using continuous integration / continuous deployment practices. They advocated using a CI/CD server, such as Jenkins, to run security tools such as Burp Suite and Zed Attack Proxy, amongst others, to perform application and application infrastructure level validation of a software payload as it moves from development to production.
It definitely seems like this is an emerging trend in application security, as there were actually several talks on the subject by different people from different companies. Nathan Gibson also gave a presentation on automating security tooling earlier in the day, but I was unfortunately not able to attend that presentation.
Next was Doug Jacobson’s presentation on applied cryptography. Doug is a professor of information security at Iowa State and leads the ISEAGE project as well as the Iowa State Cyber Defense Competitions. Doug’s presentation focused on the uses of cryptography. The one point that Doug really drove home well was that given an unlimited amount of time or resources, any crypto system can be broken. He reiterated that the primary purpose of cryptography is to keep information secret until that information is no longer valuable.
Talks I wish I could have attended include Alex Hart and Rich Skinner’s presentation on Third Party Risk management, Nathan Gibson’s talk on automating security testing, and Ben Schmidtt’s presentation on using math to move beyond rule-based decisions.
Overall I thoroughly enjoyed the conference. The speakers in both the technical and management tracks were fascinating, and it was at times very difficult to decide which presentation to attend in a given time slot. I would encourage the Des Moines ISSA Chapter to continue to include a multi-track schedule at next year’s Secure Iowa Conference, as this format worked particularly well this year. If you didn’t attend the conference this year, you really missed out, and I hope to see you there next year!