AppSec Cali 19 — Sun…Beach…Warm and infosec

Francesco Cipollone
NSC42
Feb 4, 2019

The article as it appears on the NSC42 blog: https://www.nsc42.co.uk/blog/appsec-cali-19-sun-beach-warm-and-infosec

Also on LinkedIn: https://www.linkedin.com/pulse/appsec-cali-sunbeachwarm-infosec-francesco-cipollone/

About Francesco, the author

Francesco Cipollone is the director of NSC42 and a public speaker who attends conferences; this year he reports on AppSec California. If you’d like to hear more about this and other conferences, get in touch via the NSC42 blog page, LinkedIn and Medium. Francesco is an active researcher, director of events for the Cloud Security Alliance and a member of ISC2.

Francesco and NSC42 can help improve and align your organisation’s security: cybersecurity strategy, cloud and traditional security architecture and DevSecOps, offering a range of dedicated consultancy, webinars, guides and other materials. Get in touch with me on LinkedIn or via email at Francesco.cipollone @ NSC42.co.uk for collaboration or more information.

Note — most of the pictures on this website are mine, but feel free to reuse them under Creative Commons as long as the author and the article are cited.

CC licence — BY-SA — Attribution + ShareAlike

Intro

Picture from the AppSec Cali website

What a refreshing conference… that, in a nutshell, was my thinking on the last day of the AppSec Cali 2019 conference. Logistics were flawless, thanks to the volunteers, and the location was terrific, with the Annenberg Community Beach House overlooking Santa Monica beach and the calm “winter” Pacific Ocean. The schedule was well paced and packed with exciting talks and keynotes, which I will briefly summarise in this article.

The view from the Santa Monica beach

Nevertheless, those are not the key things that made AppSec Cali different from other great conferences (like Black Hat, DEF CON, BSides…).

What made the difference, aside from the climate and the view, was the small and close-knit nature of the conference.

Throughout the whole conference, I felt like I was amongst a group of friends coming together, discussing ideas and collectively progressing infosec.

Maybe it was the relaxed nature of Southern California (SoCal), perhaps it was the beach, but the conference was a fantastic and relaxed way to network, discuss and share ideas with fellow infosec professionals.

Sundown from the conference centre

Call to action:

I’d love to hear from you! Only with your feedback will we improve infosec. Leave a comment and join the conversation at the bottom of this article.

This report represents my view of the conference, but I’d love to hear your opinion on other application-security conferences. Things I’d like to hear from you:

  • What conferences (AppSec and dev) did you enjoy this year?
  • What do you think of AppSec Cali or similar conferences?
  • How do you include dev teams in the security discussion?

Most of the pictures from the conference are mine; where they are not, I’ll mention the author.

Speakers:

The organiser, Richard Greenberg, keeps putting effort into improving cybersecurity in the application world by organising events like this and ISSA-LA.

The speaker lineup was broad, with a top line of speakers and subject matter experts.

Nonetheless, the other speakers were no less impressive than the headline speakers.

Some of the other speakers

The Conference:

The bright day started with a short commute along the beach toward the convention centre. The ride of choice was the Uber electric scooter, due to the inclement weather… 20 degrees and sunny…

One of the many ride options available in Santa Monica

After a short, fun ride, the path to the convention centre runs through Santa Monica beach, skirting the Pacific Coast Highway (PCH).

Walk to the conference centre

Richard Greenberg kicked off the conference with a nice introduction to the various sponsors.

Opening Pitch

Also, a gentle reminder from Richard of the OWASP core values:

Like at any other convention, the sponsors and vendors were there, but they were not intrusive, and the poolside view is a nice perk.

Nonetheless, Richard allowed time to recognise the effort and contribution of the various sponsors/vendors.

To cite and thank just a few sponsors: Netsparker, ShiftLeft, Checkmarx, Qualys, and many others.

After an excellent introduction from Richard, the round of talks started; I’ll offer some highlights on the ones I attended and my opinion on the ones I liked the most.

A note for the folks: those are purely my opinions, and my view does not represent that of my employer (yadda yadda yadda)…

CISO Panel

The CISO panel had two key ingredients: CISOs from startups to financials, as well as well-seasoned CISOs.

The panel was formed (left to right):

The panel went on quite flawlessly, explaining the modern challenges CISOs face in establishing an AppSec program. The nice part of the panel is that it mixed different genders and different organisation sizes (from well established to startups). Richard did a great job moderating and pacing the questions.

One interesting concept I took from the whole talk was the struggle with the DEV-SEC-OPS definition, which I believe is a big dilemma these days.

The DEV-OPS concept is still maturing, and DEV-SEC-OPS is an evolution of it, with DEV-BIZ-SEC-OPS as a natural consequence. In the latter, proposed in the CISO panel, the business becomes an integral part of the development and operational process.

Also of note: the nice gender balance and the effort AppSec is making to sponsor women in cybersecurity.

Adrienne Porter Felt opens with the Chrome improvements on web security

2019 marked the year when half of web pages turned HTTPS on. There is still a lot to do, though.

Adrienne Porter Felt, Google engineer and manager for Chrome, explained the challenges the public faces with “secure” web pages.

When HTTPS was introduced, how to visualise the page’s state in the URL bar was debated. Initially, people thought that if the URL was green (and the colour green was long discussed), the page content was safe. HTTPS guarantees the security of the client-server communication, not the safety of the page’s content.

Also, Google is running a series of phishing test campaigns to raise awareness and is ultimately working to kill the URL (read the interesting Wired article for more info).

Nonetheless, there is an inherited perception that a page is safe when the URL is displayed in green.

Slack had similar challenges when presenting the apps in their store (see my take on Slack’s talk below).

Netflix and the security pizza

William Bengtson and Travis McPeak gave, in my opinion, one of the best presentations. The talk on the security layers deployed by Netflix was a step onward from the presentation William gave at Black Hat 2018 on credential compromise detection.

William’s presentation at Black Hat USA 2018

The talk used a pizza analogy, and William was wearing the “you got me at pizza” T-shirt (nice prop). Each layer of security was presented as an ingredient. The talk was well paced, and the exchange between Travis and William was smooth.

Considering the challenges of a two-person presentation, I have to say William and Travis handled the introduction calmly and appeared well prepared.

Sorry for the speech analysis, but my Toastmasters club training nags at me sometimes.

The talk presented the various layers, including the metadata proxy and the different attack scenarios that leverage metadata.

Another interesting topic was the temporary keys issued to developers, with privileges that are sometimes higher but under access control… On AWS, Netflix almost achieved the just-in-time access that Azure is working on with Security Center.

The other layer added on top of the security pizza is the collection and reduction of the roles and permissions a VM has…

Last but not least, the level of monitoring and alerting Netflix does is terrific. Rarely have I seen an organisation that knows its infrastructure to the degree that it can detect so carefully when something deviates from the norm… nonetheless, this comes at a cost (and William’s buzzer going off in the middle of the night).

Aside from the structure of the talk, I’ve been amazed by the level of sharing and giving back to the community that Netflix is doing.

Flee talks about powerlifting and AppSec

Following the CISO talk, another heavyweight in security, Frederick Lee (Flee), head of Information Security at Square, gave a flawless take on an AppSec programme.

Aside from the content, which was easy to understand and well paced, I have to say I admired the talk for its structure. Flee introduced the topics and the key elements at the beginning, narrated them with analogies and concluded with the same themes he started with.

The talk had a nice touch of analogies between powerlifting, Flee’s passion, and an AppSec programme.

The talk revolved around the three fundamentals of powerlifting and of the AppSec programme:

  • Code review of the critical code (prioritise)
  • Training for developers that is specific to their development language
  • Threat modeling of the essential applications

In conclusion, a well-structured AppSec program is hard to kill (as strong people are).

The honesty of Slack — app store security challenges

Credit to ITSP Magazine

Nikki Brandt and Kelly Ann presented the problems Slack security had in introducing apps to their app store.

Like any other startup, Slack faced challenges in security, and the balance an organisation at its inception has to strike when doing pentests or bug bounties.

Nonetheless, there is an inherited “trust” from people when selecting an app from a store that is part of your application…

Despite the best disclaimers, this might impact the Slack brand, and there was no solution yet… but they are getting there.

Despite closing on an uncertain note, I appreciated the honesty of the talk and the challenges faced.

Closing Day 1 with Bryan on what improves in AppSec

Bryan Payne (@bdpsecurity), Netflix’s Director of Engineering, Product & Application Security, delivered a remarkable closing note on the history of application security and the lessons learned.

Netflix has given a lot in this conference, and each talk was polished, well presented and gave something back to the community.

So we keep making the same mistakes we were making a long time ago… and for one reason: the basic stuff is also the hardest to implement…

Nonetheless, Bryan gave us a few essential items that did work in the past and will keep improving things in the future.

The two most important are learning from mistakes… better, and sharing the knowledge with the community (one of the critical things Netflix does brilliantly).

The other important one was improving fixes to the code, and with this Bryan stressed a pragmatic approach: you can’t fix and review it all, so prioritise fixing what is vital and critical.

Also, Bryan shared a few open source tools that can make code review an easier job. One open source project mentioned was SPIFFE: a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments.

Threat Modeling and the game of infosec

Aside from the Capture The Flag (CTF), I also appreciated the talk on threat modeling and the idea of introducing gamification into threat modeling.

Ultimately, a process that can end up complicated and difficult, like threat modeling, could be turned into something fun with a card game.

AppSec and CTF: lots of other talks at AppSec Cali

Aside from the main talks, AppSec Cali had a CTF and pentest basics open to all skill sets.

Most importantly, the conference and the training were oriented to infosec people but, above all, to developers.

The whole effort is to improve the overall security of the development process.

Other talks were remarkable, but I will just mention them:

Vulnerability management from a Security PM perspective

Alexandra Nassar and Harshil Parikh (absent) walked us through the challenges of security in an organisation that perceives security as a blocker, and also how perks, personalisation (the logo is her creation) and branding can massively help an AppSec programme.

William from Netflix on identifying lost keys in the cloud

William once again delivered an overview of how to prevent AWS credential exfiltration.

Closing Speech from Jim Manico

Jim Manico, founder of Manicode Security, is a well-known and respected contributor to the OWASP chapter. Jim delivered the closing talk of the second day with the history of application security.

Jim’s stage presence and the way he talks about application security are amazing, and show what a seasoned developer, and most crucially a security-oriented developer, he is.

Also, he is funny and solid throughout the talk.

Jim has become a kind of rockstar, with people asking to take a picture with him (photo taken by Daniel @danielblqz).

Conclusions

AppSec Cali 19 was a refreshing conference; I will definitely come back and possibly submit to the Call For Papers next year.

The conference would never have happened without the effort of all the volunteers and Richard stringing it together.

Picture from the AppSec Cali Twitter

Aside from the environment, the climate and the people, I appreciated the effort that the OWASP chapter and fellow infosec people have put into improving the overall quality of code by bringing the DEV community closer to the SEC community.

Aside from everything, Santa Monica is a fantastic place for a conference and overall for visitors, and I will come back for more infosec in Santa Monica (see you at ISSA XI in May).
