OWASP AppSecUSA Recap
OWASP Update
[@/+]toddgrotenhuis

AppSecUSA: The best infosec conference

Keynotes
- Alex Stamos - Facebook
- Phyllis Schneck - DHS
- Troy Hunt - HIBP

Opening Keynote
→ Understand your userbase
→ Focus on real vs potential harm
→ Stop whining and do good at the margins

Accept non-optimal solutions in non-optimal situations
— Alex Stamos

Security As Code: A New Frontier
→ RuggedSoftware.org
→ DevSecOps.org

Rugged Manifesto
I am rugged and, more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security.
I recognize these things – and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.

DevSecOps
→ Leaning in over Always Saying “No”
→ Data & Security Science over Fear, Uncertainty and Doubt
→ Open Contribution & Collaboration over Security-Only Requirements
→ Consumable Security Services with APIs over Mandated Security Controls & Paperwork

Security as Code
→ what all can you define in software?
→ what can you automate?
→ even "traditional" stuff?
→ even "non-boring" stuff?

Rant Time
Do you like to talk about how old attacks continue to work on customers? This says at least as much about your effectiveness as a consultant as it does about your clients' effectiveness as an organization (note: you are the common denominator).

Strengthening the Weakest Link: How to manage security vulnerabilities in 3rd party libraries used by your application
→ OWASP Dependency Check
→ Sonatype Nexus
→ Palamida
→ Black Duck Hub
→ Others

→ Use fewer and better suppliers
→ Use only the highest quality parts
→ Track what is used and where
→ Use repository managers over direct downloads

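As an added illustration of "track what is used and where" (this is example code written for this recap, not a tool from the talk or from any of the products listed), the script below builds an inventory of pinned third-party versions across several services and matches it against an advisory list. The lock-file contents, service names and advisories are all constructed, and the advisory identifiers are placeholders rather than real CVE numbers; a real pipeline would take the advisory feed from something like OWASP Dependency Check and the inventory from a repository manager.

```python
"""Added example (not from the slides): a minimal "track what is used and
where" inventory check of the kind that dependency-scanning tools automate.
All lock-file text and advisory data below are constructed for illustration,
and the advisory identifiers are placeholders, not real CVE numbers.
"""
import re
from collections import defaultdict

# Constructed lock-file contents for three hypothetical services.
LOCKFILES = {
    "payments-api": "requests==2.19.1\nurllib3==1.22\npyyaml==5.3.1\n",
    "web-frontend": "requests==2.31.0\nurllib3==1.26.18\n",
    "batch-jobs":   "# pinned by the build\npyyaml==3.13\nrequests==2.19.1\n",
}

# Constructed advisories as (package, first fixed version, placeholder id):
# a pinned version is affected when it is lower than the fixed version.
ADVISORIES = [
    ("requests", "2.20.0", "ADV-EXAMPLE-0001"),
    ("urllib3",  "1.24.2", "ADV-EXAMPLE-0002"),
    ("pyyaml",   "5.4",    "ADV-EXAMPLE-0003"),
]

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*$")


def parse_lockfile(text):
    """Return {package: version} from 'name==version' lines; other lines are ignored."""
    deps = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def version_key(version):
    """Numeric-aware comparison key so that 1.26.18 sorts above 1.26.9."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def build_inventory(lockfiles):
    """Map each (package, version) pair to the list of services that pin it."""
    inventory = defaultdict(list)
    for service, text in lockfiles.items():
        for pkg, ver in parse_lockfile(text).items():
            inventory[(pkg, ver)].append(service)
    return inventory


def find_affected(inventory, advisories):
    """Return sorted (advisory id, package, version, fixed in, services) findings."""
    findings = []
    for (pkg, ver), services in inventory.items():
        for adv_pkg, fixed_in, adv_id in advisories:
            if pkg == adv_pkg and version_key(ver) < version_key(fixed_in):
                findings.append((adv_id, pkg, ver, fixed_in, sorted(services)))
    return sorted(findings)


def distinct_versions(inventory):
    """Count distinct versions per package; more than one is drift worth consolidating."""
    counts = defaultdict(int)
    for pkg, _ in inventory:
        counts[pkg] += 1
    return dict(counts)


if __name__ == "__main__":
    inv = build_inventory(LOCKFILES)
    for adv_id, pkg, ver, fixed_in, services in find_affected(inv, ADVISORIES):
        print(f"{adv_id}: {pkg}=={ver} (fixed in {fixed_in}) used by {', '.join(services)}")
    for pkg, n in distinct_versions(inv).items():
        if n > 1:
            print(f"note: {n} different versions of {pkg} are in use")
```

The inventory is keyed on (package, version) rather than on package alone so that the same finding is reported once with every service that carries it, which is what "where" means when a fix has to be scheduled per team; the version-count report is the cheap signal for "use fewer and better suppliers".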
Practical Application Security Management: How to Win an Economically One-Sided War
→ costs are not just money, but time, people, complexity
→ the business will always come first

→ actual sign-off from product owners on issues reduces those that go through
→ satisfy people’s creative urges to make
→ security days: employees shadow for a day
→ reward reporting/submissions

Delayed launch is a denial of service
— Dheeraj Bhat

The End of Security as We Know It: why this might be a good thing
→ sometimes security is the only group with an overall view
→ avoid “perfection complex”
→ MTTRemediate -> MTTRestore
→ “fuzz” non-technical things (e.g. processes)

→ Data Driven Decisions
→ Smaller Changes
→ Faster Failure
→ If It Hurts, Do It More

Tool Requirements
→ sufficient logging
→ appropriate encryption
→ APIs / software definable / scriptable
→ test & abuse before purchase
→ take the bluecoat pledge

Keynote 2
redacted

Future Banks Live in the Cloud: building a usable cloud with uncompromising security
→ security around money used to be physical
→ “extract value” as a better way of thinking about attackers
→ empower engineers and help them choose

Consensus-Based Deployment
1. anyone can propose a change
2. a non-involved party must approve the change
3. anyone can apply the change

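The three rules above are easy to state and easy to get subtly wrong in tooling, so here is an added example (written for this recap, not code from the talk or from the speaker's employer) that enforces them as a small state machine: a proposal is open to anyone, approval is refused to anyone involved in authoring the change, and applying is open to anyone but only once an independent approval exists. Who counts as "involved" is an assumption made here: the proposer plus any listed co-authors. The change ids and names are constructed.

```python
"""Added example (not the speaker's code): the three consensus-based deployment
rules from the slide enforced as a small state machine. Who counts as
"involved" is an assumption made here: the proposer plus any listed co-authors.
"""
from dataclasses import dataclass, field
from typing import Optional


class PolicyViolation(Exception):
    """Raised when a step would let a single person push a change through alone."""


@dataclass
class Change:
    change_id: str
    proposer: str
    coauthors: set = field(default_factory=set)
    approvals: set = field(default_factory=set)
    applied_by: Optional[str] = None
    log: list = field(default_factory=list)

    def involved(self):
        """People who wrote the change and therefore cannot approve it."""
        return {self.proposer} | self.coauthors


def propose_change(change_id, proposer, coauthors=()):
    """Rule 1: anyone can propose a change."""
    change = Change(change_id, proposer, set(coauthors))
    change.log.append(f"{proposer} proposed {change_id}")
    return change


def approve_change(change, approver):
    """Rule 2: a non-involved party must approve the change."""
    if approver in change.involved():
        raise PolicyViolation(
            f"{approver} is involved in {change.change_id} and cannot approve it")
    change.approvals.add(approver)
    change.log.append(f"{approver} approved {change.change_id}")
    return change


def apply_change(change, applier):
    """Rule 3: anyone can apply the change, but only after an approval exists."""
    if not change.approvals:
        raise PolicyViolation(f"{change.change_id} has no independent approval")
    if change.applied_by is not None:
        raise PolicyViolation(
            f"{change.change_id} was already applied by {change.applied_by}")
    change.applied_by = applier
    change.log.append(f"{applier} applied {change.change_id}")
    return change


def parties(change):
    """Everyone who touched the change; once applied this is never a single person."""
    people = set(change.involved()) | set(change.approvals)
    if change.applied_by is not None:
        people.add(change.applied_by)
    return people


if __name__ == "__main__":
    change = propose_change("cfg-42", "alice", coauthors=["bob"])
    for who in ("alice", "bob"):          # authors trying to approve their own work
        try:
            approve_change(change, who)
        except PolicyViolation as exc:
            print("rejected:", exc)
    try:
        apply_change(change, "carol")     # applying before any approval
    except PolicyViolation as exc:
        print("rejected:", exc)
    approve_change(change, "carol")       # independent approval
    apply_change(change, "alice")         # the proposer may apply once approved
    print("\n".join(change.log))
```

The check that matters is the one in `approve_change`: the proposer being allowed to apply is fine, because the approval from someone else already guarantees that at least two people stood behind the change, which is the property the next slide's quote asks for.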
No one person should be able to “accidentally the company”
— Rob Witoff

Don’t partner with vendors without a clear whitehat program.
— Rob Witoff

Doing AppSec at Scale: taking the best of DevOps, Agile, and CI/CD into AppSec
→ AppSec Pipeline
→ Gauntlt
→ Threadfix
→ Bag of Holding

In application security, personnel are the critical resource, so design for optimizing them
— Aaron Weaver

If I can do it with a UI, I want to do it with an API
— Matt Tesauro

Closing Keynote
“50 Shades of AppSec” with Troy Hunt

Links
- OWASP.org
- 2015.appsecusa.org
- Talks YouTube Playlist
- OWASP Board Elections
- Safecode Free Courses