Abstract image of a woman sitting on books and studying on a laptop

OWASP AppSecUSA Recap

Todd Grotenhuis, profile picture
Todd Grotenhuis

This document summarizes the AppSecUSA security conference. It includes that the keynote speakers were Alex Stamos from Facebook, Phyllis Schneck from DHS, and Troy Hunt from HIBP. Some of the topics discussed were managing third party library vulnerabilities, practical application security management, and doing application security at scale through DevOps practices. The closing keynote was titled "50 Shades of AppSec" given by Troy Hunt.

Technology
1 of 28
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
OWASP Update [@/+]toddgrotenhuis
AppSecUSA: The best infosec conference [@/+]toddgrotenhuis
Keynotes -Alex Stamos - Facebook -Phyllis Schneck - DHS -Troy Hunt - HIBP [@/+]toddgrotenhuis
Opening Keynote → Understand your userbase → Focus on real vs potential harm → Stop whining and do good at the margins [@/+]toddgrotenhuis
Accept non-optimal solutions in non-optimal situations — Alex Stamos [@/+]toddgrotenhuis
Security As Code: A New Frontier → RuggedSoftware.org → DevSecOps.org [@/+]toddgrotenhuis
Rugged Manifesto I am rugged and, more importantly, my code is rugged. I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged. I am rugged because I refuse to be a source of vulnerability or weakness. I am rugged because I assure my code will support its mission. I am rugged because my code can face these challenges and persist in spite of them. I am rugged, not because it is easy, but because it is necessary and I am up for the challenge. [@/+]toddgrotenhuis
DevSecOps → Leaning in over Always Saying “No” → Data & Security Science over Fear, Uncertainty and Doubt → Open Contribution & Collaboration over Security- Only Requirements → Consumable Security Services with APIs over Mandated Security Controls & Paperwork [@/+]toddgrotenhuis
Security as Code → what all can you define in software? → what can you automate? → even "traditional" stuff? → even "non-boring" stuff? [@/+]toddgrotenhuis
Rant Time Do you like to talk about how old attacks continue to work on customers? This says at least as much about your effectiveness as a consultant as it does about your clients' effectiveness as an organization (note: you are the common denominator) [@/+]toddgrotenhuis
Strengthening the Weakest Link: How to manage security vulnerabilities in 3rd party libraries used by your application → OWASP Dependency Check → Sonatype Nexus → Palamida → Black Duck Hub → Others [@/+]toddgrotenhuis
→ Use fewer and better suppliers → Use only the highest quality parts → Track what is used and where → Use repository managers over direct downloads [@/+]toddgrotenhuis
Practical Application Security Management: How to Win an Economically One-Side War → costs are not just money, but time, people, complexity → the business will always come first [@/+]toddgrotenhuis
→ actual sign-off from product owners on issues reduces those that go through → satisfy people’s creative urges to make → security days: employees shadow for a day → reward reporting/submissions [@/+]toddgrotenhuis
Delayed launch is a denial of service — Dheeraj Bhat [@/+]toddgrotenhuis
The End of Security as We Know It: why this might be a good thing → sometimes security is the only group with an overall view → avoid “perfection complex” → MTTRemediate -> MTTRestore → “fuzz” non-technical things (e.g. processes) [@/+]toddgrotenhuis
→ Data Driven Decisions → Smaller Changes → Faster Failure → If It Hurts, Do It More [@/+]toddgrotenhuis
Tool Requirements → sufficient logging → appropriate encryption → APIs / software definable / scriptable → test & abuse before purchase → take the bluecoat pledge [@/+]toddgrotenhuis
Keynote 2 redacted [@/+]toddgrotenhuis
Future Banks Live in the Cloud: building a usable cloud with uncompromising security → security around money used to be physical → “extract value” as a better way of thinking about attackers → empower engineers and help them choose [@/+]toddgrotenhuis
Consensus-Based Deployment 1. anyone can propose a change 2. a non-involved party must approve the change 3. anyone can apply the change [@/+]toddgrotenhuis
No one person should be able to “accidentally the company” — Rob Witoff [@/+]toddgrotenhuis
Don’t partner with vendors without a clear whitehat program. — Rob Witoff [@/+]toddgrotenhuis
Doing AppSec at Scale: taking the best of DevOps, Agile, and CI/CD into AppSec → AppSec Pipeline → Gauntlt → Threadfix → Bag of Holding [@/+]toddgrotenhuis
In application security, personnel are the critical resource, so design for optimizing them — Aaron Weaver [@/+]toddgrotenhuis
If I can do it with a UI, I want to do it with an API — Matt Tesauro [@/+]toddgrotenhuis
Closing Keynote “50 Shades of AppSec” with Troy Hunt [@/+]toddgrotenhuis
OWASP.org 2015.appsecusa.org Talks YouTube Playlist OWASP Board Elections Safecode Free Courses [@/+]toddgrotenhuis

More Related Content

PDF
Defense in Depth: Lessons Learned Securing 200,000 Sites
Pantheon
 
PDF
Practical security in a DevOps World
Hinse ter Schuur
 
PPTX
Improving privacy in blockchain using homomorphic encryption
Razi Rais
 
PDF
Let's Encrypt! Wait. Why? How? - WC Pune
Nancy Thanki
 
PDF
Let's Encrypt! Wait. Why? How?
Nancy Thanki
 
PDF
Real world blockchains
Dmitry Meshkov
 
PDF
Hashgraph vs Blockchain | Hedera Hashgraph Tutorial | Hashgraph Technology | ...
Edureka!
 
PDF
Insecurity-In-Security version.2 (2011)
Abhishek Kumar
 
Defense in Depth: Lessons Learned Securing 200,000 Sites
Pantheon
 
Practical security in a DevOps World
Hinse ter Schuur
 
Improving privacy in blockchain using homomorphic encryption
Razi Rais
 
Let's Encrypt! Wait. Why? How? - WC Pune
Nancy Thanki
 
Let's Encrypt! Wait. Why? How?
Nancy Thanki
 
Real world blockchains
Dmitry Meshkov
 
Hashgraph vs Blockchain | Hedera Hashgraph Tutorial | Hashgraph Technology | ...
Edureka!
 
Insecurity-In-Security version.2 (2011)
Abhishek Kumar
 

What's hot (17)

PPTX
Top 10 Web Hacks 2013
Matt Johansen
 
PDF
Upgrading the Web with Douglas Crockford @ FITC's Web Unleashed 2015
FITC
 
PPTX
Top 10 Encryption Myths
HighCloud Security
 
PDF
A hybrid cloud approach for secure authorized deduplication
LeMeniz Infotech
 
PDF
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
 
DOCX
a hybrid cloud approach for secure authorized reduplications
swathi78
 
PPTX
Practical Cryptography and Security Concepts for Developers
Gökhan Şengün
 
PDF
NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements
North Texas Chapter of the ISSA
 
PDF
Blockchain Interview Questions and Answers | Blockchain Technology | Blockcha...
Edureka!
 
PPTX
Testing in the blockchain
Craig Risi
 
PDF
[JSDC 2021] Blockchain 101 for Frontend Engs
Lucien Lee
 
PDF
Security is a process, not a plugin (WordCamp Torino 2018)
Thomas Vitale
 
PDF
NTXISSACSC4 - Business Geekdom: 1 = 3 = 5
North Texas Chapter of the ISSA
 
PPTX
Cassandra
rezabehzadi3
 
PDF
Introduction to Security Vulnerabilities
vodQA
 
PDF
Things will Change - Usenix Keynote UCMS'14
Erica Windisch
 
PDF
Global bigdata conf_01282013
HPCC Systems
 
Top 10 Web Hacks 2013
Matt Johansen
 
Upgrading the Web with Douglas Crockford @ FITC's Web Unleashed 2015
FITC
 
Top 10 Encryption Myths
HighCloud Security
 
A hybrid cloud approach for secure authorized deduplication
LeMeniz Infotech
 
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
 
a hybrid cloud approach for secure authorized reduplications
swathi78
 
Practical Cryptography and Security Concepts for Developers
Gökhan Şengün
 
NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements
North Texas Chapter of the ISSA
 
Blockchain Interview Questions and Answers | Blockchain Technology | Blockcha...
Edureka!
 
Testing in the blockchain
Craig Risi
 
[JSDC 2021] Blockchain 101 for Frontend Engs
Lucien Lee
 
Security is a process, not a plugin (WordCamp Torino 2018)
Thomas Vitale
 
NTXISSACSC4 - Business Geekdom: 1 = 3 = 5
North Texas Chapter of the ISSA
 
Cassandra
rezabehzadi3
 
Introduction to Security Vulnerabilities
vodQA
 
Things will Change - Usenix Keynote UCMS'14
Erica Windisch
 
Global bigdata conf_01282013
HPCC Systems
 
Ad

Viewers also liked (20)

PPTX
11 4-16
Muhammad Younis
 
PDF
What is Fundraising Success? by Matt Kupec
Matt Kupec
 
DOCX
Ensayo bases de datos DAMARIS
liliananaa
 
PPTX
Ppt 21 9-15
Muhammad Younis
 
PPT
Sistemas operativos
LuciaMart
 
PPTX
intellectual property rights
mam141931
 
PPTX
Institution analysis final
wojstarrr123
 
DOCX
Evitar las enfermedades
ErikaHorcajo
 
PPT
Les prépositions
agostick
 
DOC
Orido Vincent Akpomefure
vincent orido
 
PPTX
Tools: Five Capitals
Corporate Responsibility & Sustainability in Practice
 
PDF
Fall 2015 MN AAHAM Newsletter
John Brindley
 
PPTX
Plastic labware models set
Rohit Sabharwal
 
PPTX
การกำเนิดเทคโนโลยีสารสนเทศ
Sa'Laoy Krissada
 
PDF
AGNES'S PORTFOLIO
Agnes Koresy
 
PDF
Legal issues in_the_music_industry
Felicia "Lady Rayne" McCloud
 
PPTX
Grass-4_rus
MarketSense_RF
 
PDF
6 a brandiepratt
ddpratty
 
PDF
Winter drawing how_tos
LisaRicciardelli
 
DOC
Fred Swenson Research Paper
Fred Swenson
 
11 4-16
Muhammad Younis
 
What is Fundraising Success? by Matt Kupec
Matt Kupec
 
Ensayo bases de datos DAMARIS
liliananaa
 
Ppt 21 9-15
Muhammad Younis
 
Sistemas operativos
LuciaMart
 
intellectual property rights
mam141931
 
Institution analysis final
wojstarrr123
 
Evitar las enfermedades
ErikaHorcajo
 
Les prépositions
agostick
 
Orido Vincent Akpomefure
vincent orido
 
Tools: Five Capitals
Corporate Responsibility & Sustainability in Practice
 
Fall 2015 MN AAHAM Newsletter
John Brindley
 
Plastic labware models set
Rohit Sabharwal
 
การกำเนิดเทคโนโลยีสารสนเทศ
Sa'Laoy Krissada
 
AGNES'S PORTFOLIO
Agnes Koresy
 
Legal issues in_the_music_industry
Felicia "Lady Rayne" McCloud
 
Grass-4_rus
MarketSense_RF
 
6 a brandiepratt
ddpratty
 
Winter drawing how_tos
LisaRicciardelli
 
Fred Swenson Research Paper
Fred Swenson
 
Ad

Similar to OWASP AppSecUSA Recap (20)

DOCX
Webinar Security: Apps of Steel transcription
Service2Media
 
PDF
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...
Dana Gardner
 
PDF
Broken by design (Danny Fullerton)
Hackfest Communication
 
PDF
How A-Core Concrete Sets a Solid Foundation for Preemptive Security
Dana Gardner
 
PDF
So... you want to be a security consultant
abnmi
 
PDF
AEPWP09292016
Demi Washington
 
PDF
Why isn't infosec working? Did you turn it off and back on again?
Rob Fuller
 
PDF
Carbon Black: Moving to a Cloud Based Next Generation Platform for Endpoint S...
Mighty Guides, Inc.
 
PPT
#CU12: Another cloud is possible - Allen Gunn at Connecting Up 2012
Connecting Up
 
PDF
LogDNA and CloudFoundry Webinar: Open Ecosystems, Interoperability + Multi-Cl...
LogDNA
 
PDF
Asset Discovery in India – Redhunt Labs
RedhuntLabs2
 
PDF
Tech Talent Meetup Hacking Security Event Recap
Dominic Vogel
 
PDF
Security in the Cloud: Tips on How to Protect Your Data
Procore Technologies
 
PPTX
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Black Duck by Synopsys
 
PPTX
Keynote at the Cyber Security Summit Prague 2015
Claus Cramon Houmann
 
ODP
Staying Safe - Overview of FREE Encryption Tools
Micky Metts
 
PPTX
Security for AWS : Journey to Least Privilege (update)
dhubbard858
 
PDF
Security for AWS: Journey to Least Privilege
Lacework
 
PPTX
Teensy Programming for Everyone
Nikhil Mittal
 
PPTX
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
Webinar Security: Apps of Steel transcription
Service2Media
 
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...
Dana Gardner
 
Broken by design (Danny Fullerton)
Hackfest Communication
 
How A-Core Concrete Sets a Solid Foundation for Preemptive Security
Dana Gardner
 
So... you want to be a security consultant
abnmi
 
AEPWP09292016
Demi Washington
 
Why isn't infosec working? Did you turn it off and back on again?
Rob Fuller
 
Carbon Black: Moving to a Cloud Based Next Generation Platform for Endpoint S...
Mighty Guides, Inc.
 
#CU12: Another cloud is possible - Allen Gunn at Connecting Up 2012
Connecting Up
 
LogDNA and CloudFoundry Webinar: Open Ecosystems, Interoperability + Multi-Cl...
LogDNA
 
Asset Discovery in India – Redhunt Labs
RedhuntLabs2
 
Tech Talent Meetup Hacking Security Event Recap
Dominic Vogel
 
Security in the Cloud: Tips on How to Protect Your Data
Procore Technologies
 
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Black Duck by Synopsys
 
Keynote at the Cyber Security Summit Prague 2015
Claus Cramon Houmann
 
Staying Safe - Overview of FREE Encryption Tools
Micky Metts
 
Security for AWS : Journey to Least Privilege (update)
dhubbard858
 
Security for AWS: Journey to Least Privilege
Lacework
 
Teensy Programming for Everyone
Nikhil Mittal
 
Security engineering 101 when good design & security work together
Wendy Knox Everette
 

Recently uploaded (20)

PPTX
Configure Apache Mutual Authentication
Antonino Piraino
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PDF
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
PDF
Abstractive summarization using multilingual text-to-text transfer transforme...
IAESIJAI
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PPTX
Custom Battery Pack Design Considerations for Performance and Safety
Epec Engineered Technologies
 
PPT
Geologic Time for studying geology for geologist
ssuser738f5a
 
PDF
sbt 2.0: go big (Scala Days 2025 edition)
Eugene Yokota
 
PDF
Two-dimensional Klein-Gordon and Sine-Gordon numerical solutions based on dee...
IAESIJAI
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PDF
UiPath Agentic Automation session 1: RPA to Agents
suhanisingh58689
 
PPTX
2018-HIPAA-Renewal-Training for executives
Mayank Mathur
 
PPTX
Microsoft Excel 365/2024 Beginner's training
frank yeboah
 
Configure Apache Mutual Authentication
Antonino Piraino
 
What is a Computer? Input Devices /output devices
GulJan8
 
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
Abstractive summarization using multilingual text-to-text transfer transforme...
IAESIJAI
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
Modernising the Digital Integration Hub
Daniel Toomey
 
The various Industrial Revolutions .pptx
bandileshozi3
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
Custom Battery Pack Design Considerations for Performance and Safety
Epec Engineered Technologies
 
Geologic Time for studying geology for geologist
ssuser738f5a
 
sbt 2.0: go big (Scala Days 2025 edition)
Eugene Yokota
 
Two-dimensional Klein-Gordon and Sine-Gordon numerical solutions based on dee...
IAESIJAI
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
UiPath Agentic Automation session 1: RPA to Agents
suhanisingh58689
 
2018-HIPAA-Renewal-Training for executives
Mayank Mathur
 
Microsoft Excel 365/2024 Beginner's training
frank yeboah
 

OWASP AppSecUSA Recap

  • 3. Keynotes -Alex Stamos - Facebook -Phyllis Schneck - DHS -Troy Hunt - HIBP [@/+]toddgrotenhuis
  • 4. Opening Keynote → Understand your userbase → Focus on real vs potential harm → Stop whining and do good at the margins [@/+]toddgrotenhuis
  • 5. Accept non-optimal solutions in non-optimal situations — Alex Stamos [@/+]toddgrotenhuis
  • 6. Security As Code: A New Frontier → RuggedSoftware.org → DevSecOps.org [@/+]toddgrotenhuis
  • 7. Rugged Manifesto I am rugged and, more importantly, my code is rugged. I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged. I am rugged because I refuse to be a source of vulnerability or weakness. I am rugged because I assure my code will support its mission. I am rugged because my code can face these challenges and persist in spite of them. I am rugged, not because it is easy, but because it is necessary and I am up for the challenge. [@/+]toddgrotenhuis
  • 8. DevSecOps → Leaning in over Always Saying “No” → Data & Security Science over Fear, Uncertainty and Doubt → Open Contribution & Collaboration over Security- Only Requirements → Consumable Security Services with APIs over Mandated Security Controls & Paperwork [@/+]toddgrotenhuis
  • 9. Security as Code → what all can you define in software? → what can you automate? → even "traditional" stuff? → even "non-boring" stuff? [@/+]toddgrotenhuis
  • 10. Rant Time Do you like to talk about how old attacks continue to work on customers? This says at least as much about your effectiveness as a consultant as it does about your clients' effectiveness as an organization (note: you are the common denominator) [@/+]toddgrotenhuis
  • 11. Strengthening the Weakest Link: How to manage security vulnerabilities in 3rd party libraries used by your application → OWASP Dependency Check → Sonatype Nexus → Palamida → Black Duck Hub → Others [@/+]toddgrotenhuis
  • 12. → Use fewer and better suppliers → Use only the highest quality parts → Track what is used and where → Use repository managers over direct downloads [@/+]toddgrotenhuis
  • 13. Practical Application Security Management: How to Win an Economically One-Side War → costs are not just money, but time, people, complexity → the business will always come first [@/+]toddgrotenhuis
  • 14. → actual sign-off from product owners on issues reduces those that go through → satisfy people’s creative urges to make → security days: employees shadow for a day → reward reporting/submissions [@/+]toddgrotenhuis
  • 15. Delayed launch is a denial of service — Dheeraj Bhat [@/+]toddgrotenhuis
  • 16. The End of Security as We Know It: why this might be a good thing → sometimes security is the only group with an overall view → avoid “perfection complex” → MTTRemediate -> MTTRestore → “fuzz” non-technical things (e.g. processes) [@/+]toddgrotenhuis
  • 17. → Data Driven Decisions → Smaller Changes → Faster Failure → If It Hurts, Do It More [@/+]toddgrotenhuis
  • 18. Tool Requirements → sufficient logging → appropriate encryption → APIs / software definable / scriptable → test & abuse before purchase → take the bluecoat pledge [@/+]toddgrotenhuis
  • 20. Future Banks Live in the Cloud: building a usable cloud with uncompromising security → security around money used to be physical → “extract value” as a better way of thinking about attackers → empower engineers and help them choose [@/+]toddgrotenhuis
  • 21. Consensus-Based Deployment 1. anyone can propose a change 2. a non-involved party must approve the change 3. anyone can apply the change [@/+]toddgrotenhuis
  • 22. No one person should be able to “accidentally the company” — Rob Witoff [@/+]toddgrotenhuis
  • 23. Don’t partner with vendors without a clear whitehat program. — Rob Witoff [@/+]toddgrotenhuis
  • 24. Doing AppSec at Scale: taking the best of DevOps, Agile, and CI/CD into AppSec → AppSec Pipeline → Gauntlt → Threadfix → Bag of Holding [@/+]toddgrotenhuis
  • 25. In application security, personnel are the critical resource, so design for optimizing them — Aaron Weaver [@/+]toddgrotenhuis
  • 26. If I can do it with a UI, I want to do it with an API — Matt Tesauro [@/+]toddgrotenhuis
  • 27. Closing Keynote “50 Shades of AppSec” with Troy Hunt [@/+]toddgrotenhuis
  • 28. OWASP.org 2015.appsecusa.org Talks YouTube Playlist OWASP Board Elections Safecode Free Courses [@/+]toddgrotenhuis