By Alexandre Racine, | Image source for OWASP banner image.
Software Developer – Resolute Technology Solutions
Security professionals from around the world converged in downtown Washington, DC for this year’s OWASP (Open Web Application Security Project) sponsored AppSecUSA event. The premiere event attracted over 75 speakers including keynotes from four visionary leaders in the industry, more than 40 vendors and event sponsors and around 1000 security specialists or developers. On top of the two-day conference, specialized instructors led a two-day training program providing training in over half a dozen topics. Over 50 conference sessions were offered spanning a total of five different core tracks including Builder, Breaker, Devops, Mobile, and IoT. A career fair, Women in AppSec events, bug bounty activities, a social event at the International Spy Museum and an EFF Q&A made this one of the year’s top application security conferences to attend.
Exploring Washington, DC
Overall, I had a tremendous experience. Not only was this the first conference I attended on the topic of application security (and one of my first real exposures to the industry), this was my first experience attending any type of conference.
The weather was fantastic all week which gave attendees the chance to explore and sample some of downtown DC’s finest, including restaurants, cocktail bars, entertainment venues, historical sites and monuments and finally, some of the most amazing museums on the continent.
The Renaissance Hotel where the conference was taking place (and where I was lucky enough to stay the week) was a top venue not only in amenities, but also in location. Not even ten minutes walking distance from the White House, I had the ability to explore nearly all of the top sites in the region by foot.
Training Sessions
The conference itself started on the Thursday, but Tuesday and Wednesday were scheduled for optional training sessions. Topics such as Internet of Things exploitation, secure java development, building a secure DevOps pipeline and mobile application exploitation were given by industry leading specialists. With my mobile app development background it made sense for me to join the mobile application exploitation training sessions. In those sessions we covered most of the common techniques used to exploit mobile applications such as:
- reverse engineering
- runtime code modifications
- local storage exploitation
- memory dumping
- static analysis, etc.
Since time was very limited, most of the sessions consisted of the students setting up tools and environments to be ready to test and exploit apps, with exercises and training material to cover in the future on our own time. Overall, I found these two days pretty interesting, however the depth of the material was a little bit underwhelming – hard to expect any more over a short two-day period. As a mobile developer, I found that this training gave me a much better understanding of the various things we need to look at and be careful for when developing for those platforms.
APPSEC Conference
Thursday and Friday were for the conference proper. Four keynotes were spread out during these two days; one at the start of each day and one at the end. I found these to be more high-level than I expected. What was interesting to me was to see exactly where the industry stands in regards to certain topics such as cryptography and secure DevOps. It was nice to see the pain points organizations in the world are having and then to also be able to see what some of the best are doing right now in order to mitigate those pain points as best as possible. Overall, I did find that these were left a little open-ended: problems and past issues were well detailed; however concrete solutions to these were not explained in detail (or simply may not exist).
Other than the keynotes, the attendees were not short of options when it came to the rest of the presentations available. I attended talks about Docker and container technologies. Chenxi Wang enlightened me on several good techniques during her talk about protecting containerized apps with system call profiling. I now have several new ideas to help harden Docker containers and hosts to potential attacks.
I also attended a talk about threat modelling. Stephen de Vries described a complex system where developers can receive immediate feedback about which types of threats they need to deal with when working on certain application components (such as a user login API). Such a system would take out a lot of the boiler plate work required to come up with these (sometimes insanely complex) threat models would help reduce the number of meetings between security teams, architects, developers and project managers. It would allow developers the chance to incorporate them right away when developing new features instead of in an ad-hoc manner we are so used to do add these in.
At a talk about web application penetration testing by Jason Gillam and Kevin Johnson, and specifically SPAs by Dan Kuykendall, I learned several strategies that should become the basis of any security professional’s testing plan when it comes to testing for vulnerabilities in web apps.
Finally, during a presentation and demo about malware infested mobile applications, Yair Amit explained and demonstrated how hackers and malware developers are taking advantage of poorly written applications and unmanaged app stores across the world to infect devices everywhere.
Bonus Perks
During the entire week, attendees were spoiled with gourmet lunches and coffee breaks, exclusive lounge areas for OWASP members, access to a career fair and a great and all-inclusive social evening to mingle with not only vendors, but other specialists in the domain. I got the chance to meet people from all over the world, including some real nice folks I met from Minneapolis and Japan!
Verdict: Would Recommend
As a young developer just starting his career, this conference was a very good experience. I learned a ton of new stuff that I’ll be able to apply directly in my day-to-day work back home. I am very appreciative of Resolute Technology Solutions who not only decided to allow me time away from the office, but to cover all of the costs necessary to attend such an event. I would never have been able to enjoy this experience without them backing me up.
Of course, these events wouldn’t exist without the organizers. OWASP showed me in four days why they are one of the leading application security organizations in the world. The conference was a top-notch success that I would recommend to any security specialist looking to meet people, learn new things, get up to speed with industry trends, and ultimately pad their knowledge base with the latest and greatest industry expertise.