The OWASP AppSec Global event held recently was one of the better OWASP events I’ve been to and succeeded at bringing together AppSec professionals, researchers, and industry experts from around the world. I loved that it had a healthy mix of attendees ranging from DevSecOps to Red Team, AppSec consultants to developers, and experienced engineers to students.
The DryRun Security team had a booth there and we had a great time meeting friends, old and new alike. Being able to do fast code reviews for developers resonated with many of the attendees. Most AppSec pros feel inundated with requests, unable to deal with all the pull requests that make it to their desks, and feel that they don’t have the tools in place to move quickly. Also, no one can be an expert in every lang/framework out there, so they feel like most code reviews end up as a rubber stamp exercise.
We showed off how DryRun Security was built to reveal risky code changes and scale AppSec to devs, right where they work. In addition to showing off the product to attendees, we gave out swag, and invited attendees to try out the product. If you didn’t go to the event, but you’d like a product invite, signup at dryrun.security and we’ll get one heading your way soon.
The Buzz
Here are some of the main themes we noticed in the hallway track and conference talks at the event.
1. Emphasis on Proactive Measures: There's a strong focus on taking proactive measures against security threats. This includes the implementation of security practices in the early stages of the software development lifecycle (SDLC), as reflected in the discussions about secure coding, threat modeling, and the integration of security into DevOps practices.
2. Data-Driven Approaches: Utilizing data to guide security measures was a key theme and I was happy to hear how the OWASP Top Ten has grown to encompass the use of historical data as the research grows. When the talk by Brian Glas becomes available, watch it!
3. Addressing Software Supply Chain Security: Security of the software supply chain is a hot topic. Not too much of a surprise here, but we continue to see this area grow, the talk by Jeremy Long is a must-see and it was the talk that had the most buzz. He also stopped by the booth and I convinced Jeremy and Ken to pose for a picture.
4. Beyond Tool Implementation: There's a recognition that simply implementing security tools is not sufficient. The human aspect of security, the need for organizational change management, and the focus on creating collaborative, security-aware cultures are being highlighted. This suggests a trend towards more holistic, people-centric security approaches.
5. Security as a Driver for Performance: Security is being linked to overall organizational performance, with an indication that teams with integrated security practices are also the ones that perform better in terms of software delivery and operations.
6. Continuous Improvement: The best security teams, as noted, are those that focus on continuous improvement and collaboration. This reinforces the agile mindset, even in the realm of security, suggesting that incremental and iterative improvements are key to keeping pace with the evolving threat landscape.
We won an award!
In a field of 50+ incredible vendors, we were honored to win an award from Latio. We were named Most Innovative Startup! Latio did a nice writeup on the event and I’d say it’s worth checking out even if we didn’t win an award.
The Replay
I mentioned a few talks in the buzz section above, but below I’ve listed a few more I think would be worth checking out when the videos drop. This is just a sampling of talks I’m interested in either because of the topic, or the speaker, or both! If your fav talk isn’t listed here, let me know that I should check it out and add it. Shoot me a DM on LinkedIn.
Moving Forward By Looking Back: Data Collection and Analysis at OWASP
This talk by Brian Glas brings up the ongoing quest for answers to questions regarding performance, comparison, future actions, and improvement, emphasizing the use of data as a tool for learning from the past. His session covers insights from OWASP Top 10 and OWASP SAMM data analysis and introduces a new project dedicated to data collection across various OWASP projects, including governance, legal, data processing, analytics, and visualization—all for bringing context in to improve your organization and the discipline of information security.
The State of Secure DevOps - Security Enables Velocity
Nathen Harvey and Michele Chubirka highlighted something near and dear to our hearts here at DryRun Security: how to rise to the challenge of increasing security threats without slowing software delivery velocity. Nathen and Michele show how teams that met or exceeded their reliability targets were twice as likely to have security integrated into their software development process.
DevSecOps Worst Practices
Not every part of DevOps is intuitive and often when we’re instructed on best practices we aren’t told why those are the best practices. Tanya Janca dove into “DevSecOps Worst Practices” showing what to do to avoid them and why it’s important to do so.
OWASP DefectDojo
Matt Tesauro gave an in-depth look at his open source vulnerability management tool, DefectDojo, that streamlines the testing process by offering templating, report generation, metrics, and baseline self-service tools. If you’ve been thinking, “where’s the open source ASPM”, then this talk’s for you!
OWASP Top Ten for Kubernetes
As we all know, when we implement Kubernetes, we introduce new risks to our applications and infrastructure. Jimmy Mesta discusses The OWASP Kubernetes Top 10, aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem. Jimmy also got named as best talk by Latio!
A Security Department of Yes
Timothy Lisko and Ari Kalfus discuss how to leverage several key concepts of “influencing without authority” to successfully partner with non-security stakeholders and drive the strategic objectives of a security organization. Instead of security teams being seen as obstructions, as sometimes is the case, they propose a shift towards a "Department of Yes" approach, promoting collaboration, contextual security achievements, and overcoming bureaucracy.
They also give practical examples of influencing without authority and offer strategies for enhancing relationships, establishing credibility, and forming coalitions with other stakeholders.
Coraza WAF
José Carlos Chavez gives a great presentation on how to enforce good cybersecurity behavior with OWASP Coraza, a golang enterprise-grade Web Application Firewall framework that supports Modsecurity's seclang language and is 100% compatible with OWASP Core Ruleset.
Reflections on Trust in the Software Supply Chain
Jeremy long explores the current state of software supply chain security and the challenges organizations face in ensuring the security and trustworthiness of their software. He also gives a demonstration highlighting how some of the current efforts to secure the software supply chain may just be security theater and ends with a discussion of a promising solution: binary-source validation.
The Future Looks Bright
The OWASP 2023 Global AppSec conference seems to reflect an industry moving towards a more integrated, data-informed, and people-focused approach to security. This integrates security into the culture and processes of software development, rather than treating it as a separate or final step.
Overall, OWASP gave me a great sense that our industry is focused on the need for agility and adaptation in security practices to meet the demands of rapid technological evolution and increasingly sophisticated cyber threats.
This made me feel that our product is driving full speed in the right direction! Find out more about what we’re doing by dropping me an email at james@dryrun.security or sign up to join our early beta.
