What I Learned Watching All 44 AppSec Cali 2019 Talks



OWASP AppSec California is one of my favorite security conferences: the talks are great, attendees are friendly, and it takes place right next to the beach in Santa Monica. Not too shabby 😎

One problem I always have, though, is that there are some great talks on the schedule that I end up missing.

So this year I decided to go back and watch all 44 talks from last year’s con, AppSec Cali 2019, and write a detailed summary of their key points.

If I had realized how much time and effort this was going to be at the beginning I probably wouldn’t have done it, but by the time I realized that this endeavor would take hundreds of hours, I was already too deep into it to quit 😅

What’s in this Post

This post is structured as follows:

  • Stats: Some high-level stats and trends: which talk categories were most popular? Which companies gave the most talks?

  • Overview of Talks: A quick rundown of every talk in a few lines each, so you can quickly skim them and find the talks that are most directly relevant to you.

  • Summaries: detailed summaries of each talk, grouped by category.

Note the navigation bar on the left hand side, which will enable you to quickly jump to any talk.

Feedback Welcomed!
If you’re one of the speakers and I’ve left out something important, please let me know! I’m happy to update this. Also, feel free to let me know about any spelling or grammar errors or broken links.

If you find DevSecOps / scaling really interesting, I’d love to chat about what you do at your company / any tips and tricks you’ve found useful. Hit me up on Twitter, LinkedIn, or email.

Stats

In total, AppSec Cali 2019 had 44 talks that were a combined ~31.5 hours of video.

Here are the talks grouped by the category that I believed was most fitting:

We can also see that containers and Kubernetes were fairly popular topics (3).

Some things I found surprising were how many talks there were on threat modeling (4) and account security (4), and how there were only 3 primarily cloud security-focused talks. Perhaps the biggest surprise was that there were 3 talks on securing third-party code, with Slack discussing the steps they took to evaluate Slack bots and Salesforce discussing the review process on their AppExchange.

Here we see Netflix crushing it: they had presence on a panel, gave one of the keynotes, and collectively had 3 other talks. And of these 5 talks, 3 made my top 10 list. Not too shabby 👍

In second place, we see Segment coming in strong!

Netflix, Segment, and Dropbox were on at least one panel, while the rest of the companies listed had separate talks.

Overview of Talks

For your ease of navigation, this section groups all of the talks by category, gives a high-level description of what they’re about, and provides a link to jump right to their summary.

Note: the talks in each category are listed in alphabetical order, not in my order of preference.

My Top 10 Talks

This section lists my top 10 favorite talks from AppSec Cali 2019 ❤️

It was incredibly difficult narrowing it down to just 10, as there were so many good talks. All of these talks were selected because they are information-dense with detailed, actionable insights. I guarantee you’ll learn something useful from them.

A Seat at the Table
Adam Shostack, President, Shostack & Associates | Twitter | Linkedin

By having a “seat at the table” during the early phases of software development, the security team can more effectively influence its design. Adam describes how security can earn its seat at the table by using the right tools, adapting to what’s needed by the current project, and the soft skills that will increase your likelihood of success.

Cyber Insurance: A Primer for Infosec
Nicole Becher, Director of Information Security & Risk Management, S&P Global Platts | Twitter | Linkedin

A lovely jaunt through the history of the insurance industry, the insurance industry today (terminology you need to know, types of players), where cyber insurance is today and where it’s headed, example cyber insurance policies and what you need to look out for.

Lessons Learned from the DevSecOps Trenches
Clint Gibler, Research Director, NCC Group | Twitter | Linkedin
Dev Akhawe, Director of Security Engineering, Dropbox | Twitter | Linkedin
Doug DePerry, Director of Product Security, Datadog | Twitter | Linkedin
Divya Dwarakanath, Security Engineering Manager, Snap | Twitter | Linkedin
John Heasman, Deputy CISO, DocuSign | Linkedin
Astha Singhal, AppSec Engineering Manager, Netflix | Twitter | Linkedin

Learn how Netflix, Dropbox, Datadog, Snap, and DocuSign think about security. A masterclass in DevSecOps and modern AppSec best practices.

Netflix’s Layered Approach to Reducing Risk of Credential Compromise
Will Bengston, Senior Security Engineer, Netflix | Twitter | Linkedin
Travis McPeak, Senior Security Engineer, Netflix | Twitter | Linkedin

An overview of efforts Netflix has undertaken to scale their cloud security, including segmenting their environment, removing static keys, auto-least privilege of AWS permissions, extensive tooling for dev UX (e.g. using AWS credentials), anomaly detection, preventing AWS creds from being used off-instance, and some future plans.

Startup Security: Starting a Security Program at a Startup
Evan Johnson, Senior Security Engineer, Cloudflare | Twitter | Linkedin

What it’s like being the first security hire at a startup, how to be successful (relationships, security culture, compromise and continuous improvement), what should inform your priorities, where to focus to make an immediate impact, and time sinks to avoid.

Working with Developers for Fun and Progress
Leif Dreizler, Senior AppSec Engineer, Segment | Twitter | Linkedin

Resources that have influenced Segment’s security program (talks, books, and quotes), and practical, real-world tested advice on how to: build a security team and program, do effective security training, successfully implement a security vendor, and the value of temporarily embedding a security engineer in a dev team.

Account Security

Browser fingerprints for a more secure web
Julien Sobrier, Lead Security Product Owner, Salesforce | Linkedin
Ping Yan, Research Scientist, Salesforce | Linkedin

How Salesforce uses browser fingerprinting to protect users from having their accounts compromised. Their goal is to detect sessions being stolen, including by malware running on the same device as the victim (which therefore shares the victim’s IP address, so IP-based checks alone can’t catch it).

Contact Center Authentication
Kelley Robinson, Dev Advocate, Account Security, Twilio | Twitter | Linkedin

Kelley describes her experiences calling in to 30 different companies’ call centers: what info they requested to authenticate her, what they did well, what they did poorly, and recommendations for designing more secure call center authentication protocols.

Blue Team

CISO Panel: Baking Security Into the SDLC
Richard Greenberg, Global Board of Directors, OWASP | Twitter | Linkedin
Coleen Coolidge, Head of Security, Segment | Twitter | Linkedin
Martin Mazor, Senior VP and CISO, Entertainment Partners | Linkedin
Bruce Phillips, SVP & CISO, Williston Financial | Linkedin
Shyama Rose, Chief Information Security Officer, Avant | Linkedin

Five CISOs share their perspectives on baking security into the SDLC, DevSecOps, security testing (DAST/SAST/bug bounty/pen testing), security training and more.

It depends…
Kristen Pascale, Principal Technical Program Manager, Dell EMC | Linkedin
Tania Ward, Consultant Program Manager, Dell | Linkedin

What a PSIRT team is, Dell’s PSIRT team’s workflow, common challenges, and how PSIRT teams can work earlier in the SDLC with development teams to develop more secure applications.

The Art of Vulnerability Management
Alexandra Nassar, Senior Technical Program Manager, Medallia | Linkedin
Harshil Parikh, Director of Security, Medallia | Linkedin

How to create a positive vulnerability management culture and process that works for engineers and the security team.

Cloud Security

Cloud Forensics: Putting The Bits Back Together
Brandon Sherman, Cloud Security Tech Lead, Twilio | Linkedin

An experiment in AWS forensics (e.g. Does the EBS volume type or instance type matter when recovering data?), advice on chain of custody and cloud security best practices.

Detecting Credential Compromise in AWS
Will Bengston, Senior Security Engineer, Netflix | Twitter | Linkedin 

How to detect when your AWS instance credentials have been compromised and are used outside of your environment, and how to prevent them from being stolen in the first place.
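To make the core detection idea concrete, here is an added example written for this post (it is not Netflix’s tooling or code from the talk). The assumption it encodes is the one the talk builds on: temporary credentials handed out by the EC2 instance metadata service belong to a single instance, and EC2 uses the instance ID as the assumed-role session name, so CloudTrail should only ever show that session coming from that instance’s IP. The CloudTrail-style records, IPs, account ID, role and key names below are all constructed.

```python
"""Flag EC2 instance-role credentials used from an IP other than the instance's.

Added example for this post, not code from the talk. Assumption: instance
metadata credentials are tied to one instance, and the assumed-role session
name is the EC2 instance ID, so each session should map to one source IP.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Calls an AWS service makes on the instance's behalf are logged with the
# service's DNS name as sourceIPAddress (e.g. "lambda.amazonaws.com"); those
# are not off-instance use and are skipped.
AWS_SERVICE_SUFFIX = ".amazonaws.com"


def instance_session(record: dict) -> Optional[Tuple[str, str]]:
    """Return (instance_id, accessKeyId) if the call used instance-role creds, else None."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    # arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
    session_name = ident.get("arn", "").rsplit("/", 1)[-1]
    if not session_name.startswith("i-"):
        return None
    return session_name, ident.get("accessKeyId", "")


def find_off_instance_use(
    records: Iterable[dict],
    instance_ips: Optional[Dict[str, Set[str]]] = None,
) -> List[dict]:
    """Return one alert per record where instance creds came from an unexpected IP.

    instance_ips: optional map of instance ID -> IPs CloudTrail should show for
    it (Elastic IP, NAT gateway IP, VPC-endpoint private IP), e.g. built from
    DescribeInstances. Without it the first IP seen per session is trusted,
    which misses an attacker whose call happens to be the first one logged.
    """
    instance_ips = instance_ips or {}
    first_seen: Dict[str, str] = {}
    alerts: List[dict] = []
    for rec in sorted(records, key=lambda r: r.get("eventTime", "")):
        session = instance_session(rec)
        if session is None:
            continue
        instance_id, key = session
        src = rec.get("sourceIPAddress", "")
        if src.endswith(AWS_SERVICE_SUFFIX):
            continue
        if instance_id in instance_ips:
            expected = instance_ips[instance_id]
        else:
            expected = {first_seen.setdefault(key, src)}
        if src not in expected:
            alerts.append({
                "instance_id": instance_id,
                "access_key_id": key,
                "event_name": rec.get("eventName"),
                "event_time": rec.get("eventTime"),
                "source_ip": src,
                "expected_ips": sorted(expected),
            })
    return alerts


# Constructed CloudTrail-style records (not real logs). 198.51.100.10 is the
# instance's egress IP; 203.0.113.77 is an outside host replaying stolen creds.
INSTANCE_ID = "i-0a1b2c3d4e5f67890"
INSTANCE_ROLE_ARN = f"arn:aws:sts::123456789012:assumed-role/WebRole/{INSTANCE_ID}"
INSTANCE_KEY = "ASIAEXAMPLEKEY00001"


def _rec(time: str, name: str, src: str, ident: dict) -> dict:
    return {"eventTime": time, "eventName": name, "sourceIPAddress": src, "userIdentity": ident}


INSTANCE_IDENTITY = {"type": "AssumedRole", "arn": INSTANCE_ROLE_ARN, "accessKeyId": INSTANCE_KEY}
SAMPLE_RECORDS = [
    _rec("2019-01-23T10:00:01Z", "DescribeInstances", "198.51.100.10", INSTANCE_IDENTITY),
    _rec("2019-01-23T10:00:05Z", "GetObject", "198.51.100.10", INSTANCE_IDENTITY),
    # Same key, but from outside the environment: this is the compromise.
    _rec("2019-01-23T10:02:30Z", "ListBuckets", "203.0.113.77", INSTANCE_IDENTITY),
    # A service acting for the instance; logged with a service name, not an IP.
    _rec("2019-01-23T10:03:00Z", "GetObject", "lambda.amazonaws.com", INSTANCE_IDENTITY),
    # An IAM user session is not instance creds and is ignored here.
    _rec("2019-01-23T10:04:00Z", "ListUsers", "203.0.113.5",
         {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "accessKeyId": "AKIAEXAMPLEKEY00002"}),
]

if __name__ == "__main__":
    for alert in find_off_instance_use(SAMPLE_RECORDS, {INSTANCE_ID: {"198.51.100.10"}}):
        print(alert)
```

Run stand-alone it prints the single `ListBuckets` alert from 203.0.113.77. The two modes matter in practice: the learn-first-IP fallback is cheap but trusts whatever shows up first, so an inventory of real instance/NAT/endpoint IPs is what makes the check reliable, and instances whose egress IP legitimately changes (new NAT gateway, VPC endpoint added) need that inventory refreshed to avoid false positives.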

Containers / Kubernetes

Can Kubernetes Keep a Secret?
Omer Levi Hevroni, DevSecOps Engineer, Soluto | Twitter | Linkedin

Omer describes his quest to find a secrets management solution that supports GitOps workflows, is Kubernetes native, and has strong security properties, which led to the development of a new tool, Kamus.

How to Lose a Container in 10 Minutes
Sarah Young, Azure Security Architect, Microsoft | Twitter | Linkedin

Container and Kubernetes best practices, insecure defaults to watch out for, and what happens when you do everything wrong and make your container or cluster publicly available on the Internet.

Keynotes

Fail, Learn, Fix
Bryan Payne, Director of Engineering, Product & Application Security, Netflix | Twitter | Linkedin

A discussion of the history and evolution of the electrical, computer, and security industries, and how the way forward for security is a) sharing knowledge and failures and b) creating standard security patterns that devs can easily apply, raising the security bar at many companies, rather than improvements helping just one company.

How to Slay a Dragon
Adrienne Porter Felt, Chrome Engineer & Manager, Google | Twitter | Linkedin

Solving hard security problems in the real world usually requires making tough tradeoffs. Adrienne gives 3 steps to tackle these hard problems and gives examples from her work on the Chrome security team, including site isolation, Chrome security indicators (the HTTP/HTTPS padlock icons), and displaying URLs.

Misc

Securing Third-Party Code

Security Tooling

BoMs Away – Why Everyone Should Have a BoM
Steve Springett, Senior Security Architect, ServiceNow | Twitter | Linkedin

Steve describes the various use cases of a software bill-of-materials (BOM), including facilitating accurate vulnerability and other supply-chain risk analysis, and gives a demo of OWASP Dependency-Track, an open source supply chain component analysis platform.
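The vulnerability-analysis use case is easier to picture with a small worked example, so here is one added for this post (it is not Dependency-Track’s code). It reads a CycloneDX-style JSON BOM, which identifies each component by package URL (purl), and matches the components against a vulnerability feed keyed by purl with affected version ranges of the form [introduced, fixed). The BOM, the advisory IDs, the package names and the version ranges are all constructed for illustration.

```python
"""Match a CycloneDX-style BOM against a vulnerability feed by package URL.

Added example for this post, not Dependency-Track's code. The BOM and the
advisory feed are constructed; advisories are keyed by purl without a version
and carry affected ranges as [introduced, fixed), with fixed=None meaning
"no fixed version yet".
"""
import json
import re
from typing import Dict, List, Optional, Tuple


def parse_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into (coordinate, version)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    coord, sep, version = base.rpartition("@")
    if not sep:
        return base, ""
    return coord, version


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric comparison key padded to four fields (enough for release versions,
    not for pre-release tags such as 1.0.0-rc1, which compare as 1.0.0)."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if introduced <= version < fixed (or version >= introduced when no fix exists)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def match_bom(bom_json: str, advisories: List[dict]) -> List[dict]:
    """Return one finding per (component, advisory) pair whose version is in range."""
    bom = json.loads(bom_json)
    by_coord: Dict[str, List[dict]] = {}
    for adv in advisories:
        by_coord.setdefault(adv["purl"], []).append(adv)

    findings: List[dict] = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # components without a purl cannot be matched reliably
        coord, version = parse_purl(purl)
        for adv in by_coord.get(coord, []):
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": comp.get("name"),
                    "purl": purl,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return findings


# Constructed BOM: fictional packages, not real components or real advisories.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-left-pad", "version": "1.3.0",
         "purl": "pkg:npm/example-left-pad@1.3.0"},
        {"type": "library", "name": "acme-core", "version": "2.5.16",
         "purl": "pkg:maven/com.example/acme-core@2.5.16?type=jar"},
        {"type": "library", "name": "example-parser", "version": "0.9.1",
         "purl": "pkg:pypi/example-parser@0.9.1"},
        {"type": "library", "name": "example-ok", "version": "3.0.0",
         "purl": "pkg:npm/example-ok@3.0.0"},
    ],
})

# Constructed advisory feed (IDs and ranges are made up for this example).
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:maven/com.example/acme-core",
     "introduced": "2.0.0", "fixed": "2.5.17"},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:npm/example-left-pad",
     "introduced": "0", "fixed": "1.3.5"},
    {"id": "ADV-EXAMPLE-0003", "purl": "pkg:pypi/example-parser",
     "introduced": "1.0.0", "fixed": None},
]

if __name__ == "__main__":
    for finding in match_bom(SAMPLE_BOM, SAMPLE_ADVISORIES):
        print(finding)
```

Two components match here (acme-core and example-left-pad); example-parser is below the advisory’s introduced version and example-ok has no advisory at all. The purl qualifier on the Maven component (`?type=jar`) is stripped before matching, which is the kind of normalization a real platform has to get right for every ecosystem it supports, and the deliberately simple version key is the weak spot: pre-release and distro-patched versions need ecosystem-specific comparison rules.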

Threat Modeling

Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team
Izar Tarandach, Lead Product Security Architect, Autodesk | Twitter | Linkedin

Attributes that threat modeling approaches need in order to succeed in Agile dev environments, how to build an organization that continuously threat models new stories, how to educate devs and raise security awareness, and pytm, a tool that lets you express threat models as Python code and output data flow diagrams, sequence diagrams, and reports.

Web Security

Preventing Mobile App and API Abuse
Skip Hovsmith, Principal Engineer, CriticalBlue | Twitter | Linkedin

An overview of the mobile and API security cat and mouse game (securely storing secrets, TLS, cert pinning, bypassing protections via decompiling apps and hooking key functionality, OAuth2, etc.), described through an example back and forth between a package delivery service company and an attacker-run website trying to exploit it.

To read a detailed summary of any of the above talks, click on the talk title above their descriptions or in the table of contents at the top of this post.
