Monthly Archives: February 2017

AppSec California 2017


After attending both Defcon and HOPE, I thought I should open my mind to other, more traditional security conferences.  Since it was a short flight and of modest cost, I chose AppSec California, put on by OWASP.  It was great!

tl;dr

Good:

  • 11 of the 13 speakers/subjects I heard were great!
  • Santa Monica makes for a good venue: walkable, good coffee, good food and bike sharing program!
  • I fully grok CSP now
  • No big snafus by OWASP organizers: schedule, venue and food were well planned
  • Plenty of chance to meet and chat with folks
  • Two days was just long enough to pack in lots of good info, but not too long to be overwhelmed
  • Low cost registration

Just one here, but the Bad:

  • 2 of the 13 talks were bad.  One was a vendor pitch, the other was a possibly OK keynote, but the speaker was a royal dick to the AV staff at the start of his talk

Santa Monica

This was my first time in Santa Monica (though maybe there was a trip when I was 18!?), and I liked it.  The biggest hits were that it was highly walkable and had a bike share program. This meant I could walk to a nearby dinner and then the next morning take a ride along the beach to the conference:


As well, if you want to get your snooty 3rd wave coffee on, then you can bop over to Demitasse on 3rd street. Tasty! Another nice feature of the town is that it has a nice collection of trails along the beach.  The first night I was there I took a lovely 6 mile run on them well into the Pacific Palisades right from my hotel doorstep. Sunsets over the ocean are nice too (and I know I’m playing into OWASP’s desired PR for the location of the conference ;)

Conference highlights

Overall this was a great conference! I ended up seeing 3 talks which heavily focused on Content Security Policy (CSP), which I’d only lightly heard about before.  When done right, and thoroughly, it removes the JavaScript attack vector including, but not limited to, click jacking and XSS.  Ilya Nesterov’s talk, “CSP: The Good, the Bad and the Ugly” really did a great job in describing how to implement it.  Specifically, he spoke about a lot of the pitfalls (no inline scripts vs. inline scripts all having a nonce), browser adoption rate as compared to CSP Levels (e.g. full adoption of CSP 1) and interesting things about the CSP Level 3 draft.
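As an added illustration of the pitfalls mentioned above (my own example, not code from the talk or from OWASP), here is a small Python checker that parses a CSP header and flags the usual mistakes: `'unsafe-inline'` on scripts with no nonce or hash, wildcard script sources, and a missing `frame-ancestors`. The `nonce_policy` helper shows the “every inline script carries a nonce” approach, keeping `'unsafe-inline'` only as a fallback for CSP 1 browsers, which CSP 2+ browsers ignore once a nonce is present. The header strings are constructed samples.

```python
"""Lint a Content-Security-Policy header for common pitfalls (constructed example)."""
from typing import Dict, List

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
BROAD_SOURCES = {"*", "https:", "http:", "data:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split "dir src src; dir src" into {directive: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # Directive names are case-insensitive; nonce values are not, so keep sources as-is.
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def lint_csp(header: str) -> List[str]:
    """Return a list of findings; an empty list means none of the checked pitfalls apply."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: any fetch directive you forgot is unrestricted")
    # script-src falls back to default-src when it is absent.
    script = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(src.startswith(NONCE_OR_HASH) for src in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash: inline XSS still runs")
    if BROAD_SOURCES & set(script):
        findings.append("script-src permits wildcard or whole-scheme sources: scripts can load from anywhere")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: the page can be framed, so click jacking is not mitigated")
    return findings


def nonce_policy(nonce: str) -> str:
    """Per-response header where every inline script must carry this nonce.
    The nonce must be fresh per response (e.g. secrets.token_urlsafe(16)); this is the caller's job."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}' 'unsafe-inline'; "  # 'unsafe-inline' ignored by CSP 2+ once a nonce is present
        "object-src 'none'; frame-ancestors 'none'"
    )


if __name__ == "__main__":
    weak = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
    for finding in lint_csp(weak):
        print("weak policy:", finding)
    print("nonce policy findings:", lint_csp(nonce_policy("d2ViZGV2")))
```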

I enjoyed Sun Hwan Kim and Julien Sobrier’s talk, “HSTS, TLS, HPKP, CSP: putting them all together to move to HTTPS” not only for the in-the-field experience of securing a large site, but for the audience questions as well.  While he didn’t have a talk at the conference, Scott Helme had some great comments and questions.

Though her talk was a bit less organized than I’d hoped, I very much enjoyed hearing Yan’s talk, “Dissecting Browser Privacy”.  I’ve been following her blog for some years now, so it was nice to meet her in person.  Her talk wasn’t pitching the Brave browser, where she works, but Yan did reference it often in her talk.  I think it may be the best browser for my laptop because it supports touch so well!

Not a highlight, but noteworthy: Gary McGraw did the opening keynote.  Before he could get started he chose to be demeaning in a very public way to the AV person.  It was 3-5 minutes of him being just shy of cursing out the staff about why the microphone wouldn’t work.  I later told the AV staff member that she was awesome and that I really appreciated her being professional throughout the ordeal.  The other minor hiccup in the speakers was Jack Bicer’s talk, “Want to be secure? Eliminate passwords. If you don’t have a password, it can’t be stolen!”.  This ended up being 15 minutes of fear mongering about how your password can get hacked, all while ignoring password managers. I left early, but heard later that, unsurprisingly, the “solution” to all these fears was to adopt Mr. Bicer’s product :(

As a one-man web dev shop, I found it painfully obvious how important automation is. Static analysis of code, feature and regression checks, pentests and more can be run in an automated fashion even if you have to manually kick off the automated tests. This provides the equivalent of many man hours of manual tests, all done at no time-cost. The conundrum is that it can take months to set this automation up, and that’s time when you’ll be releasing no new features and fixing no bugs.  Matt Tesauro’s talk, “AppSec Pipelines and Event-based Security: Moving beyond a traditional security test” was a good reminder about this.

Talks

These are the talks I attended with a few notes where applicable: