I spent the week at OWASP AppSec California in Santa Monica and had a great time! This is the 2nd year of having the event at this location, and even as a southern California native, it is a beautiful location. There were a good number of people from the east coast that I didnt see at AppSec USA last September. I can imagine for those that need to choose one or the other, its an easy choice to turn down Denver in September in favor of southern California beaches in January!
I thank all the organizers for their hard work and for lining up a great roster of speakers. It was a very good event!
On Monday the great folks at Riot Games invited the speakers to a tour of their offices and a chance to play League of Legends in their in-house PC bang. When I got the invite, I asked Angela if I could bring my 16yr old son with me, and she said yes. I got very happy about this because, I saw on source: gamingbuff.com that LoL was the most played and popular game right now! My son has been taking Comp Sci classes in school and is interested in software development, so I figured it would be a great chance for him to what its like to be a game developer at one of the hottest gaming companies in the industry. Not to mention, its a good chance to make his League of Legends friends jealous. The tour was very cool, and both my son and I were really impressed. He made me laugh when he commented on all the beers covering the developers desks!
After the tour we headed into the PC Bang to play LoL and got some coaching from the Riot games staff. I was able to hold my own well enough, but my son was “The Carry” and lead us to victory! Nice job Matthew 😉
I had planned to be at the conference nice and early to hear the keynote, but after my 3 hour drive home on Monday night, I needed to work on my slides for Wednesday, so I waited till traffic died down. So I didn’t arrive till a little after noon, and as a result, I regretfully missed Alex Stamos’s keynote, which I heard was very good. I also missed “Fixing XSS with Content Security Policy” by Ksenia Dmitrieva which was later referred to in several other talks, which made me feel like I I better go back and watch both of these talks when released on video when it gets posted.
12:00: I arrived in the middle of the noon sessions, and couldn’t make a choice between “No Better ROI: HTTP Headers for Security” by Caleb Queern and “Hacking Management: Why Stop at Domain Admin?” by Adam Brand, so I ended up heading to lunch a little early and taking the opportunity to chat with some old friends and meet a few new ones. I also later asked each for the short version of what they covered, and now have 2 more talks to add to my video queue.
1:45pm: “Levelling up an application security program” by David Rook from Riot Games – I really enjoyed David’s talk and the way he has lead the security team at Riot to create an open culture at Riot where the developers are able to have security come alongside them and they help the developers at the pace of their interest. It seems to be a much better approach than how many organizations end up shoving security down developers throats.
2:45pm: “API = Authentications Poorly Implemented” by Zach Lanier from Accuvant – Sadly it wasn’t a onesie, but Zach wore the awesome sweater! I enjoyed seeing someone else talking about this web service issue, and Zach had several really good examples of vulnerabilities/exploits that have been publicized recently. He also did a great job covering WSDL 2.0 for REST, WADL and Swagger. I might have to steal his slides!
4:15pm: “Making SSL Warnings Work” by Adrienne Porter Felt – I did ask her about the topic of security notification for mobile apps (analogous to how browsers show a lock icon to let users know the site is using encryption). She said her preference would be to disable unencrypted communication in android altogether! Someone move her from Chrome to the Android project!! Her talk was even more interesting than expected. I really had never considered the challenges with SSL Warnings. I really suggest watching this if you get a chance.
As I still had some significant work to do on my slides and prep for Wednesday, I decided to skip the 5:15pm talks and home at 5:30pm. Of course I ended up in another 3 hour journey home and was reminded how lucky I am to be able to telecommute most of the time.
I actually ended up driving in early and arrived at 9am. However, I still needed to make some last minute improvements on my presentation, so I sadly had to skip Katie Moussouris‘s keynote. I’m sure she great, and its another for my video queue.
10:30am: I had planned to watch “Chrome Security Health & Wellness” by Parisa Tabriz but there was nowhere to sit that had a power outlet, and I was still working on my presentation. So I moved over to “Caspr and Friends (Content-Security-Policy Reporting and Aggregation)” by Stuart Larsen and got a nice place by an outlet. This worked out because I had missed out on Ksenia Dmitrieva‘s talk the day before, so I was eager to hear some CSP talk. The product that Stuart created looks very useful, and really makes it possible to start doing useful analytics on CSP data.
11:30am: With my sides complete and my live demo environment actually working, I did my first showing of “Hackazon – Stop hacking like its 1999”. The talk was well attended, there were some great questions at the end and overall I think it went well.
Lunch – Another fun time hanging out with old and new friends. We got to discuss the history of WebGoat and OWASP with Jeff Williams, and of course Jim Mainco had to pop in for a sales pitch!
2:00pm: “Building a Modern Security Engineering Organization” by Zane Lackey from Signal Sciences – I only watched the first half of Zane’s talk, and not because I wasn’t enjoying it, the talk was going great. But I couldn’t stomach the idea of another 3 hour drive home, and decided to leave early to get a jump on the traffic. So I headed home, and was able to get home in an 1 1/2 hours! Much better.
I hope the organizers post the videos soon, because I am eager to see Matt Tesauro’s talk as well as Charlie Miller’s closing keynote. There are a few others that I need to watch, including the one about SQLViking, which I spoke with Ken Toler about, and his work and tool look very interesting. Greg Foss’s talk about Wi-Fi Hacking, which I saw a couple parts of, and spoke with him about… he’s doing some very interesting research and hopefully I will be able to spend some time with him to learn more.
I thank everyone for making the event such fun. I am sorry I cannot mention everyone and all the great talks, but I will say that this is a conference I highly recommend and its well worth watching every talk from this years event and start making plans to be there next year!