July 13, 2018
The security team at WORTH recently attended the annual OWASP Appsec Europe conference. We value knowledge sharing, especially in the security field, because the environment changes so quickly, and that makes this conference an important one for us. From a developer’s perspective, it is critical to stay up-to-date with the latest defense mechanisms; from a security tester’s perspective, it is important to be informed about the latest exploits and tools. It can be difficult to keep up with the latest application security technologies without attending conferences, so we make it a priority to attend events like this. When planning to attend this event, keep the following tips in mind:
1. Know where you're going
The annual OWASP Appsec Europe conference is an event where developers and security experts come together to share their knowledge. The main conference (on Thursday 5th & Friday 6th of July 2018) offers talks for pentesters and ethical hackers, for developers and security engineers, on DevOps practices, and on Security Management for executives.
For those of you who do not know what DevSecOps means: security must be fully blended into Development and Operations rather than kept separate, hence the word DevSecOps.
- 4 main tracks: “DevSecOps”, “Hacking”, “CISO” and “Development”
- 50+ presentations with speakers from over 30 different countries
- 700 attendees
- 3 training days, 2 conference days
When planning to attend the conference, take note of the location, and make travel arrangements in advance to avoid any surprises - especially if you have been given a limited budget. The hotel we selected for the 2018 conference was just 10 min. from the conference location using public transport, making travel to and from straightforward.
2. Set your goals, plan your talks
Ask yourself: are you here for networking, learning new things, sharing your own knowledge, or for falling asleep during presentations and enjoying the food and drinks?
As mentioned previously, up-to-date security knowledge is valuable, so your main goal here is to learn from new experiences from the field as much as possible. This year, we were interested in the Secure Development talks but we were also interested in new web vulnerabilities and defense mechanisms.
There are many presentations divided into four tracks, and a few of your interesting picks will almost certainly overlap. The same problem arises at a music festival: you cannot split yourself in two. Lucky for us, we attended in a group of three, so we could easily split up and discuss the presentations during the breaks.
Grab a floor plan booklet which you can use to navigate inside the conference centre and schedule ahead.
3. Learn from presentations and ask questions
Take notes, but remember all presentations and slides will be published online. OWASP values an open transparent community where information sharing is key. If you have a burning question but don’t feel like posing it in front of the crowd, take note and try to catch up with the speaker after the presentation.
Here are short summaries of some of the interesting talks from this year's event:
Deconstructing threat modeling
Ciaran Conliffe shared his experiences and ideas regarding Threat Modeling. Threat modeling is an architectural risk analysis method used in every Secure Software Development program.
He discussed the many methods and practical approaches to threat modeling. Contradictory methodologies and advice are everywhere, and it often seems as if no two people share the same definition of threat modelling; however, he emphasised that each organization should apply its own flavor rather than a “one size fits all” approach. This confirmed our own atypical approach, which is a simplified threat modeling process, and it underlined how important it is to maintain collaboration and awareness across the whole team during the workshops.
Building Developers into Security Champions (Peter Chestna)
This talk from Peter Chestna was a good one, as he discussed the process of introducing security champions within an organization. As a matter of fact, we are currently going through the same process, so we were very curious about the tips, tricks and pitfalls. Peter emphasised that, through careful selection and good training, it is possible to build your own guild of security champions from the very people who own the development process.
Although we did not learn anything specifically new, this information confirmed that we are on the right track: the same approach to recruitment and to maintaining interest is being adopted by many other companies.
4. Consume your brainfood
Yes, the OWASP Appsec Europe conference entrance fee included lunch and drinks, and I must say it was very well organized. Everything came in miniature format: mini hamburgers, sandwiches and even a mini fish ‘n chips basket. One word of advice: don’t eat too much, otherwise you might fall asleep during the afternoon presentations.
5. Expand your business network
At the conference centre itself, the crowd and vendors are quite friendly. The main expo is a social event space where people come together to socialise. It's a great space and time to catch up with one of the expert lecturers to discuss a question you have about threat modelling, for example.
In the security world, sometimes it’s who you know rather than what you know. Being a reliable expert in security can go a long way! Share your LinkedIn or contact details, as you might need each other in the future.
In the conference areas there are various vendor booths promoting the latest advances in application security technology. It is a good idea to talk to vendors about their latest features and problem-solving solutions.
In the end
Much to our liking, the OWASP Appsec Europe conference is naturally quite security-oriented and at times very technical when it comes to hacking. This year, we managed to attend almost all of the technical talks, or at least the ones that interested us most.
At the end of the day we learned a lot of new security-related tips. And who knows? Maybe next time we will step up and make a contribution to the community with our own presentation!