Tuesday, August 27, 2013

OWASP AppSec EU 2013 Trip Report


OWASP AppSec EU 2013 was held in Hamburg Germany at the Emporio.  The session line-up featured key speakers from all over the world.  As usual, the OWASP conference provides terrific value for your money.  OWASP is also noteworthy among security conferences since it focuses heavily on defending web applications.

The longer I'm in the business of security, the more I appreciate speakers who communicate in terms of solutions as opposed to raising conundrums.  Now that's not to say pointing out problems is unimportant.  Conferences that teach offensive techniques help us all understand better how to defend our assets.  They also serve well to shock the entire industry into change.  Still, after 0-day sensations fade away, it's up to the defenders to pick up the pieces and secure their application assets.  This is where OWASP comes in.  While OWASP dabbles a little on both sides of the fence with both offensive and defensive session content, I see its real value in defensive measures -- helping an entire community solve tough security challenges.  Along the lines of defense, a couple of sessions stand out from among the pack.

OWASP Top 10 Proactive Controls by Jim Manico (Twitter: @manicode), White Hat Security.  Many security professionals are familiar with the OWASP Top 10.  The Top 10 brings attention to common security problems or "gotchas" many organizations encounter writing software.  The OWASP Top 10 Proactive Controls are somewhat the converse: security measures we should apply to protect our information systems.  From a security maturity perspective, the OWASP Top 10 helps us spot common security problems and the Top 10 Proactive Controls help us address our security concerns.  I really like the follow-through and where this effort is heading.  Especially, thinking in terms of positive action we can all take helps move the industry forward.

New OWASP ASVS 2013 by Sahba Kazerooni (Twitter: @ShahbaKaz), Security Compass.  For those not familiar, the OWASP Application Security Verification Standard (ASVS) project establishes security test cases by major domain.  Specifically, ASVS defines the security requirement areas or major domains of security as: Authentication, Session Management, Access Control, Input Validation, Cryptography (at Rest), Error Handling and Logging, Data Protection, Communication Security, HTTP Security, Malicious Controls, Business Logic, Files and Resources, and Mobile.  Within each of the domains various security test cases are provided.  The idea is that you can choose the domains applicable to your product and review the test cases so you don't overlook any.  Sahba's presentation covers a refresh of the ASVS standard to bring it current with 2013 challenges.  If you're charged with creating security test cases or even implementing security controls, the document is a helpful resource worth a review.

Aside from the conference sessions, I take some time out to talk with colleagues.  The security landscape changes fast so it's good to keep up to date.  In this conference, I spoke with Dinis Cruz (Twitter: @DinisCruz) the O2Platform project lead.  O2 provides some really cool means to generate security test scripts fast.  An ancillary platform feature I really liked is you can take these scripts and compile them to standalone Windows executables.  This is great if you want to share a binary you create with others without requiring a grab bag of supporting components or even the O2 platform.
Photo: OWASP AppSec EU from left,
Dinis Cruz, Steven van der Baan, and Milton Smith

In considering scripting features, the O2 platform seems to have some practical uses even if you're not interested in security.  I'm still learning about O2 but it's interesting technology I would like to investigate further.  Ok, a couple of tips if you get to meet Dinis.  Be up on your coffee since he talks really fast.  Next, Dinis does not wear shoes so don't step on his toes.  Steven van der Baan (Twitter: @vdbaan) joined our discussion.  Steven helps organize OWASP Capture The Flag (CTF) events.  He will be heading up a CTF at AppSec USA in NYC.

On Friday, I provided a session at the conference on Java security, Making the Future Secure with Java.  In my session I covered some background around Oracle security policies.  Covering policies is not very exciting but I have discovered that if I omit it entirely I inevitably receive questions like, "Hey, why don't you guys discuss X, Y, Z with the public?"  I also provided an overview of remediation progress and recent security features delivered, since many are unaware of our progress.  I believe the OWASP events team is planning to make session media available to the public but I'm not sure when.

A few thoughts on the location.  Hamburg is a refreshingly beautiful port town and bustling center of commerce.  In the summer, the climate is very similar to San Francisco, California, made complete by occasional fog.  While residents are quick to report that winters are cold, the conversation is warm and the people are inviting.
Photo:  Hamburg panoramic from 23rd floor of Emporio

You will be challenged without a command of the German language but you will not be lost.  A significant number of signs provide an English translation less prominently under the primary German message.  ATMs and public transit ticket machines are localized in English.  There's a significant population that understands some English, and the remainder are surprisingly tolerant of visitors like me who don't know anything about the language.  It's always humbling to be immersed in a room full of people where you don't understand the discussion.

Photo: OWASP AppSec EU from left,
Dalibor Topic and Milton Smith
Thanks to Dalibor Topic (Twitter: @robilad) for taking time away from his evening and family to show me around the city.  Dalibor is local to Hamburg, and it's always great to visit a new place with a friend -- many thanks!  Dalibor is a leader in the OpenJDK project.  If you want to see what Dalibor's up to, check out the OpenJDK project.

This is perhaps only loosely related, but the timing seems appropriate.  Thanks to Jim Manico and Michael Coates (Twitter: @_mwc) for assisting me with reviewing JavaOne session submissions for our new security track, Securing Java, and for your participation.  J1 is almost here; phew, time flies.  I should have mentioned this in my presentation.
