
Mile-High AppSec

I just returned from AppSec USA last week in Denver. Many of you are likely familiar with this conference: it’s when our good friends over at OWASP pick a lucky city and converge on it, bringing together some of the world’s best-known application security practitioners, experts and hackers. WhiteHat Security had about 10 people floating around between sessions, booths, and several fun after-hours endeavours. As in past years, last week Denver was the place to be if you work in application security.

I had the good fortune of being a panelist in one session discussing the use of Open Source software in the Enterprise. The panel was moderated by Sonatype’s Derek E. Weeks (@weekstweets), who helped put together the Open Source Security survey we were discussing. Other panelists included Josh Corman (@joshcorman), Damon Edwards (@damonedwards), and Jeff Williams (@planetlevel), who were all fantastic contributors and really bright guys in general. Some of the takeaways from our conversation were eye-opening:

  1. Open Source Security policies are rare and when they exist, they are even more rarely followed.
  2. Most companies still rely on *manual* testing of their codebase, including the Open Source libraries.
  3. Even when manual testing occurs it tends to happen mostly in production.
  4. Nobody knows what Open Source libraries they use or where they live.
  5. Responsibility for the security of Open Source libraries varies widely (IT, Compliance, Risk, Security).
  6. -10. Heartbleed sucked hard.

Here is a video of the panel.

After the panel I also got a chance to present the Top 10 Web Hacking Techniques of 2013 with my esteemed colleague Johnathan Kuskos (@johnathankuskos). For those of you who follow the WhiteHat blog, this should be old hat: we ran this presentation as a webinar and a living blog post here earlier this year. The content is fantastic, the researchers we pay homage to are all top-notch, and the hacks this year were really creative; some went very deep into the technical nitty-gritty.

If you want to see some of the AppSec talks, check out the OWASP YouTube channel, which they are updating daily as they process the recordings. I’m sure the Top 10 will pop up there in the next few days.

Beyond the talks, you can all join me in congratulating Johnathan Kuskos on winning this year’s WaspNestCTF, developed by the OWASP Boulder, Colorado chapter. Johnathan tied for first place against a team of three… all by himself. This also means he won some additional prizes for the most flags captured by a single person. Congrats Kuskos!

We also took the opportunity to launch our new WhiteHat HackerKast web series while in Denver; after all, it’s not often that three of us are in the same room together! You can view the first episode below. HackerKast will be a weekly conversation between three of us at WhiteHat in which we discuss the latest news people are talking about on Twitter, recent headlines, or interesting pieces of research that we believe the industry will benefit from. In this first episode, Jeremiah Grossman (@jeremiahg), Robert Hansen (@RSnake) and I talk about interesting topics from the show floor.

In general, we had a blast in Denver trying out some craft beer during the OWASP pub crawl, hanging out with the awesome team from BugCrowd, who hosted a Bug Smash, and mingling with some of the top AppSec people in the world. Next year’s AppSec USA is in San Francisco, so we can all go bug Michael Coates (@_mwc) in his backyard. Hope to see many of you there!

And now… HackerKast Episode 1: