AppSec USA 2016
I put this list together after attending AppSec USA 2016 here in DC this October, but had to wait to send it out until I was able to get links to the videos of the talks (OWASP took their sweet time on this).
Key trends noted at the conference from people, vendors, talks and topics in general:
DevOps - the next evolution of the SDLC; refer to the Rugged Manifesto. DevOps/CI/CD focuses on automating everything and applying people to the analytics that improve the tasks in the pipeline. AppSec activities can and should be automated as much as possible: we have tons of activities that we do repeatedly (or should be doing repeatedly) that a machine can do. Tools exist now to take over most of these things; we just need to orchestrate that pipeline of activities.
Software Supply Chain - also referred to as open source testing. We need to know what goes into our products. The libraries our developers use, the tools our vendors use, and the libraries those tools include are all potential weak points. These libraries and software have licenses that must be respected, but we also must be able to track what we are using so that fixes for CVEs can be pushed quickly and directly to the software that is vulnerable.
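To make the tracking point concrete, here is an added example (not from the post, and not any of the vendor tools listed below) that matches a constructed component inventory against a constructed advisory feed using fixed-in version ranges; every component name, version and advisory id in it is a placeholder:

```python
# Added example, not from the post or any tool it mentions: a minimal
# inventory check that maps fixed-in-version advisories onto the third-party
# components each application ships. All names, versions and ids are constructed.
from dataclasses import dataclass

def parse_version(text: str) -> tuple[int, ...]:
    """Dotted numeric version -> comparable tuple ('1.10.2' -> (1, 10, 2))."""
    # Plain string comparison would sort '1.9.0' after '1.10.0'; tuples avoid that.
    return tuple(int(part) for part in text.strip().split("."))

@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE
    component: str
    introduced: str    # first affected version (inclusive)
    fixed_in: str      # first fixed version (exclusive)

def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed_in)

def find_exposures(inventory: dict[str, dict[str, str]],
                   advisories: list[Advisory]) -> dict[str, list[tuple[str, str, str]]]:
    """Map each advisory id to the (app, component, version) triples it hits."""
    hits: dict[str, list[tuple[str, str, str]]] = {}
    for app, components in inventory.items():
        for component, version in components.items():
            for adv in advisories:
                if adv.component == component and is_affected(version, adv):
                    hits.setdefault(adv.advisory_id, []).append((app, component, version))
    return hits

# Constructed inventory (app -> {component: version}); in practice it is
# generated from lock files or an SBOM at build time, not written by hand.
INVENTORY = {
    "customer-portal": {"jsonlib": "1.9.3", "http-client": "2.4.0"},
    "billing-api": {"jsonlib": "1.10.1", "http-client": "2.2.7"},
}

# Constructed advisory feed with placeholder ids.
ADVISORIES = [
    Advisory("EXAMPLE-2016-0001", "jsonlib", "1.0.0", "1.10.0"),
    Advisory("EXAMPLE-2016-0002", "http-client", "2.0.0", "2.3.0"),
]
```

The output of `find_exposures` is the list of "push this fix here" work items the paragraph describes; the inventory is the part most teams do not yet have.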
REST APIs - Nothing new here; we know what these are, but we need to recognize that more and more teams are building RESTful APIs for their systems to use. AppSec needs to test these, but how can we possibly do that when there is no interface and (almost always) little to no documentation? AppSec needs to push developers to write REST APIs in a more mature way (read: with good documentation). APIs are an excellent format for fully automated testing; can we supply development teams with good test cases and test tools that integrate into their build/test process so that we don't need to be engaged?
Vendors that we should network with to run tech demos or proof of concept testing:
Open Source Library Scanning - BlackDuck, CodeDx, Sonatype, Palamida
WAF-ish Protection - Signal Sciences, Shape
Recruiting - Identify
JS Self-Protection - JScrambler
Static Analysis - Checkmarx
Tools that AppSec/GRC should look into hosting/using:
Vuln Mgmt / Tracking / Merging - Threadfix, Norad (Cisco), Bag of Holding, Defect Dojo, Scumblr
Testing Tools - FuzzAPI, JJEncode, OWASP WTE, Arachni, vuls, lynis, nikto, serverspec, sslyze
Input Validation - Language-Theoretic Security (LangSec)
Orchestration - SlackCat, botkit
Talks that everyone should take some time to watch, some are about tools, some are just interesting / great speakers:
SPArring with the Security of Single Page Applications - Dan Kuykendall
LANGSEC 101: Taking the Theory Mainstream - Kunal Anand (or the other one)
Using language-theoretics and runtime visibility to align AppSec with DevOps - Kunal Anand
Cleaning your Applications' Dirty Laundry With Scumblr - Scott Behrens, Andrew Hoernecke
HTTPS & TLS in 2016: Security practices from the front lines - Eric Mill, Kenneth White
The Less Hacked Path - Samy Kamkar
Where bits & bytes meet flesh & blood: Devops, Cybersafety, and the internet of things - Joshua Corman (or the other one)
Continuous Security: DevOps and Ongoing Authorization - Joshua Corman
Automating API Penetration Testing using fuzzapi - Abhijeth Dugginapeddi, Srinivas Kotipalli
Appsec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program - Matt Tesauro