Last week we were fortunate enough to be a sponsor of the AppSec California conference (@AppSecCali) in Santa Monica, literally down the road from Prevoty HQ. First off, congrats to all the organizers and volunteers who put in a lot of work to make it a truly exceptional event.
After speaking to many delegates and other sponsors at the conference, I came to one simple but overwhelming conclusion: enterprise application security is set to truly break out in 2015.
The event was sold out and the crowd was no longer just the industry insiders and pen testers that make up the local OWASP chapter faithful. This year, there was significant representation from Fortune 500 security teams and, despite the fact that this was targeted as a California event, I met many people from across the country as well as from Korea, Japan and Australia. In fact, many delegates were attending an appsec conference for the very first time, and a number of companies were there simply looking to recruit appsec specialists. Always a good sign of growth!
Of course, content is king and there were some terrific sessions. My favorites were some of the keynotes:
Alex Stamos (@alexstamos), VP of Information Security at Yahoo!, gave the opening keynote and, as an opening keynote is supposed to do, really set the tone for the entire event. One of his main messages was that network-based security simply cannot keep up with the requirements for modern application security, from both performance and efficacy standpoints.
Charlie Miller (@0xcharlie) from Twitter was his usual entertaining self, outlining the ongoing battle between security engineers and the bad guys. He articulately berated the security community and our friends in the media for the terrible job we all do of promoting the real threats to the public. Apparently there is more mileage in a good “stunt hacking” story than in covering the actual threats and consequences that people are facing.
For me personally, the most educational session was by Katie Moussouris (@k8em0), Chief Policy Officer at HackerOne, on Security Development Lifecycles (SDLs) and bug bounty programs. Katie also advocated for the audience to reach out to their members of Congress to push for a carve-out for security research in the Computer Fraud and Abuse Act (CFAA) update being proposed by President Obama. Hear, hear! If you’ve never heard Katie speak before, I highly recommend checking out her schedule and finding a way to attend one of her sessions. She was awesome.
The only bad news from the conference is that, with the dramatic increase in interest in appsec, I cannot see any way we will be able to squeeze all the delegates into the same amazing location for next year’s event…