Congrats to OWASP, who just put on a great event in Santa Monica last week! This seventh year of all things AppSec saw more sponsors than ever before. And there were lots of smart conversations happening around a slew of AppSec topics, such as the potential issues of AI and machine learning. Think facial recognition, consumer IoT devices and emerging privacy standards like CCPA and GDPR. Another prevalent topic—how OWASP can help in the context of privacy (such as secure coding standards). And so much more.
As representatives of ZeroNorth, we were pumped to be part of this event and are pleased to report that it didn’t disappoint. For those who couldn’t make it, we want to share some of the great insight, advice and anecdotes we heard in the sessions we attended.
Keynote by the First CISO of Atlanta
Taiye Lambo talked about his first 100 days in his role as Atlanta’s first-ever CISO. For those of you who don’t already know, Atlanta is home to the world’s busiest airport, Hartsfield-Jackson. But did you also know that 70% of the world’s payment processing goes through Atlanta? It’s a big, bustling and important city.
As a new CISO in public government, Lambo worked to align cybersecurity with the mayor’s vision and top strategies for the city. For example, with public safety a key priority, it was important to consider how a data breach would affect the city’s 500,000 residents. One of his first actions, which is good advice for any new security leader coming into an organization, was to execute a security maturity assessment to identify the highest areas of probable risk.
Lambo told one interesting anecdote that offers an important moral. In any organization, whether in the private or public sector, you have to work with people who aren’t fluent in cybersecurity. He discovered that when you work for a city, people are very focused on things like potholes. So, he started using the term “pothole” when discussing security issues to make his points resonate. That’s a great tip we can all benefit from in any sector, even outside the security realm.
Purple is the New Black
Tanya Janca, security consultant at SheHacksPurple.dev and co-founder of the international women’s organization WoSec, gave a talk on modern approaches to application security. The title refers to the need to address both offensive (red team) and defensive (blue team) approaches, which means a purple team that has the right mindset and the right tools.
First, the mindset. Modern applications require modern security approaches, which start with zero trust. But zero trust doesn’t stop at the application level; you can’t even trust all the individual components of an application. Each must be analyzed individually for security. Of course, the software supply chain is critical, because if you include an insecure third-party component in an application, the entire application is insecure. And, in only-the-paranoid-survive fashion, she says you must design with the assumption that a breach will occur.
On the tools front, Janca advocates using multiple scanning tools, since each uses its own vulnerability rating scheme, among other differences. She also recommends scanning throughout the entire CI/CD process, noting that adding security solutions to your DevOps pipeline is both a new tooling and tactical area for security teams. (If you’re wondering how you will manage all these tools, ZeroNorth can help.)
An Opinionated Guide to Scaling Your Company’s Security
Clint Gibler, Research Director at NCC Group, created a guide he distilled from research, talks and discussions with security engineers. Here are some of his best pearls of wisdom for taking your security program to the next level:
- Automate as much as possible. Security is perennially resource- and time-constrained, so automation is critical to enable you to scale.
- If you’re on a security team, you need to treat developers as your customers. You need to think about how security fits into their existing tools and workflows.
- All vulnerabilities should be managed through a single, centralized system. (ZeroNorth can help here, too.)
- Continuous scanning is important—and scans should be fast and provide feedback in the systems that developers use. Two other important things in this area: capturing metrics and having logic for deduplicating issues.
- You must have an inventory of assets—code, servers, etc.—and you need to understand how they connect to each other. You should aim to track code from end to end, that is, from repository through QA/staging to production.
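To make the last two points concrete (Janca’s note that every scanner rates vulnerabilities on its own scheme, and Gibler’s call for a single centralized system with deduplication logic), here is an added illustration in Python. It is not code from either talk or from ZeroNorth; the two scanner feeds, the rule aliases and the severity mappings are constructed for the example.

```python
"""Fold findings from two scanners with different severity schemes into one
schema, then deduplicate them. Added illustration with constructed data."""
from dataclasses import dataclass

# Constructed sample findings, not output from any real scanner.
SCANNER_A = [  # reports numeric CVSS-style scores
    {"rule": "sql-injection", "file": "app/db.py", "line": 42, "score": 9.1},
    {"rule": "weak-hash", "file": "app/auth.py", "line": 10, "score": 5.3},
]
SCANNER_B = [  # reports named severity buckets and its own rule names
    {"check": "SQLi", "path": "app/db.py", "line": 42, "level": "high"},
    {"check": "XSS", "path": "app/views.py", "line": 7, "level": "medium"},
]

# Assumed mappings onto one internal scale (1 = low .. 4 = critical).
RULE_ALIASES = {"SQLi": "sql-injection", "XSS": "xss"}
LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def score_to_level(score: float) -> int:
    """CVSS v3 qualitative bands mapped onto the internal scale."""
    if score >= 9.0:
        return 4
    if score >= 7.0:
        return 3
    if score >= 4.0:
        return 2
    return 1

@dataclass(frozen=True)
class Finding:
    rule: str
    file: str
    line: int
    severity: int   # highest severity any scanner assigned
    sources: tuple  # which scanners reported it

def normalize(scanner_a, scanner_b):
    """Merge both feeds; dedupe on (rule, file, line), keep the max severity."""
    rows = [((f["rule"], f["file"], f["line"]), score_to_level(f["score"]), "A")
            for f in scanner_a]
    rows += [((RULE_ALIASES.get(f["check"], f["check"]), f["path"], f["line"]),
              LEVELS[f["level"].lower()], "B") for f in scanner_b]
    merged = {}
    for key, sev, src in rows:
        old = merged.get(key)
        if old is None:
            merged[key] = Finding(*key, sev, (src,))
        else:  # same issue seen again: keep the higher rating, record both sources
            merged[key] = Finding(*key, max(old.severity, sev), old.sources + (src,))
    return sorted(merged.values(), key=lambda f: f.severity, reverse=True)
```

The SQL injection reported by both tools collapses into one finding that records both sources, which is the deduplication step a centralized system needs before metrics on it mean anything.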
Meanwhile, Back at the Booth…
We loved connecting with the many AppSec professionals who stopped by the ZeroNorth booth to see how our risk-based vulnerability orchestration platform can help them secure their applications and infrastructure in this age of digital transformation. And we look forward to continuing those conversations. If you didn’t get a chance to talk to us at the show, or if you weren’t able to attend, hit us up to schedule a discussion soon!