We were all up sensibly early for the trek over to the conference centre. I didn’t mention it on the first day, but negotiating the route from the hotel to the conference centre meant crossing a road/tram/bike lane junction-thing where it wasn’t clear where it was safe to stand and your best bet is to get across as fast as possible and hope nothing hits you. Like Dutch Frogger.

Friday Morning

More fruit, coffee and juice were had before the first talk, given by Colonel Hans Folmer, CO of NLD Defence Cyber Command.

I have to say, this was one of the less enjoyable talks for me, more so because it was a keynote and I think those should generally be of a higher standard than even regular conference slots. The discussion was very high level and pretty slow moving for an infosec-literate crowd and, because the Colonel had suggested it was okay to ask questions at any time, it was derailed by some … bizarrely off topic questions asked from the audience.

There was a system of red and green cards you could leave in a box by the door, as a way of voting to have more or less of those kinds of talks in the future, and there were a lot of red cards in the box.

Next, I went to Rory McCunes ‘Security and “Modern” Software Deployment’, which I enjoyed. The main gist was that modern software development (and deployment) builds on dozens of libraries, often sourced from untrusted or semi-trusted repositories, and the security of any application depends (a) on what it depends and (b) on how those dependencies are fulfilled.

That is, there’s twin threats: you may be depending on software which does things you don’t expect, and may have backdoors included by the author and if you’re not verifying that the software that you’re getting is the software that you’re expecting, you may be deploying code which isn’t even by that original author.

Traditional DNS hijacking and insecure HTTP man-in-the-middle attacks were mentioned, but also the surprisingly simple attack of just writing a library with a similar name to a different, more popular, one and hoping people accidentally install you vulnerable one instead.

Even though I took it for granted, he also spelled out that packages on these repositories go through absolutely no quality checks: just because something is on PyPI or RubyGems is no signifier of quality all. In PHP-land, 80 new packages per day are added to composer, with absolutely no checks as to their quality.

Scary stuff.

(More Coffee)

After coffee, all of us went to Christian Schneider’s “Security DevOps” talk – there were some good references to automated tools and a maturity model for “SecDevOps”. Aside from the tool tips, the maturity model part of the talk was actually really interesting – having gone to last year’s AppSec in Cambridge, we walked away excited by the things that we’d learned, but finding it hard to fit a lot of what we learned into our projects: How much security is enough when you know that any flaw could lead to a total compromise?

Well Christian’s talk introduced levels, similar to the levels of SAQs that you might fill in during a PCI audit, starting with basic, untrained automated tests and progressing through to specific automated tests and penetration testing.

It was a great way to see that you could do something without worrying about doing everything – you simply say “this is red belt-level” – better than nothing while clearly explaining the limitations of the approach. This seems like a good way of communicating to management that just because you’ve done some security work, does not mean that every avenue is accounted for.

Sadly, work kind of crept in after this talk. I missed the next speaking slot, but did get to grab some lunch. This is the downside of sending the whole operations team to a conference: sometimes you need to miss things to react to events back at the office.

This work carried on through some of Steve Lord’s “Securing the Internet of Things” talk, which is a pity: the parts I did catch were humorous (in a very British way) and completely on track with so much of my thinking about who should own data and what we should be allowed to do with devices that we’ve purchased (spoiler: we should own our own data, and do what we want with our own things).

He also repeated the above advice, one of my favourite mantra’s for limiting the damage of a breach: if you consider that a breach will probably happen at some point, you don’t want to have to explain to your users that you’ve been keeping a whole load of surplus sensitive data that you didn’t need and that it’s now effectively been made public.

I’d love a code of conduct for websites and services that I’ve signed up for to cover how long they will keep my data or even my account, after it’s been inactive. There’s nothing worse than hearing about a break-in in the news, and finding out you had long-dormant account on that service that was affected. (See: Adobe, SourceForge).

The next talk I caught was Thibault Koechlin’s talk on Naxsi – a web application firewall developed at NBS Systems (who are also the authors of the popular Nitrogento Magento caching plugin). Naxsi is interesting because the use-case is securing third-party applications that you don’t control.

NBS Systems are a large hosting provider and host thousands of Magento, WordPress and Joomla installs. They can’t necessarily patch everyone’s installations, or make changes to those customer applications, but they still want to provide a basic level of security to their customers.

His way of explaining the situation that they are in was … graphic:


It uses a statistical approach to classifying traffic as probably-good or probably-bad rather than large lists of rules which need to updated with the latest signatures. This is fundamentally different approach than things like mod_security, and Thibault did a great job explaining why, for his employer’s particular use-case, these were the trade-offs that they needed to make.

I particularly liked that the questions after the talk were of the “but how can it protect against *this* kind of attack” variety – to which his responses were pretty clear: it doesn’t. If you have *that* problem, you’ll need a different product.

The very final talk before closing was by Brenno De Winter, Journalist of the Year in 2011. He has made news in the Netherlands by showing (sometimes glaring) problems with how security works in practice in everyday systems.

This includes gaining entrance to several Dutch and European government buildings with fake (clearly fake) ID and riding the trams for free by exploiting the fact that the travel cards are the source of truth for if you can ride, and not a central database.

As someone who has based part of his career on showing that humans are often the weak part of any security solution, he went on to explain how increasingly software is becoming the weakest link, a course he believes we strongly need to reverse.

The closing was succinct, sponsors were thanked and prizes were drawn. None of us won anything, but a bit of light entertainment was provided by the fact that the person from the HP booth (who had the prize) had left without drawing a winner. Her partner was left apologetic on the stage until she came back and they were able to make the drawing, a few minutes later.

We high-tailed it to the nearest train station (which was really near, actually), where we crammed onto a train where other AppSec attendees were easily spotted because they had blue foam rockets poking out of their pockets and luggage.

We got to Schiphol with plenty of time to spare, which was handy, because our flight spent the next couple of hours being slowly delayed further and further. Everyone went hunting for Miffy’s and tulips to bring home to their partners and children, when Darren mentioned “I think that’s Keith Vaz, over there.”


It was! He was disappointed that I didn’t have a Selfie Stick, and had to take the photo the old-fashioned way. Hours passed. Neil tried to entertain us:

Who would have known that he’s an accomplished yo-yo trickster?

The plane eventually taxied over to our gate, was turned around quickly and we were back in BHX with the minimum of fuss. It was a really, really useful experience and I would gladly go to Amsterdam and to AppSec EU again, if I have the chance.