It’s been a couple of weeks since I got back from the AppSec conference in Amsterdam, so this conference report is a little overdue! Following on the success of sending (most of) the operations team and (some of) the development team to AppSec in Cambridge last year, iWeb graciously offered to send us further afield to learn more about application security – something that’s increasingly important to how we do business.

For people who may not be familiar, application security deals with all aspects of security which form part of the software application and development lifecycle – it doesn’t cover things like firewalls (which are network security) or intrusion detection systems (which are generally host-level security features). It recognises that the biggest threats to security come from software itself, specifically how it’s developed.

I believe that every year’s conference is larger than the year before but with 2014 being the year of the “branded vulnerability”, it felt especially vibrant this year. The biggest headline of last year, Heartbleed, was a simple bug in a piece of software that just happens to be critical to the security of over half of the web. Given that programmers are fallible, what can be done to keep the web safe? Given that software is everywhere, what can be done to keep everything safe?

Well, the good news is “more than we’re doing now”. As well as discussing the threats, the conference dealt with many practical approaches to managing the software-development life-cycle, automating testing and catching bugs before they enter production or can be exploited by “bad actors”.

The talks were nominally “builder”, “breaker” and “defender” oriented, but this year had been explicitly split up by target audience: “operations”, “management” (well, CISO), “hackers” and “developers”. I thought this worked really well – when a title or abstract was too vague about the level it was pitched at, we could figure out who should go to which talks, just based on the room it was in.

The conference was overwhelmingly male. Definitely the least diverse conference I’ve been to, but there was a Women in AppSec session and it looks like the organisers had made efforts to make the conference more welcoming to female attendees.

Rounding out some other important points about the trip, before doing a blow-by-blow of the talks that I found most interesting:

  • The venue (RAI Amsterdam) was great. We were constantly plied with pastries, coffee, juice and water. It was clean and easy to find, and all of the lecture theatres had great facilities.
  • The vendor areas were on-topic for the event and generally interesting. They were also kept separate from the food area, though they weren’t out of the way, either. There was a prize-draw for people who visited every vendor and got their “conference passport” stamped, but otherwise the sales were low-pressure.
  • There were some great retro games, lock-picking demonstrations and a pair of on-site masseuses. I took advantage of two of these three things.

Thursday Morning

We opened with application security super-star Troy Hunt talking about 50 Shades of AppSec. This was a keynote and a packed house; it was an incredibly slick talk and covered a large range of current topics in application security, with appropriate funny bits thrown in. Favourite bit: bad “best practices” recommending the use of Base64 to encrypt credit card numbers.

The next one that I went to was Johnathan Kuskos and Matt Johansen’s “Top Web Hacks of 2014” – there wasn’t too much that was new in this list, after all it was the year that brought us Heartbleed and Misfortune Cookie, but again, the presentation was great and it set the stage for the rest of the conference.

Several later talks would presume knowledge of these notorious attacks, so it would be a good refresher. Best bit: an explanation of how Misfortune Cookie works. It’s nerdy, but it should never have been allowed out there, and now it’s in hundreds of thousands of devices.

Matt Tesauro’s “Taking DevOps practices into your AppSec Life” was the first talk that I attended this year to press home how automation, continuous integration and the concept of a “pipeline” are critical to modern appsec – the approach of testing things after they are done is no longer tenable.

Yossi Daya’s “Rise of the Machines” gave us a run-down of what bots are doing on the web. His position as a Senior Researcher at Akamai’s cloud security unit gives him access to a large corpus of data. He showed some of the techniques that he uses to identify bot traffic, to classify different bot behaviour, and presented different ideas on how to “deal with” bots.

What I personally found interesting was that he didn’t advocate blocking bots at any point – many of these are a legitimate part of the Internet landscape, and if they were malicious, blocking them outright may lead to more advanced attacks. If you must react, then slowing them down and deprioritising them over humans was the recommended approach. At this point we stopped for lunch, and for an excited discussion about directed graphs and how we could profile iWeb’s data (we collect a lot) and use it to identify bots and “bad actors”.
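An added illustration of the “slow down and deprioritise, don’t block” approach described above (not code from the talk or from iWeb): a scheduler that serves human-looking requests ahead of suspected bots and delays bot responses, without dropping any. The `bot_score` field, the thresholds and the sample requests are assumptions constructed for the example.

```python
from collections import deque
from dataclasses import dataclass

# Assumed tuning values; pick real ones from your own traffic data.
SUSPECT_SCORE = 0.5   # at or above this score a client is treated as a likely bot
MAX_DELAY_MS = 2000   # ceiling on the artificial delay added to a bot response
HUMAN_WEIGHT = 3      # human requests served for every one bot request

@dataclass(frozen=True)
class Request:
    client: str
    path: str
    bot_score: float  # hypothetical classifier output: 0.0 human-like, 1.0 automated

def delay_ms(req):
    """No delay for humans; delay grows linearly with score for suspected bots."""
    if req.bot_score < SUSPECT_SCORE:
        return 0
    span = (req.bot_score - SUSPECT_SCORE) / (1.0 - SUSPECT_SCORE)
    return int(round(span * MAX_DELAY_MS))

def schedule(requests):
    """Return [(request, delay_ms)] in service order. Nothing is dropped."""
    humans = deque(r for r in requests if r.bot_score < SUSPECT_SCORE)
    bots = deque(r for r in requests if r.bot_score >= SUSPECT_SCORE)
    order = []
    while humans or bots:
        # Humans go first, but the weighting guarantees bots are never starved.
        for _ in range(HUMAN_WEIGHT):
            if humans:
                order.append((humans.popleft(), 0))
        if bots:
            req = bots.popleft()
            order.append((req, delay_ms(req)))
    return order

# Constructed sample traffic, in arrival order.
SAMPLE = [
    Request("crawler-a", "/products", 0.9),
    Request("alice", "/basket", 0.1),
    Request("scraper-b", "/products?page=2", 1.0),
    Request("bob", "/checkout", 0.2),
    Request("carol", "/", 0.05),
    Request("dave", "/search", 0.3),
    Request("crawler-a", "/products?page=3", 0.75),
]

if __name__ == "__main__":
    for req, wait in schedule(SAMPLE):
        print(f"{req.client:10} {req.path:18} delay={wait}ms")
```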

Thursday Afternoon

The afternoon keynote was Frank Breedijk’s talk “Red Team, Blue Team or White Cell?”. This was a much higher-level talk, the first of a few calls to arms for people to rally around this topic. It was addressing long-time security professionals and stating that the old way of dealing with security – where red teams come in, find an exploit and declare an application “insecure” and a cycle of building, breaking and repairing goes on – isn’t going to work any more.

It’s not just about preventing a breach from happening: breaches will happen, the odds are totally in favour of them. The focus should turn to detecting them, containing them and minimising the fallout from the inevitable.

After this, the first session of Lightning Talks could practically be considered a break. The leaders of OWASP projects (there are a lot of OWASP projects) gave 10-minute talks on what they have been working on – either an introduction to what their project covers, or a status update on what’s happened with it lately. I was particularly interested in the Application Security Verification Standard and the OWASP Testing Guide. They both seem like good frameworks for testing your application and development processes, rather than just saying “the following things are bad”, like the OWASP Top Ten does.

I skipped the next round of session talks. With the entire operations team out of the country (and a chunk of the developers), we checked in with the office and caught up with things that needed to be dealt with that day.

The last talk of the day, and talk of the conference for me, was Josh Corman’s talk on “Continuous Acceleration”. The title doesn’t do the talk justice. The abstract calls out Software Development for not learning from the supply chain quality controls that physical industries have – we’re making our own version of some very old mistakes. One of the major risks he identified (and he wasn’t the only one) was trust in third party software. The number of libraries required to build a modern web application is ballooning. A typical Rails or Django application will have dozens of dependencies in its gem or requirements files, and those things will have their own dependencies, and no one is really checking that all of this software that we’re building everything on top of is actually that good.

The other big part of his talk, which introduces “I am the Cavalry” and the “Rugged Software Manifesto”, is a proper, civic-minded wake-up call to developers: software is in everything. Phones, televisions, tablets. Fair enough. But also: X-Ray machines, car safety systems, aeroplane avionics, insulin pumps.

The risks of bad software are increasing, while the volume of bad software is also increasing. It’s up to software developers as a semi-professional class to stand up and stop this happening.

Reeling from that, and half ready to charge into the streets and fix software, while also being half ready to hide in a cave until society collapses, we got changed and got ready for our boat trip through Amsterdam’s canals to Science Centre Nemo.

As we learned, the canals are a UNESCO protected world heritage site, and the number of (incredibly, incredibly expensive) house-boats is limited to stop them ruining the traditional beauty. It wasn’t all positive spin though, as our guide explained how endemic bike theft is in Amsterdam, and where you can go to buy stolen bikes for a few Euro from some drug addicts. Useful information, maybe next time!

We got to Nemo in the first of a half-dozen boats. This was great (we had the run of the bar before the white beer ran out) but also bad (we had the longest wait for food). We took to exploring the science museum, three of us getting locked into a manual elevator, requiring I-don’t-know how many turns from us until we got to the top and were unlocked.

The food and music were great and, despite some Twitter fun with the Staffs Web Meetup, we carried on discussing how application security could fit better into our Magento workflow at iWeb for a couple of hours before the big demonstration:

Then it was just a quick walk back through the city to our hotel to grab some rest before a similarly full day on Friday!