The Roundup: AppSec

MC: Bill Sempf
Topic: AppSec
Price: $0 (Free to Attendees)
Date: January 21, 2021
Time: Noon to 6PM EST

Applications are the front line for attackers. The perimeter fence around the herd keeps stretching as more contractors and outsiders work in your code, as external libraries pile up, and as IoT and BYOD (“bring your own device”) spread. These days the applications, be they web, mobile, or service endpoints, are the first place attackers look for a leg up.

This means developers are the front line. They need to know how to find security flaws, fix them, and avoid coding them into the system in the first place. Securing applications requires a broad set of skills. We call it AppSec, short for Application Security. It’s complicated, hard to check, hard to fix, and hard to prevent, but we didn’t get into this field to fix easy problems. Let’s fix the hard ones.

Join Bill Sempf for this January’s Roundup event.

Pieter Danhieux, CEO of Secure Code Warrior

Pieter Danhieux is a globally recognized security expert, with over 12 years’ experience as a security consultant and 8 years as a Principal Instructor for SANS, teaching offensive techniques for targeting and assessing organizations, systems and individuals for security weaknesses. In 2016 he was recognized as one of the Coolest Tech people in Australia (Business Insider) and awarded Cyber Security Professional of the Year (AISA – Australian Information Security Association). He holds the GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT and GCIA certifications.

Simon Bennetts, Distinguished Engineer at StackHawk

Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Project Leader and a Distinguished Engineer at StackHawk, a company that uses ZAP to help users fix application security bugs before they hit production. He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac. Prior to making the move into security he was a developer for 25 years and strongly believes that you cannot build secure web applications without knowing how to attack them.

Mike Woolard, Risk and Compliance Manager

Mike is a risk and compliance manager who has worked in the IT field for 15+ years. He has a broad background spanning helpdesk, sysadmin, system engineering, networking, DB and development work. Most of Mike’s work over the last 8 years has centered on ISO compliance, application testing, and risk assessments, but awareness training will always be an integral part of it. Mike is an active member of various local NEO security groups, including NEOISF, OWASP, InfraGard and the Information Security Summit.

Jamie Dicken, Manager, Applied Security at Cardinal Health

Jamie Dicken is the manager of Applied Security at Cardinal Health, leading a team focused on Continuous Security Validation and Security Chaos Engineering. Formerly a software engineer and technical manager at two Fortune 15 healthcare companies, Jamie focused on designing, building, and delivering new features to the market. She now focuses on protecting systems like the ones she used to build.

Her professional passions include leading high-performing teams, executing on high-profile strategic initiatives, championing employee growth and development, and mentoring women in technology. At Cardinal Health, she is a steering committee member of both Women in Technology (WIT) and RISE, the IT emerging leadership development program. In the community, she also serves as a member of the International Consortium of Minority Cybersecurity Professionals (ICMCP) and ISSA.

Outside of work, Jamie has lots of adventures with her two mischievous little boys and amazingly supportive husband Chris. She enjoys spending time outdoors and experimenting with her hobbies of cooking and sewing.

Kevin Johnson, CEO at Secure Ideas

Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises, and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is a faculty member at IANS and was an instructor and author for the SANS Institute.


Sebastian Boutin Blomfield, Developer at InfoSec Innovations

Sebastian Boutin Blomfield is a game and web developer who loves to learn about different technologies and try out new ideas. Outside of work he plays in two bands and dabbles in audio engineering when he isn’t playing videogames.


Mick Douglas, Managing Partner at InfoSec Innovations

Mick Douglas is the Managing Partner of InfoSec Innovations, a SANS instructor, and a member of the IANS Faculty. He likes to hack in PowerShell, Python, and do hardware hacking. In his spare time he likes to go on hikes and do photography.


Schedule: Time | Speaker | Presentation

12:00PM to 12:45PM ET | Simon Bennetts | Title: Automating OWASP ZAP

Abstract: ZAP is the world’s most frequently used web app scanner, in no small part due to its support for automation. In this talk Simon will explain the options you have for automating ZAP and the advantages and disadvantages of each. He will show how you can quickly and easily get started with ZAP automation and then tune the process so that ZAP tests your applications as effectively as possible.

1:00PM to 1:45PM ET | Sebastian Boutin Blomfield and Mick Douglas | Title: That’s Fantastic! Automation, Gamification, & Incremental Improvements

Abstract: Building, maintaining, and securing resilient networks is tough… and well beyond the skills and budgets of most orgs. But it doesn’t have to be that way! Project Fantastic is a framework which makes complex tasks much more doable. It gives the power of the command line to those who can’t or won’t allocate the time it takes to learn it. But unlike other abstraction frameworks, Fantastic does NOT hide what’s happening or, worse yet… prevent you from understanding what it’s doing. Instead, Fantastic exposes these inner workings so you can more easily extend the tool, or just directly access the CLI if and when you need it. Attendees of this talk will be introduced to Fantastic, learn how it works, how it can be enhanced, and most importantly, how you can immediately start using this tool to make your life easier.

2:00PM to 2:45PM ET | Jamie Dicken | Title: Why Developers “Don’t Care” About Security

Abstract: Security conversations with development teams don’t have to be an uphill battle. In this compelling session, we will discover the underlying challenges app teams face that cause them to seemingly dismiss security concerns, and we will collaboratively find solutions to those problems.

To us as Information Security professionals, it can certainly feel like dev teams don’t care about security. That seems clear in those moments when they proceed with a production deployment despite poor static code analysis results or when they hesitate to add a high-priority security remediation to the product roadmap. However, as a former software engineering manager, I have a different perspective. While I did sometimes postpone security endeavors or push for policy exceptions, I did care about security. The reality was that I faced extreme challenges that my InfoSec team did not see or understand.

Now as an InfoSec leader myself, I realize there is a better way. We must understand the realities in which our app teams live so we can address their core concerns that cause them to push back on us. In this session, we will learn from my experiences on both sides of the table. There are ways we can partner effectively with application teams to achieve the business’s goals and keep the company safe, and together we will learn how.

3:00PM to 3:45PM ET | Mike Woolard | Title: Automating ZAP to Deliver On Demand Application Assessment Reports

Abstract: My company has built dozens of web applications that are regularly updated and pushed through the development process. Policy calls for the workflow to include a scan of any application moving between environments. This was becoming an increasingly laborious task, so we did what we had to do: we automated it. In this talk I will walk through the various parts of the automation process, including the Python scripts, cron jobs, and database calls. I will then wrap it up with a front end PHP page that allows the most basic user to simply click a button and kick off an application scan that reports back the findings, saving teams hours of back and forth communication and headaches.

4:00PM to 4:45PM ET | Pieter Danhieux | Title: “Stop Calling My Baby Ugly!”: Why We Must Take a Different Approach with Developers for DevSecOps Success

Abstract: Imagine pouring your heart and soul into a software build, crafting a new piece of our digital world with all the features, functionality, and user experience that have made modern life so darn convenient. Your work is the envy of your peers, and the code shipped without a hitch. Excellent.

… and then, the gloomy presence of a security specialist tears it all down. They’ve found an exploitable security bug, it’s not ready to ship, and you have to fix your no-good code right away. How dare they call your baby ugly, especially after all your hard work, and despite there being so many non-security elements that were awesome.

For many developers, this is the harsh reality of their experience not just with the AppSec team, but with cybersecurity in general. “Security” has negative connotations for them, and it really isn’t a priority when feature-building must take center stage.

However, catastrophic breaches are only getting worse and more frequent, and the traditional approach of throwing endless AppSec tooling at a human problem clearly isn’t working. Developers need an olive branch from the security team, and they need it yesterday.

In this presentation, Pieter Danhieux will take a look at the current skills of 100,000 developers, revealing the current state of developer-driven security and how smart organizations can help every engineer avoid the “ugly baby” conversation for good.

5:00PM to 5:45PM ET | Kevin Johnson | Title: Daleks Performing a Jedi Mind Meld: Communicating Risk and Issues

Abstract: This presentation will explore the problems of embedding security within our applications and organizations that stem from communication issues. It will also discuss methods to help fix this important issue.