OWASP @ RSA
Friday, May 5, 2023
OWASP was invited to RSA this year and given both a table in the exhibitor hall and a whole morning track upstairs from the hall. Several board members made the trip out and we manned the booth and presented there.
The booth in the exhibitor hall was not huge and, in traditional OWASP style, it was not ostentatious. However, it did have loads of OWASP-branded swag that turned out to be very popular with the attendees. We had over 1,000 conversations at RSA this year and (almost) everyone knew who we were,[1] and they were all very happy to see us.
Monday afternoon Harold got the OWASP booth (actually more like a basic table and banner deal) set up and the badge scanners sorted. On Tuesday Vandana, Matt and I took turns keeping the booth staffed, with Harold definitely pulling the lion’s share of the booth time. As I said before, we had over a thousand conversations (where we actually scanned the badges, something we didn’t always remember to do, unfortunately) and most of those were super positive and very supportive. Some of them were about folks considering membership and I hope that they followed through on that. Next year we definitely need to be able to allow folks to sign up at the booth.
Wednesday morning was the OWASP track, and it was upstairs from the vendor hall in Moscone South. This was important because it actually meant that you didn’t have to have a full conference pass to join us. It did, unfortunately, mean that poor Harold was stuck on the booth by himself for a large portion of the day. Before the morning kicked off I did manage to have a discussion with Sebastien Deleersnyder (Seba, the OWASP SAMM Lead) about the project and their plans - it’s going to be fantastic, and I can’t wait, to be honest!
The agenda for the rest of the morning looked a little like this:
| Time | Session |
|---|---|
| 8:30 AM - 8:45 AM | Welcome and Introduction to OWASP |
| 8:45 AM - 9:30 AM | Running an AppSec Pipeline with Open Source Tools: OWASP Guide |
| 9:30 AM - 10:30 AM | The Future of OWASP |
| 10:30 AM - 11:00 AM | |
| 11:00 AM - 11:45 AM | DevSecOps Realized. Reduce Pain. Gain Sanity. |
| 11:45 AM - 12:00 PM | RUBFG: OWASP Tools for the Colour Wheel of AppSec |
Each of the presentations shared has been linked above, as there were lots of requests for them. Feel free to use the presentations yourselves; that’s why they were created. Unfortunately, our track did not have recordings, so you’ll just have to imagine how great the presentations were.
Matt’s talk focused on OWASP Defect Dojo and on how you should have a pipeline for the AppSec process within your organisation, one that takes results from tools and allows you to triage and dedupe them before handing them over to developers thereby ensuring that they have the highest quality results possible in the best possible way. Preferably in as automated a fashion as possible, of course. I’m sure he drew plenty of new converts to Dojo, and he got loads of great questions afterwards! Vandana took a more holistic approach and plotted out a number of OWASP tools everyone should consider including in their pipelines, and she walked folks through the AppSec Framework from requirements gathering through to knowledge management. My own presentation closed out the day by highlighting the importance of getting developers involved in appsec by blatantly borrowing from Roald Dahl’s stories while plugging a number of OWASP tools along the way.
There was actually a surprisingly good turnout, with folks not seeming to mind the very early start to the day, and even though we competed against some excellent keynotes and lunch towards the end, we had a pretty decent turnout right through.
The panel discussion “The Future of OWASP” was probably the highlight of the session, however, with Jeff Williams (former OWASP Chair and Contrast Security Co-Founder) and Larry Maccherone (the Comcast Lean and Agile impact guy, currently with Contrast doing DevSecOps transformation) joining Vandana, Matt and me on stage to talk about the topic that’s been on everyone’s minds. The discussion pulled in questions and comments from the audience and was very enlightening, underlining some of the discussions I have been having with community and project leaders at OWASP. As much as I can remember and have been able to take away from this discussion will end up in the planning and strategy discussion the board are having.
The rest of Wednesday (for me) was spent representing OWASP at the National Cybersecurity Alliance’s luncheon and CREST International’s dinner. I missed lunch, unfortunately, but managed to arrive well in time for the announcement of Kubikle (a parody highlighting the business nature of cybercrime to create awareness) and the discussions hosted by the NCA with a number of US government agencies primarily discussing the US Cybersecurity Strategy. It was a very interesting discussion especially as they touched on the effects that the strategy will have on the FLOSS (Free/Libre & Open Source Software) communities. I did manage to make dinner, and that was a good thing too as Tom Brennan (CREST USA’s ED and former OWASP board member) pulled out all the stops and ensured that dinner was both enjoyable and allowed a lot of the organisations that CREST works with (like OWASP) to meet each other and find common purposes.
Thursday was the final day at RSA and we all spent a fair amount of that time at the OWASP booth. I did manage to have one meeting with Brian Reed (NowSecure’s CMO and huge MASVS fan) that I hope will lead to more good things in the very near future. But all too soon it was time to pack up the booth (we managed to give away all the swag at that point) and to head out to the airport.
[1] There was one person who didn’t, but he worked AV and was trolling the vendor hall looking for swag. He did leave enlightened however (and with a beach-ball for his kids)!