AppSecDay reflections
Last week, I had the opportunity to attend the awesome AppSecDay. It was such an incredible event where I could present a little of what I know about AppSec and watch many other great talks too. I was so glad to see developers with different levels of security expertise to showing up to improve their security skills. Great shout out to all AppSec organisers!
It was a very inspiring event that made me reflect on many things regarding AppSec and security in general. I didn’t know what kinda of public would attend AppSecDay. In my mind it would be an event attended mostly by security professionals. I was very surprised to see that around 60% in the audience were developers like me!
There were some great talks at the event and I managed to watch a few of them. All of them were recorded, I believe, and will be made available at some point. In this blogspot I want to talk what AppSecDay (and the great talks I’ve watched) made me reflect upon.
AppSec is confusing
DAST, SAST, RAST…so confusing
AppSec, as mentioned by Matt Jones in his brilliant talk, is a very confusing field at the moment. Tooling seems to be such an important topic. DAST, SAST, RAST and so many other acronyms. Matt made a joke about vendors being almost as bad as attackers in this industry. That’s so true! I couldn’t stop laughing! It is very easy to get lost with all those tools and acronyms being thrown out at us and we lose sight of what is important. Build secure products. That is (or should be!) the end goal for any Software/Security engineer.
Tooling is not the goal
Besides confusing, AppSec is also very hard. The balance to get products shipped constantly while having proper security controls is very hard to find. It varies from company to company and the only way to get it right is to work closely with developers. As partners. Treating security as a first class citizen.
This is collaboration right there!
We need to bring security to developers and get them closer to security. We can’t do that by throwing tools at their pipelines like there is no tomorrow. Tooling without proper context and understanding is pointless. Lack of tooling is not the problem most companies face. Collaboration is. Tooling is not going to save your people problem. If security and development teams are working in collaboration, they will find the right tooling, process and whatever else they need. If there is no collaboration, nothing else will work. Tooling or not tooling.
We need more developers in AppSec!
Traditionally, security has always worked in a silo. From a distant place they delivered reports, requirements and blocked features as they seen fit. That clearly did not work at that time and it will not work now. We need to do better than that.
We will only get AppSec right when security gets to understand developers and vice-versa. While I see many security people embracing Agile and DevSecOps I don’t see as many developers. Security is only one part of the equation. We still miss the other part of it. The part who understands SDLC to the heart. The part who is obsessed by delivering value early and often. The part who knows that build applications is much harder than break them. The development part.
Events like AppSecDay are super important to get developers onboard. But we also need to be mindful that we need to talk their language. Metasploit, WAF and whatever tooling is hot at the moment is of little importance on the big picture. Education, security awareness and understanding attack vectors are much more important. At least at the beginning of a security journey. Without a proper base of knowledge and understanding there is no tool who will ever do any good.
I definitely will be attending AppSecDay next year, as well as, submitting other talks. However, next year I will submit talks for developers. From one developer to another.