Global AppSec 2019 - Tel Aviv

Nancy Gariché and I (Tanya Janca), traveled to Tel Aviv, Israel to speak at Global AppSec, the international OWASP conference, which serves as the foundation's main income generating event. The conference concentrates on the topic of application security, which includes DevSecOps, white hat hacking, code review, and so much more. It was prefaced with formal training.

It is no secret that OWASP's AppSec conferences are my favorite, as OWASP is my main professional community that I participate in, so you are not likely to be surprised when I write about how great it was...

I took the training course "An Introduction to Hacking Blockchain Applications and Smart Contracts", with trainer Mick Ayzenberg. I absolutely loved the training, even though I arrived a bit late Mick made sure I was caught up over lunch on the first day. We created our own crypto currency, learned very basic solidity, learned common security vulnerabilities in blockchain (including reentrancy), participated in a custom smart contract CTF, and so much more. Mick is a fantastic teacher; patient, knowledgeable, fun and very open to feedback so that he can improve. No wonder he's so good!

During the training, and throughout the entire conference, we were provided with tasty and high-quality Israeli food: humus, breads, dates, chocolates, fruit, vegetables, cheeses, grilled meats, etc. I'm a huge fan of Israeli food, and I was not disappointed; I've rarely been so well fed at a conference. A+ on food!

Unfortunately I really wasn't feeling well for much of the conference: head colds don't care that I'm at work and doing important stuff, which resulted in me missing the entire first day of the conference as well as several social opportunities. :-/

That said; I still got to see a bunch of kick-ass talks.

Day 2 started with a keynote by Astha Singhal, the head of the AppSec team at Netflix. I happen to think Astha's a pretty awesome human, and you might want to know she's hiring for some cool positions; Security Partner and Security Software Engineer, Application Security.

I skipped the talk "How Online Dating Made Me Better At Threat Modeling" by Isaiah Sarju, but only because I had already seen it at B-Sides Vancouver. It was a great talk, if you have a chance to see a video of it I suggest checking it out. Also, even though Isaiah is a new speaker, he's great on stage; funny, thoughtful and very well spoken. I can't wait to see what his next talk will be about.

The talk I saw instead was "Defending Cloud Infrastructures with Cloud Security Suite" by Jayesh Chauhan; it was really good. His tool that he created for auditing all of the 3 major cloud providers is amazing, I can hardly believe it's free! I definitely plan to try it out. Also, he happens to be in charge of the DefCon Cloud Village, and the CFP is still open in case you were wondering. (Of course I applied!)

Right before my talk with Nancy was "Can We Automate Security?" by Sasha Rosenbaum. Sasha just started at Microsoft a month ago, and already she's on stage being awesome. I was disappointed I didn't get a chance to see her entire talk since Nancy and I were last-minute prepping, but since I work with her now I'm pretty sure she will share her slides with me that detail the inner workings of DevSecOps at Microsoft. :-D

Then came my big talk with Nancy, "DevSecOps with OWASP DevSlop". We demoed the "Patty" module of our OWASP project DevSlop, an Azure Pipelines DevSecOps pipeline, which included; SonarCloud, White Source Bolt, Azure Key Vault, Cred Scan, OWASP Zap, and more. Most of our talk was demo after demo, but we also talked about about our project, OWASP, and what DevSecOps actually is. If I do say so myself: we were great!

The last talk I got to see was "OWASP Serverless Top 10" by Tal Melamed. Tal is the leader of the OWASP Top Ten Serverless project and also someone who I have waited a long time to meet in person; it was worth the wait. We've been submitting talks together, trying to spread the word of serverless security together. If you haven't checked out his project, maybe you should?

At this point I went back to my hotel room and fell asleep for the next 18+ hours. Head colds have no mercy!

I also had the chance to connect with several people who I rarely get to see in person, and what follows are various images from the trip that were already shared publicly on Twitter, so I hope it's okay that I am sharing them here as well.

It has become a tradition for Anne Gauthier, leader of OWASP Montréal, and I to take photos with other female OWASP Leaders at each global event, I think this might be our 5th event together! Right to left: Nancy Gariché, Vandana Verma, Tanya Janca and Anne Gauthier. It should be noted that Anne Gauthier is leading a campaign to host #GlobalAppSec in Montréal, Canada in 2020. You can help her and the Montréal chapter by showing your support on social media, messaging OWASP directly or retweeting and/or liking this tweet.

Nancy and I with Shira Shamban, the chair of the speaker selection committee.

Vandana Verma and I. She travelled all the way from India! It was so wonderful to see her in person again, it had been too long. Vandana taught a penetration testing course which was offered for free to women. She's also the Bangalore OWASP Chapter Leader, active member of WIA (Women in AppSec), InfoSec Kids and InfoSec Girls leader, and WoSEC Bangalore Chapter leader. What can't this woman do?

Nancy Gariché, Dominique Righetto, and I. Dominique is one of the project leaders of the OWASP Cheat Sheets Project!

Final Photo: Astha Singhal, Anne Gauthier, Vandana Verma, Nancy Gariché and Tanya Janca

Thank you for reading, and BIG THANKS to the huge number of volunteers who worked for months to make this wonderful event possible.