Innovation in application security is no longer viewed as a trend, but as a necessity, one that companies can't overlook. To better understand leading application security technologies, experts in security, DevOps and cloud gathered at the OWASP Global AppSec conference in Tel Aviv in May 2019. Among the attendees was Marc Walzer, Sherpany's Security and Data Protection Officer. Read the short interview to learn which main security-related topics were discussed and why they were relevant to today's cyber security industry.
Sherpany: What was the OWASP Global AppSec conference about?
Marc: Founded in 2001, the Open Web Application Security Project (OWASP) is today one of the biggest and most influential foundations in the information security industry. It's known for its flagship project, the "OWASP Top Ten" that outlines the ten most critical web application security risks. The foundation also organises the Global AppSec conferences with speakers, sponsors and participants attending from all over the world. This edition of the OWASP Global AppSec conference in Tel Aviv had as the main theme the "Community of Innovation", which was a good fit with the cutting-edge cyber security industry of Israel.
Sherpany: Which were the main security-related topics discussed?
Marc: Except for the keynote speeches, there were six tracks at the event: Breaker, Builder, DevOps, Layer 8, Risk Management and Innovation. The most difficult part was having to decide which sessions to attend since there were three sessions running in parallel at all times. In the end, I opted for a balanced mix between web- and mobile-security, as well as DevSecOps sessions, which are relevant for Sherpany.
One of the sessions that caught my attention was "What do you mean threat model EVERY story?" by Izar Tarandach, lead product security architect at Autodesk. Threat modeling is a process by which potential threats, such as structural vulnerabilities, can be identified, enumerated and prioritised, all from a hypothetical attacker’s point of view. The purpose of threat modeling is to provide defenders with a systematic analysis of the probable attacker’s profile, the most likely attack vectors, and the assets most desired by an attacker. With evaluations based on user stories, Mr. Tarandach proposed an interesting approach to integrate it in an agile development process. In my view, this is an elegant way of pushing security left within the short release cycles of the agile development world.
Sherpany: What was the highlight of the conference?
Marc: Meeting new people from various organisations across different industries and discussing common challenges. In the end, these networking moments resulted in different perspectives on similar problems, which led to sharing and exchanging valuable insights.
Sherpany: Why is it important for Sherpany to keep up with leading application security technologies?
Marc: Our customers entrust us with sensitive data. Thus, security is one of our core competencies. To maintain our leverage and competence in providing high levels of security, we need to keep ourselves up-to-date to make informed decisions and challenge our capabilities to do better. In addition, it is very important to exchange know-how with your peers.
In general, as a professional, I think it's important to regularly exchange know-how with your peers. I enjoy learning new things from industry leaders and getting to know people who have to overcome the same or similar challenges. In the security awareness trainings I manage at Sherpany, I advocate that being vigilant, working together and communicating well enables us to be effective in defending ourselves against various categories of attacks. I truly believe that, and I also see great value in collaborations over organisational borders. Why not learn from the mistakes and experiences of others?