I'm a big fan of the DevOps movement, and what it means for security. More cooperation plus more automated testing means more secure systems. Thankfully there were a lot of presentations that focused on how to integrate automated security testing into the continuous deployment pipeline. As the O from OWASP stands for open, mainly open source testing tools were covered, like OWASP ZAP, Arachni and the Gauntlt framework. Some tools still need quite some tweaking to be successful, but the landscape surely is promising.
Dev is running faster than Ops
I'm still under the impression that the DevOps movement is mainly led by developers. The tools that are improving faster are the ones that specifically target a website or application. Although there are a number of automated open source tools for infrastructural testing, like Seccubus or OpenVAS, the changes seem to come from the development side.
Python was the glue language of choice for a lot of operations people. Not anymore: the new go-to language is Go. More and more (DevOps) people seem to choose that nowadays. More minimalistic and faster.
Mind you, these observations are personal and not backed by any scientific measure.
Overall it was a well-balanced conference, with content for builders, breakers and defenders. It seems that OWASP is gaining more and more traction beyond the 'usual security in-crowd', which is a good thing. Learning about breaking security is one thing, but learning how to protect your assets against attackers is more important in my opinion. The more developers join the crusade for a safer Internet, the better.
A big thanks to the OWASP AppSec 2015 team for a great conference.