
What you missed at AppSec USA 2017

Caroline Wong

Caroline Wong is the Chief Strategy Officer at Cobalt. As CSO, Caroline leads the Security, Community, and People teams at Cobalt. She brings a proven background in communications, cybersecurity, and experience delivering global programs to the role.


Last week in Orlando I met up with seven of the world’s leading application security experts at AppSec USA 2017. This post outlines an interview with each of the following attendees:

  1. Kevin W. Wall, Wells Fargo

  2. Julia Knecht, Adobe

  3. Michael Gallagher, PayPal

  4. Derek Fisher, Cerner

  5. Lakshmi Sudheer, Adobe

  6. Brian Andrzejewski

  7. Kris Lahiri, Egnyte

Here’s what they had to say about their jobs, their favorite and least favorite things about their work, and their advice for application security enthusiasts.

Kevin W. Wall

“Develop a curiosity about everything and learn the nuts-and-bolts of how stuff works under-the-hood. That is the type of mentality that is a hacker mindset; you have to go below the surface and not take things for granted.” — Kevin W. Wall

Kevin W. Wall, Wells Fargo

What is your current role and what do you like best about it?

I perform secure code reviews both of public facing code (e.g., Internet exposed sites / applications / web services) and Android mobile code. I also perform quality assurance on the secure code review reports done by the other InfoSec engineers and serve as our team’s cryptography subject matter expert.

I work with a great group of people. They are very professional, have a passion for learning, and push me to get better. The security culture is also a refreshing change from what I had become used to earlier in my career. I no longer have to explain to development teams why XSS is a serious issue that needs to be addressed. They all already know and thank us for finding it!

What are the key takeaways from your talk at AppSec USA this year?

The key takeaway is to learn about the most common cryptography-related mistakes that I have seen in practice during my past 7 years doing security design and code reviews. I explain what they are and how to avoid them. Most of the mistakes stem from either using the wrong cryptographic primitive to solve a problem or using the correct primitive, but in the wrong way.

What would you say are your favorite and least favorite things about performing secure code reviews?

My least favorite thing would be going through all the insane number of false positives flagged by our various SAST tools every time they encounter the word ‘password’ in source code and those tools think that they have found an instance of a hard-coded password. It’s probably a false positive in 99% of those cases and the findings are so numerous that it is very tedious to vet all the findings.

My favorite thing is the manual code inspection that we perform in parallel to the SAST findings, especially looking for incorrect use of cryptography. That’s in part how I came up with my talk for AppSec USA. SAST tools are very poor at finding bad crypto. (Well, they are better than they were 4 years ago, but they still only find the basics.)

What advice would you give to developers interested in learning more about security?

Develop a curiosity about everything and learn the nuts-and-bolts of how stuff works under-the-hood. That is the type of mentality that is a hacker mindset; you have to go below the surface and not take things for granted.

Learn more than one programming language — at least one from each major paradigm (e.g., imperative, OO, functional, logic, etc.). That broad understanding will help you in more ways than you will realize.

Then study how bad guys break things and just as important, how vulnerabilities should be fixed. Breaking is sexier, I get that, but eventually, it becomes like shooting fish in a barrel. Defending is much more challenging if you are up to it.

Lastly, OWASP has a lot of good resources as well as a great community. Find something that you are interested in and join an OWASP mailing list and hang out at your local OWASP chapter meetings. And never stop learning!


Julia Knecht

“It is so important to enlist the help of the people who will be participating in the security program to make it an integral part of software development, and something that engineers will consistently take part in.” — Julia Knecht

Julia Knecht, Adobe

What is your current role at Adobe and what do you like best about it?

I am a manager of our Security and Privacy Architecture team. At Adobe, I own our Secure Product Lifecycle and Security Champions programs.

I love helping the engineering teams come up with solutions for security and making our security programs scale and run efficiently.

What are the key takeaways from your talk at AppSec USA this year?

My talk is about scaling a Secure Product Lifecycle program in a large engineering organization. The key takeaway from my talk is that technology can solve a lot of problems when scaling a security program, and allow you to run Security as a Service within an organization. At Adobe, to scale, we have Security Champions on each of our engineering teams.

It is so important to enlist the help of the people who will be participating in the security program to make it an integral part of software development, and something that engineers will consistently take part in.

What would you say are your favorite and least favorite things about running a large-scale Secure Product Lifecycle program?

One of the challenges of running our large-scale Secure Product Lifecycle is the diversity of product stack we are responsible for.

One of my favorite things is seeing the security champions take on the role of the security expert on their team and really taking on responsibility for the security of their software.

What advice would you give to junior engineers in the industry who are interested in learning more about security?

Security is a part of writing high-quality software that behaves as it is expected to, even when presented with unexpected variables. Explore some of those unexpected variables when writing software, become familiar with the OWASP Top Ten, check out free trainings with SAFECode, talk to your security team about best practices, or how they can help by being a Security Champion on your own team.


Michael Gallagher

“The best way to learn is to be hands-on. If you want to be a penetration tester, then participating in a Bug Bounty program is a great way to learn.” — Michael Gallagher

Michael Gallagher, PayPal

What is your current role at PayPal?

I am a Senior Manager, Application Security. I manage a team whose primary function is AppSec Ops at PayPal. Included in my portfolio is the application vulnerability lifecycle, Bug Bounty program, application penetration testing services, production application scanning as well as root cause analysis.

What are the key takeaways from your talk at AppSec USA this year?

First, IMO a Bug Bounty program is the most effective control for finding production application vulnerabilities. If you care about the security of your users, you need to implement a program.

Second, the research community includes white hats, black hats and everything in-between. Whether or not you have a Bug Bounty program, this community will be looking at your endpoints. The question is do you want to encourage them to submit their findings to your organization by awarding money and/or recognition or hope that they do the right thing by responsibly disclosing. Unfortunately, if money and/or recognition is the root motivation, then responsible disclosure might not be the course of action an individual takes.

Lastly, be consistent and transparent. Researchers will adjust to your scope, risk tolerance and payment range if you can apply it in a fair way (easier said than done).

What would you say is your favorite thing about bug bounty programs?

The most exciting part about managing a Bug Bounty program is seeing all of the creative submissions. The research community as a whole will come up with some unique ways of finding and exploiting vulnerabilities. I am constantly learning new approaches to finding vulnerabilities and ways of interpreting risk. I try to soak up as much knowledge as possible from researchers.

What advice would you give to junior engineers in the industry who are interested in learning more about security?

Junior engineers that want to work in the industry are very lucky, as there is opportunity everywhere. The best way to learn is to be hands-on. If you want to be a penetration tester, then participating in a Bug Bounty program is a great way to learn. The bottom line is to learn about the underlying technology. For example, if you want to be in AppSec a great place to start is by coding for a few years and then making the jump to an AppSec team.


Derek Fisher

“The trend I see is more engagement of the security expertise in our organization by the development organization. To me, this speaks to the ability of the development community to see security as a necessary part of their development practices and a willingness to bring in the needed expertise.” — Derek Fisher

Derek Fisher, Cerner

What is your current role at Cerner and what do you like best about it?

My role at Cerner is software architect and manager of the application security team. My team is focused on providing guidance to the development organization as it relates to security.

I really enjoy being able to assist others as we face many challenges in the security space. I would consider our organization mature from a security perspective, but the space is an ever evolving one and each day brings its own set of challenges. Working in this environment is fast paced, exciting and rarely boring. When I look back at the end of a day I not only have a sense of accomplishment but also the feeling that I have done some positive work.

What are the key takeaways from your talk at AppSec USA this year?

Security is hard and most of us in the security space have a good sense of what is right, but a lot of times driving that through an organization can be difficult. With the OWASP ASVS, a set of defined security statements reduces the effort of identifying what a good application security posture looks like.

The ASVS also helps us scale in large organizations. While using existing SDLC process and frameworks, the ASVS can be dropped in to provide a better long term security posture as well as raise awareness among developers and the organization as a whole.

What would you say are your favorite and least favorite things about working with developers on security initiatives?

One of my favorite things about working with developers is their attitude toward security. Many developers recognize the importance of writing secure code, but may not have the expertise or knowledge to do it. The trend I see is more engagement of the security expertise in our organization by the development organization. To me, this speaks to the ability of the development community to see security as a necessary part of their development practices and a willingness to bring in the needed expertise.

One of the more challenging parts of engaging with the development community is placing security above the deadlines and other priorities of the development community. It is also difficult to be “that guy” that is saying no, or causing a stir prior to the release of feature functions. One of our goals with the ASVS is to do more up front to address the security concerns which would potentially reduce these conflicts.

What advice would you give to junior engineers in the industry who are interested in learning more about security?

My first recommendation would be to understand your aspirations. What is your passion? What is your motivation for getting into security? Being in security can be rewarding, but there is also the toll of always looking at the negative and being suspicious about almost everything. This is part of the job description and is something that any newcomer should consider.

I would also recommend doing your homework on the security field. Security, like many other fields, has a lot of sub-topics which can be overwhelming for newcomers. Find something that you are interested in, can be passionate about and, probably most importantly, can be a champion for. Being in security is like any other career choice: you want to make sure that you will be happy with your choice five, ten, twenty years from now.


Lakshmi Sudheer

“Most important of all is developing a security mindset with any work you do. If you are on the offensive side, then think of how you could break into a particular application/product, and if you are on the defensive side, again think of how many ways an attacker can break into the system and build defenses around it.” — Lakshmi Sudheer

Lakshmi Sudheer, Adobe

What is your current role at Adobe and what do you like best about it?

I am currently a Security researcher at Adobe. Adobe provides me with challenging opportunities to solve complex security problems.

The team is very supportive and helps each other learn and perform better. This is the best part of being at Adobe.

What are the key takeaways from your talk at AppSec USA this year?

First, I am hoping that attendees walked away with a solid understanding of how the bug bounty process works, as well as some of the challenges inherent in the model.

We then introduced an Open Source tool called ReproNow that Vinayendra Nataraja and I developed to increase efficiency in triaging and reproducing security bugs. We showed how Chrome extension APIs can be used to capture screen and network information and how network data can be inserted inside a video.

What is it like working with the security researcher community?

I find it very encouraging and mentally stimulating working with the researchers in the industry. With so much happening in the technology space right now, there is a lot of knowledge to share and learn from the community.

What advice would you give to junior engineers in the industry who are interested in learning more about security?

My advice would be: be proactive, keep yourself updated by reading the security blogs of companies, volunteer for conferences, and watch security videos to understand the concepts. Also, the most important of all in my opinion is developing a security mindset with any work you do. If you are on the offensive side, then think of how you could break into a particular application/product, and if you are on the defensive side, again think of how many ways an attacker can break into the system and build defenses around it.


This year’s AppSec USA dinner party took place at Disney’s Epcot.

Brian Andrzejewski

“Play in the secure coding Capture the Flag (CTFs) that are posted on ctftime.org. You will learn way more by doing application security than from what any ‘death by powerpoint’ may be able to teach you.” — Brian Andrzejewski

What are the key takeaways from your talk at AppSec USA this year?

Containers are self-contained packages designed to run applications with consistency. Unlike traditional virtualization, containers share their host’s kernel, keep a complete record of file system changes and application dependencies, can run as read-only, and provide continuous deployment from a known good baseline.

It is critical for engineers to know that the defaults for almost all of the container technologies are wide open, typically as root. Knowing what to focus on first helps to make the significant benefits of containers worthwhile and secure for your organization’s needs.

What would you say are your favorite and least favorite things about working on application security in a DevOps environment?

My favorite thing to see in DevOps for application security is the significant increase in enforcement of configuration management — including the practice of keeping entire infrastructure configurations in code, under version control. I still remember the days of drawing them out in Visio to document and hand jamming configs.

My least favorite thing is that the majority of my security toolsets are unable to integrate with a traditional CI/CD pipeline to break/fail builds. It requires significant effort to get the tool to first execute from the CI/CD pipeline against a release, and even more work to capture the results of the tool to make them a determining factor to fail a release. Only a handful of tools today do any native pipeline execution, and only a few return results that can fail builds. Most are stuck as well in traditional SDLC release cycles, not git branch releases before a merge to master for production release.
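Two of the points above, that container defaults run as root and that a security check is only useful in CI/CD if its result can fail the build, can be illustrated together. The following is an added example, not code from Brian Andrzejewski or from any talk at the conference: a small shell gate that reads a Dockerfile, works out which user the final image would run as (Docker's default is root when no `USER` instruction is present), and returns a non-zero status so a pipeline step can fail the release. The two Dockerfiles it checks are constructed samples embedded in the script; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: a CI gate that fails a build when a Dockerfile keeps the
# container-runtime default of running as root. Not part of the original post.
set -eu

# Print the user the final image would run as: the last USER instruction in
# the Dockerfile, or "root" when there is none (Docker's default is UID 0).
# Limitation: a USER value taken from ARG/ENV (USER ${APP_UID}) is not resolved.
effective_user() {
  # $1 = path to Dockerfile
  local user
  user=$(grep -iE '^[[:space:]]*USER[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}')
  user=${user%%:*}              # drop an optional ":group" suffix (USER app:app)
  printf '%s\n' "${user:-root}"
}

# Gate used by the pipeline step: exit status 0 when the image drops root,
# 1 otherwise, so "set -e" in the CI job fails the build automatically.
check_dockerfile() {
  local user
  user=$(effective_user "$1")
  case "$user" in
    root|0) echo "FAIL: $1 runs as root (no effective USER instruction)"; return 1 ;;
    *)      echo "OK: $1 runs as '$user'"; return 0 ;;
  esac
}

# --- Constructed sample Dockerfiles for demonstration only ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Weak: relies on the default, so the process runs as root inside the container.
cat > "$tmp/Dockerfile.default" <<'EOF'
FROM alpine:3.18
COPY app /app
CMD ["/app"]
EOF

# Hardened: creates an unprivileged account and switches to it before CMD.
cat > "$tmp/Dockerfile.hardened" <<'EOF'
FROM alpine:3.18
RUN addgroup -S app && adduser -S -G app app
COPY --chown=app:app app /app
USER app:app
CMD ["/app"]
EOF

check_dockerfile "$tmp/Dockerfile.default" || true   # reported as FAIL
check_dockerfile "$tmp/Dockerfile.hardened"          # reported as OK
```

In a real pipeline the `|| true` is dropped and `check_dockerfile` runs against the repository's Dockerfile on every branch before the merge, which is exactly the "fail the build from the tool's result" step the answer above describes. The same pattern extends to runtime settings the answer mentions, such as running the container with `--read-only`.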

What advice would you give to developers who are interested in learning more about security?

Play in the secure coding Capture the Flag (CTFs) that are posted on ctftime.org. You will learn way more by doing application security than from what any “death by powerpoint” may be able to teach you.

In addition, work with your local security team on threat modeling your applications — you will learn so much about how to prevent a breach and how to avoid being on the front cover of the Wall Street Journal.


Kris Lahiri

“The agility of innovation and deploying code are both my favorite and least favorite things about application security at a SaaS company. The speed is awesome and the results are immediate. This also brings great responsibility across multiple teams to ensure that they are not the weakest link in the security supply chain.” — Kris Lahiri

Kris Lahiri, Egnyte

What is your current role at Egnyte and what do you like best about it?

I am the Chief Information Security Officer at Egnyte. I like how this is truly a cross-departmental and cross-functional role; it allows me to work with people across the entire company and set the direction of security-specific topics both internally and externally.

As our startup has grown to 350 people across multiple offices in the US, Europe and Asia, providing a consistent security posture is an exciting challenge that I am really enjoying.

What are the key takeaways from your talk at AppSec USA this year?

The same benefits that were achieved during the DevOps revolution of the last few years can be seen in merging security into the workflow of the company and embracing the DevSecOps revolution.

Empowering the developers with the right tools and providing the visibility to security related issues right in the same CI/CD pipeline that they are used to, builds unprecedented collaboration between the dev and security teams and sets the foundation for a “security as code” culture.

This talk is a practitioner’s view and shows that there are enough tools and processes available to everyone to get started on this journey and iterate and improve along the way.

What would you say are your favorite and least favorite things about running application security for a SaaS company?

The agility of innovation and deploying code are both my favorite and least favorite things about application security at a SaaS company. The speed at which we are able to impact something is awesome and the results are immediately available for everyone to see.

This also brings great responsibility across multiple teams to ensure that they are not the weakest link in the security supply chain.

What advice would you give to new application security managers who are building new programs?

Just do it.

Don’t get into analysis paralysis with all the different options and tools that are available. Pick what makes most sense right now and get started with the implementation of your security program. Iterate rapidly and adjust along the way, but don’t wait to get started.
