On Monday, I had the opportunity to speak at Nodevember. The title of the talk is, "How to embed security into your process." I've wanted to get out and speak at a developer conference since the beginning of the year. Nodevember was the first conference to accept my talk (CodeMash next month is the second).
I believe developers have a lot of say in regards to the security of an application. I believe that we have a lot to say in regards to application security. I've been speaking on application security for the past couple years at security conferences and local meetups. That's great and it helps teach others in the field about application security. Where I can also make an impact (and potentially more so) is at developer conferences.
Developers have a lot of interest in security. There is proof of that from today. The talk before mine, "The State of Node Core" (good talk) had about a third of the seats filled. By the time my talk started just about all the seats were filled and a couple people were standing in the back. I was both happy and terrified.
My assessment of my talk was okay. I checked the schedule of the talks when I got to the conference. The 40 minutes I thought I had, was actually 30 minutes (my goof). I tried not to freak out. I'm usually quick on practice and I could cut out some things I needed to. By the end of it, I had discussed everything I felt was necessary and still had three minutes to spare.
I missed a couple elaboration points and a rant. I could have gotten those on my final thoughts slide, but my mind was blank. I was doing the talks with just slides and not presenter notes. This was due to me not wanting to waste time switching displays for the demos I was doing. Speaking of demos, I had one fail on me because I didn't practice my talk using my phone hot spot. My VM network settings was set to use Wifi.
Overall, it was okay. I got positive feedback from several people, plus some suggestions on what I could add to the talk (I asked for that specifically and was not disappointed). It was expressed to me that developers would love more security talks at developer conferences. There was some frustration around getting fellow developers to take security more seriously. Something I can sympathize with.
Here's some of the specific feedback and suggestions I got (thank you to those that gave feedback):
- They really liked the OWASP ZAP demo
- securityheaders.io (I did a content security policy demo before my talk)
- Docker Hub Images - static analysis (I need to research this)
- HTTPS - Cloudflare and Lets Encyrpt
- Lateral movements
I don't think all the feedback is in the scope for this talk. It certainly gives me ideas for future talks.
Other talks at Nodevember
I also really like attending developer conferences, because I still have a lot to learn from the development community. I have the same feeling of wonder and inadequacy as I did when I first started going to security conferences. All three talks I attended were great and taught me something new.
Unlocking the Mysteries of Unfamiliar Codebase by Randy Cox touched on diving into an unfamiliar codebase. This is a big thing for application security professionals who need to do code analysis. My confidence was boosted by Randy, because I was already doing a lot of the things he recommends. He also gave me some new ideas for looking at unfamiliar code.
- It's like an investigation
- Make sure everything is in source control
- Where is all the code?
- Git blame
- Document startup sequence and system architecture
- Use "code analysis" instead of "documentation" if management wants you to only code.
- Don't fix things - document and write bug tickets
Using npm scripts as your build tool by Elijah Manor. This talk was a little over my head. The scripts he covered were for automating some of the builds you can do in Node. Lot of cool scripts and ascii art.
The State of Node Core by Colin Ihrig. This talk gave an over view of the Long Term Support (LTS) schedule. Talked about some of the statistics on Node version use. Talked about new features and some other items I hadn't heard of before. Colin also talked about some of the security improvements on the way.
More security people need to get out to non-security conferences to learn, gain an understanding, and contribute.