Two weeks ago I attended RSA Conference 2016 in San Francisco. I had the chance to attend multiple talks in the AppSec track and listen to what the other vendors, thought leaders and experts had to say. In a nutshell, all talks and discussions revolved around how to get developers engaged with the security process: get their buy-in, get their participation and educate them. I couldn’t help thinking to myself how all of these things have been on Maty’s and Checkmarx’s agenda for over 10 years.
10 years ago, when Maty Siman founded Checkmarx, he approached his new mission from a developer’s point of view. To this day, the core features that we developed back then are a major reason that Checkmarx is the only source code analysis solution that developers adopt willingly. Short scanning cycles, quick mitigation techniques and seamless integration are some of these features.
Of the five sessions I attended, three left an impression on me, some negative, some positive. I will roughly summarize the points discussed in each one of them. This summary is based on my understanding of the sessions, and I apologize in advance if I misinterpreted any of the speakers’ points.
A good talk depends greatly on how engaging the speaker is. I would like to start by congratulating Michael on an engaging talk.
As with many talks discussing application security practices, the discussion revolved around processes within the organization and how to improve them. Michael’s talk touched on these points from multiple different aspects.
This next session was a panel discussion. The experts on stage are leading figures in today’s application security industry, and as such I was expecting some interesting discussion points.
The discussion started off with a laid-back approach, which I like and believe is ideal for delivering important and sometimes boring ideas to the audience.
Attending the talk with me were two additional colleagues. All three of us decided not to stay for the full session. Why? Well, some initial discussion points such as automation, developer adoption and adaptation to modern development landscapes were touched on, but a bit too briefly in my opinion; there was room for more insights to be delivered by the panel. Aside from that, as I am slightly familiar with at least two of the products the three speakers represent, I felt that they were discussing challenges which, to the best of my knowledge, are not fully addressed by their own offerings, for example the ability to analyze small chunks of code in CI/CD environments without significantly impacting development process timelines.
As mentioned, I may have missed the more productive part of this panel. We left after approximately 20 minutes with a slight feeling that the content discussed by the three experts could have been much more detailed.
To sum it up, I usually believe that panel discussions can deliver better information than one-man presentations. This time, however, that was not the case.
Kudos to Laksh Raghavan on a well presented case study of one of the more interesting and significant development organizations globally.
Laksh presented a step-by-step case study of PayPal’s enormous application security implementation and its shift from waterfall to agile development. It’s always interesting to hear an insider’s point of view rather than a vendor talking about the theory.
Let’s start with the challenges Laksh brought up:
All of the above make the task of shifting the organization’s processes and standards very difficult, if not impossible, especially in a large organization like PayPal.
The fact that PayPal decided to go through this process in one shot is admirable and seems a bit presumptuous; however, the rest of this summary will consist of a list of items which point to how it was made possible by PayPalis.
The above is a very high-level summary. I don’t know if the RSA Conference will release recordings of the talks; however, if they do, I strongly recommend getting your hands on this one if you are in the process of, or thinking about, performing a security shift within your development organization.
So it seems that the application security and development worlds are on the right track, with plenty of room for improvement on both sides. We need to close the cultural gap and remove tension between the teams. Security engineers should understand developer pain points, and developers should understand that security vulnerabilities are no less, and maybe even more, important than functional bugs.