4 Key Takeaways from OWASP Global DC

I got to attend OWASP Global DC this week. It was an absolute blast, and here are the key takeaways that left a lasting impression on me:

‍

1. Events are back!

Turnout and engagement for this event was great—loads of attendees and sponsors. Impart API Defender Max Anderson and I had a great time telling our story at the Impart booth, attending talks, and connecting with old friends.  The pandemic seems to be in the rear view mirror, with folks out and about, shaking hands, mingling, and having a nice time.

One of my personal highlights was definitely the event, Havana Nights, we co-hosted with Semgrep, Jit, Oligo, and Pangea.  IMHO, it was the best party of the event with a great turnout, cigar roller, and even a Kahoot game.

‍

2. AI is being used by everyone, but not well productized

‍I walked the expo floor and talked to a bunch of folks about AI, and although every company has now integrated AI messaging into their marketing, I was surprised at just how many companies have actually integrated AI technology into their products.

Within the OWASP crowd, AI is viewed as a a "good enough" solution for many problems like static analysis of code.  Surprisingly, privacy concerns were not as big of an issue as I thought they would be by practitioners on the ground—the perceived value and benefits people are getting from the tools is, so far, outweighing the perceived security risk of data leaking into public LLMs.

That said, the product experience of GenAI still seems pretty rudimentary and derivative.  Retrieval Augmented Generation (RAG) seems to be gaining steam as solution for improving public model relevance and quality, but there still is clear room for improvement in the overall product experience.

For example, I saw a few imitations of in-product chat boxes like ChatGPT, and in IDE recommendations similar to Github Copilot, but to me at least, doesn’t seem to save practitioners very much time.

‍

3. The Great ASPM Rebadge

‍”Everyone is an ASPM now!” I heard this quip from more than a few people. It’s clear there are many different approaches to AppSec (i.e. SCA, SAST/DAST, code review, runtime protection) and many companies in these categories are all marketing themselves as Application Security Posture Management solutions.

I don’t find this messaging helpful to AppSec teams because there are clear trade-offs when it comes to the breadth and depth of app-sec solutions. The wider the coverage of a given tool, the lower quality solution it will be in detecting, analyzing, and coming up with responses to specific threats and issues.

AppSec teams don’t benefit from a tool that offers broad visibility to issues but lacks quality responses to those issues.  In the words of someone I spoke with, these tools become “work generators” rather than “work reducers.”

‍

4. API Security is now a well-understood and accepted problem

‍Gone are the days of asking "what is api security?" Everyone I spoke with at this event knew what the problem was, and furthermore had already tried and failed to secure their APIs using existing solutions like SAST, DAST, and WAF.

Personally, this was exciting because it’s clear to me that there is now an increasing awareness of the problem and a growing opportunity for Impart as practitioners to get more experience in the space.

All in all, the OWASP DC event was a blast! It was an incredible opportunity to connect with fellow cybersecurity enthusiasts, gain valuable insights, and contribute to the community. The industry is evolving at lightning speed, and I’m thankful to be a part of it.

Are you having problems finding the right solution to protect your APIs? We’d love to show you how Impart is doing API security differently. Sign up for a demo today!

‍