I had the chance to attend LoCoMoCoSec this year and had a fantastic time. It was a well-run conference that was extremely focused on being friendly for families and being inclusive of the diverse group of people who make up our community.
It also doesn’t hurt that it was in one of the most beautiful places I have ever seen.
Many of the attendees and speakers had brought their families with them, and this helped the conference have a fantastic family feel to it.
The organizers decided to keep the inclusiveness going by only offering a cash bar and asking anyone who was planning on over drinking to please move to another bar.
LoCoMoCoSec is the only conference I have attended that is hyper-focused on real-world product security. With talk after talk full of actionable or relatable stories that I will take back to work with me to help improve our security posture. I will highlight some of the key takeaways I will be bringing back to work with me.
Open Source Security
Neil and Adam both had amazing presentations on open source security and I had a ton of conversations with people around the subject at this conference.
Neil talked about how Github struggled with getting from an out of date forked version of Rails to the latest current version. It was one of those rare talks where the presenter was open and honest about how hard it was to get up to date even in a technology company. I am looking forward to this presentation video being uploaded to share with my dev teams.
Adam from NPM talked about framework security and how little code is actually written in modern node apps. This slide shows that 97% of modern node apps are made up of underlying frameworks was one of the most talked about at the conference.
Outside of these talks, I spent a lot of time talking with people about how we can better understand and help the security of the many open source frameworks that companies build their applications on. This is a problem that everyone is obviously thinking about but no one has found an answer to yet.
I saw three really good talks about DevSecOps from James Wickett, Tanya Janca, and Dave Lindner all of who I really respect as leaders in our industry. They each had a very unique approach to this topic but they all ended up with
DevSecOps is really hard and we all have a lot of work left to do. I have some thoughts on this topic and am working on a talk that I am hoping to be able to share later this summer.
James Wickett talk was one of the most entertaining of the conference, and he is writing a DevSecOps book that he is looking for material for. You can check out his slide deck here that includes contact information.
Tanya Janca is a high energy presenter and talked about the DevSecOps in sprints. She also talked about how great organizations have a ratio of 100 Devs to 10 Ops to 1 security person.
David Lindner who works at Contrast and is a friend of mine talked on Friday about the challenges of adapting appsec at a startup and balancing that with business needs. I empathized with him as we both come from startups of about the same size.
Bug Bounties are always a touchy subject at these conferences but there was a bunch of great discussions around them and how to improve them to make them more actionable.
Google in their talk about fixing CSP talked about 75% of their web payouts are for XSS bugs and how they are working on fixing that.
Katie Moussouris gave a talk about how bug bounties work and my biggest take away from her talk was that there is likely less than 500 bug bounty hunters who find the majority of all bugs.
Matt Langlois put together an amazing collabrtive CTF for the last day of the confrence and open sourced all the puzzles.
Melanie Ensign from Uber put together an amazing
Dive Track with the ability for people to take a few hours and explore some of the best diving in the world. I took a morning and went out for an amazing drive.
Overall I had an amazing time and I didn’t talk to anyone who wasn’t looking forward to LoCoMoCoSec 20202. I know if at all possible I will be going back. 🤙