The Open Web Application Security Project (OWASP) Los Angeles Chapter has teamed up with the Orange County, Inland Empire, San Diego, and San Francisco Bay Area chapters to bring you another great AppSec California. Join us and your peers for amazing talks and networking on January 22-25, 2019!
Thursday, January 24 • 4:20pm - 5:10pm
The Call is Coming From Inside the House: Lessons in Securing Internal Apps

Locking down internal apps presents unique and frustrating challenges for appsec teams. Your organization may have dozens if not hundreds of sensitive internal tools, dashboards, control panels, etc., running on heterogeneous technical stacks with varying levels of code quality, technical debt, external dependencies, and maintenance commitments. How do you tackle this problem scalably with limited resources?

Come hear a dramatic and humorous tale of internal appsec and the technical and management lessons we learned along the way. Even if your focus is on securing external apps, this talk will be relevant for you. You’ll hear about what worked well for us and what didn’t, including:
- Finding a useful mental model to organize your roadmap
- Starting with the basics: authn/z, TLS, etc.
- Rolling out Content Security Policy
- Using SameSite cookies as a powerful entry point regulation mechanism
- Leveraging WAFs for useful detection and response
- Using internal apps as a training ground for new security engineers

Hongyi Hu

Security Engineer, Dropbox
Hongyi Hu is a security engineer at Dropbox, where he leads the Application Security team and frequently advises the Product and Privacy Counsel teams. He is passionate about solving problems where technology, people, and public policy intersect. Previously, he was a member of the...

Thursday January 24, 2019 4:20pm - 5:10pm PST
Garden Terrace Room