AppSec and DevOps - What Should Teams Be Focusing On

AppSec California 2015 is just around the corner. I’ve looked at the agenda to get a sense of where attendees will spend their time. Overall, I suspect the top areas of interest will revolve around:

  • OWASP Top 10: SQL Injections, XSS, Chrome, Java, and other web/mobile app vulnerabilities, safeguards, and controls
  • Mobile Devices and Apps: iOS, Android, medical devices, geolocation, mobile SSL, Internet of things, MDM, and more
  • Collection of Best Practices: Development models, cryptography, threat modeling, ROI, policy management, GRC, and incident response

Here are my picks for the “must-see” sessions based on role:

  • Application Developers | Iron-Clad Development: Building Secure Applications (Training)
  • Application Testers and Quality Assurance | Why Your AppSec Experts Are Killing You (Session)
  • Application Project Management and Staff | Scaling Security in Agile Scrum (Session)
  • CIOs, CISOs, and CTOs | Building a Modern Security Engineering Organization (Session)
  • Security Managers and Staff | Enterprise Incident Response (Training)
  • CFOs, IT Risk and Compliance Staff and Auditors | Proactively defending your business against security protocol attacks and implementation flaws (Session)
  • Governance Executives, Managers, and Staff | Misconceptions in the Cloud (Session)
  • IT Professionals Interested in Improving IT Security | OWASP Top Ten Proactive Controls (Session)

I’m curious to know what sessions and trainings would be most interesting and valuable for you and your team. Is the security industry investing in the right topics? What's missing? Does anyone else find it troubling that we continue to discuss SQL injections and XSS as part of the OWASP top 10?