Latio Vendor Awards! Global OWASP Conference
Latio’s OWASP Conference Vendor Awards
The Global OWASP Conference in Washington DC was a ton of fun, and I got to hear from many people in the industry who are facing the same application security challenges. The major theme was that AppSec is for everyone - everything from better products to LLMs is allowing smaller teams to have a larger impact on security beyond traditional enterprises. While the industry as a whole still seemed largely enterprise driven, there was a real desire for openness and sharing knowledge with newer teams.
I met with about 40 vendors over the course of 1.5 days, and here are some of my thoughts.
Disclaimer: The opinions expressed in this review are my own and based on my personal experiences and observations. I have made every effort to ensure the accuracy of the information provided, but I cannot guarantee its accuracy or completeness. The information is presented without warranty, and I encourage readers to conduct their own research and draw their own conclusions. I was not paid for any of this content and do not own assets in any of the companies mentioned.
Buzzword of the Year: ASPM
Runner Up: CoPilot
Suddenly, everyone this year is an ASPM. No longer is it enough to be a best-in-class SAST or SCA tool; instead, teams are looking to centralize all of their scanning in a single place. Some tools, like JIT.io and Legit Security, are heavily focused on getting a sense of pipeline coverage based on tool sprawl; others, like Arnica and Cycode, instead displace existing scanners with their own scanning mechanisms. The most ambitious (like our Best in Show winner below) did both.
All in all, it’s clear that these tools are addressing the reality that in the war against vulnerabilities, the vulnerabilities are winning.
Most Innovative Startup: Dry Run Security
Runner Up: Riscosity
While there were plenty of “CoPilots” on the show floor, only Dry Run seemed to be using LLMs in a truly helpful way. I learned a lot about what ChatGPT is good at in my comparison of Snyk and ChatGPT for SAST, and Dry Run seemed to be capitalizing on exactly the right thing: finding context for complex systems to raise the right alerts to the right people. Over the years I’ve built numerous custom scripts to monitor the files that really matter, because often, they aren’t detected at all by SAST tools (such as config files for Django or Kong) - Dry Run seemed to really fix that. Beyond their current implementations, I’m excited about the potential of their workflow and bringing LLM into your pipeline.
Riscosity is also worth mentioning - I need to get hands-on time to validate the claim, but crawling your code for third-party data sending and combining that with egress proxying is a truly powerful combination for getting insight into where your data is actually going.
OK Boomer Award: Prisma Cloud
Runner Up: VeraCode
While in one sense I was surprised to see Prisma Cloud focusing on application security, they’re betting big on their Darwin platform as a “code to cloud” all in one journey. I’m…not; but that didn’t stop me from grabbing some socks. The pivot is smart for lowering customer churn, but not focused enough to be a challenge to innovators.
Most Runtime-y: Oligo Security
Runner Up: Oxeye, DeepFactor
While there were a few vendors at the show doing “runtime insights,” only Oligo was bold enough to slap the grim reaper on a shirt and call everything else legacy. Oligo’s unwavering commitment to runtime application security as “AppSec 2.0” is what I love to see. I’m a results-oriented DevOps guy at heart, so I have to admit that I’m biased. At the end of the day, what’s more important: seeing a vulnerability, or stopping it? Only Oligo is going from “Runtime Prioritization” to “Runtime Stopping.”
That being said, prioritization-wise, DeepFactor seems right up there with Oligo. I appreciated the unique runtime take of Oxeye as well, using runtime insights to make a map of the application, with insights very similar to what Bionic was working on (before the Sith Lords took them over).
Best API Security: Impart Security
Runner Up: Pangea
There’s a lot of buzz right now trying to figure out the future of API security. On the one hand, a lot of WAF providers have caught up to provide API-level protections, and it’s a lot easier to extend an existing tool than to implement a new one. On the other, there’s a lot of power to be found by extending API detection into code bases and gaining general visibility into your APIs and what they’re doing in action. Impart’s combination of accurate discovery with anomaly detection made them stand out in a crowded space filled with other great tools.
Runner-up Pangea was only the runner-up because their service doesn’t lend itself well to a demo environment, but if it works cleanly it’s an elegant solution to the same problem. They essentially work as a CDN for your APIs, automating their protection through secure API delivery and offering services like aliasing and detection that can otherwise be hard to achieve.
Best AppSec Advocate: Tanya Janca
While the crowd certainly had plenty of VPs of marketing, community managers, etc., no single person had a better community effect than Tanya. She was thoroughly dedicated all weekend - from speaking at ThreatModCon to going to the vendor events afterwards, Tanya’s passion for AppSec is as genuine as it is nerdy, and she is certainly worth following on Twitter and LinkedIn!
Biggest Presence: Arnica
Runner Up: Semgrep
Arnica had the premium booth in the premium spot, and went all out with everything from popcorn to donuts. More importantly, no one was more excited about their own work than Nir Valtman at Arnica. I went into our demo with my typical skepticism of the “ASPM” pitch, with “workflow management” and “too much noise” front and center, but Nir turned me, and many others, into Arnica believers at the conference.
Arnica is boldly not trying to just integrate with the big players like Snyk and Semgrep, but to displace them entirely with scanning that is ultimately much more remediation-focused than their competitors’. A small but impressive example was the workflow for fixing secrets - anyone who’s tried using the BFG Repo Cleaner can attest to how hard it can be to scale to an organization. Arnica instead elegantly opens a PR that cleans up the commit history and can be merged directly into the code to remediate the issue, all through Slack and Jira workflows. While other vendors may offer better secret scanning in certain ways, Arnica’s focus was on remediation, which is the more challenging problem. Throughout the product, from SAST to SCA, there was a laser focus on making the developer experience seamless and simple.
Semgrep also had a strong presence at the conference, both in terms of attendees and events - there’s no doubt they’re busy taking a bite out of Snyk, and their open source engine is powering half of the other tools on the floor.
Biggest Absence: DAST
Runner Up: Kubernetes Security
It’s regrettable that the sentiment “DAST is dead” has gained traction in the AppSec community. Before I met StackHawk, I would’ve easily agreed with this opinion - the legacy vendors truly suck to use in this area. However, I think the industry has largely missed that good DAST is essential to validating your findings, and the only frustration is how separate the DAST and SAST experiences can be. StackHawk is majorly differentiated by reading your API config files and then scanning against those with pointed injections that actually bring meaningful detection. I was happy to see that Oxeye had a similar commitment to DAST as a validation method.
Similarly, besides Jimmy Mesta’s talk on Kubernetes security, very few vendors were represented who focused on Kubernetes context. It’s a shame that more AppSec vendors aren’t thinking about IaC and Kubernetes context as much, but I think the industry as a whole is largely starting to recognize its significance. Additionally, many vendors were no doubt saving their budget for KubeCon.
Talk I Enjoyed the Most: Jimmy Mesta - Kubernetes Security Top 10
While there were many talks I enjoyed, I love two things: talks that dive into detail, and talks that cover a lot of ground. Jimmy gave an awesome overview of the Kubernetes Top 10, drawing from hands-on experience with what they’ve seen at KSOC combined with his own experience building the Top 10.
Best in Show: Ox Security
Runner Up: Arnica
Ox Security blew my freaking mind. I’m generally skeptical of vendor claims, but optimistic of what they’re trying to accomplish in focused use cases. My first thoughts are “how are they integrating, and therefore, what would they miss?” followed by, “what does the actual workflow look like?” Ox Security seemed well poised for that: they were tucked into the back corner of the convention hall and their dashboard seemed to cover everything:
You could bring your own vendor or use theirs; they covered static analysis, IaC, and container scanning all the way out to production. I thought there was no way they could trace container scanning from code to production, alongside static analysis and meaningful workflow building. But every step of the way, Neatsun’s only answer was “yes, we do that” as he showed me a live demo of them having the essential detail or piece of the puzzle.
Before I left, my only comments were, “How much did you raise?” followed by, “just try to remember me when you’re up as the next Wiz.” If you’re looking for your next application security tool, I couldn’t find a reason to say no to Ox.