BSidesSF 2023 has ended
Saturday, April 22
 

9:00am PDT

Breakfast
Saturday April 22, 2023 9:00am - 10:00am PDT
Participation Hall

9:00am PDT

Capture the Flag
The CTF is back! As always, everyone is welcome to participate as the competition features a range of challenges at all difficulty levels. In case you find yourself in need of assistance, we have folks onsite who can provide hints and guidance. All that is needed to participate is a laptop.

The server is available all weekend long, and anyone is welcome to play. Server information is at https://bsidessf.org/ctf

At least one player must be onsite to claim any prizes won.

Sponsors

Socket

Capture The Flag


Saturday April 22, 2023 9:00am - 5:00pm PDT
Twin Peaks

9:00am PDT

Coffee
Sponsors

Opal

Espresso and Coffee

Sprinkles

Espresso and Coffee

Tailscale

Espresso and Coffee, Lanyard


Saturday April 22, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Sponsors
Visit the sponsor booths that line the walls of the Participation Hall and learn more about the companies that have made this year’s event possible. You’ll be introduced to new products, services, and career opportunities. At each booth you can also obtain one of the stamps you need to complete your Sponsor Passport (which is in the bag you received at registration).

Saturday April 22, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Badge Village
Badge Village is an interactive experience for all your badge tinkering, programming, and competitive CTF tournaments, using a badge specially designed for BSides SF. Join us to learn how to program the chips at your own pace, or, if you prefer outpacing the world, enter the badge CTF contest. Each correct flag unlocks badge features and earns you bragging rights. The badge CTF draws on a variety of domains including, but not limited to, cryptography, steganography, and OSINT challenges.

Attendees will use laptops either to learn to program the chips through guided tutorials, or to play the badge CTF and try to ace it in record time. The village welcomes anyone who wants to learn, or to show off their CTF skills, and to take home their own piece of creativity in the form of a coveted BSides SF souvenir.

There is a limited number of badges available. There are two ways to obtain a hardware village BSidesSF badge: be one of the first 300 to collect a badge at the village, or pre-order your badge (limited stock) to guarantee you receive one, and pick it up at the village during the conference.

Brought to you by Hackerwares

Sponsors
GitGuardian

Tessian

Village


Saturday April 22, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Bug Bounty Village
Bug Bounty Village is dedicated to bringing web application security engineers, hackers, and security enthusiasts together through talks, workshops, and CTFs!

Bug Bounty Village is organized by NahamSec

Sponsors
GitGuardian

Tessian

Village


Saturday April 22, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Career Village
Career Village is aimed to help attendees navigate a career in cybersecurity and to connect with hiring managers.

At the village, you will have the opportunity to learn about professional branding, resume building, interview best practices, and meet security hiring managers looking to grow their teams.

The Career Village will have recruitment and security experts who have helped people ranging from professionals new to security to security executives continue their career journey.

Sponsors
GitGuardian

Tessian

Village


Saturday April 22, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Cloud Village
As more of the world moves onto cloud infrastructure, keeping up with new offensive and defensive research and techniques becomes a mandatory skill set. Cloud Village is an open space to meet folks interested in the offensive and defensive aspects of cloud security.

Sponsors
GitGuardian

Tessian

Village


Saturday April 22, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Crypto & Privacy Village
Learn how to secure your own systems while also picking up some tips and tricks on how to break classical and modern encryption. The CPV features workshops and lightning talks on a wide range of crypto and privacy topics from experts. We’ll also have an intro to crypto talk for beginners, plus some crypto-related games, puzzles, and challenges.

Sponsors
GitGuardian

Tessian

Village


Saturday April 22, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Day of Shecurity
Day of Shecurity Village promotes gender diversity in cybersecurity. In partnership with Secure Diversity, we seek to support diversity in cybersecurity through upskilling, career training, and access to jobs for candidates who are new to security. We invite you to check out our Village to learn more about entering the industry of cybersecurity and upskilling for current industry professionals.

Sponsors
GitGuardian

Tessian

Village


Saturday April 22, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Electronic Frontier Foundation (EFF)
The Electronic Frontier Foundation is the leading nonprofit defending online civil liberties. We promote digital innovation, defend free speech, fight illegal surveillance, and protect rights and freedoms for all as our use of technology grows.

EFF's village will be a place for attendees to come and chat with EFF staff about the latest in their digital rights. Attendees can also donate to EFF and become a member, or even purchase some of our latest gear, including t-shirts and stickers.

Sponsors
GitGuardian

Tessian

Village


Saturday April 22, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

IoT Village
IoT Village advocates for advancing security in the Internet of Things (IoT) industry by bringing researchers and industry together. IoT Village hosts talks by expert security researchers, interactive hacking labs, live bug hunting in the latest IoT tech, and competitive IoT hacking contests. Over the years IoT Village has served as a platform to showcase and uncover hundreds of new vulnerabilities, giving attendees the opportunity to learn about the most innovative techniques to both hack and secure IoT. IoT Village is organized by the security consulting and research firm Independent Security Evaluators (ISE).

Sponsors
GitGuardian

Tessian

Village


Saturday April 22, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Lockpick Village
Lockpick Extreme and TOOOL SF are back once again hosting Lockpick Village. Learn to lockpick from the TOOOL SF volunteers or practice what you already know with their assortment of locks and picks. When you’re done, you can shop the Lockpick Extreme pop-up shop and take your new hobby home with you.

Sponsors
GitGuardian

Tessian

Village


Saturday April 22, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Bar and Chill Out
Take a break from the day’s events with a stop at the Bar and Chill Out Space. Two complimentary drink tickets were provided to you at registration. We already paid for them, so please use them!

Sponsors

Conveyor

Daytime Bar & Chill-Out


Saturday April 22, 2023 9:00am - 5:30pm PDT
Participation Hall

9:00am PDT

Lounge
Enjoy the SF skyline from the Lounge. Located on the patio next to the tent, the Lounge includes comfortable places to rest and relax as well as lawn games to play.

Sponsors

Slack

Lounge


Saturday April 22, 2023 9:00am - 5:30pm PDT
City View Terrace

9:00am PDT

Registration
Saturday April 22, 2023 9:00am - 5:30pm PDT
Mezzanine (AMC)

9:00am PDT

Info Desk
Got a question or comment about the event? Drop by the information desk and chat with us.

Saturday April 22, 2023 9:00am - 6:30pm PDT
Lobby

9:00am PDT

Prayer & Mother's Room
Need a quiet place for meditation or mothering duties? Ask at the Info Desk, and we can guide you to a private location.

Saturday April 22, 2023 9:00am - 6:30pm PDT
Lobby

9:00am PDT

Coat Check
Sponsors

Netflix

Coat Check


Saturday April 22, 2023 9:00am - 10:00pm PDT
Coat Check

10:00am PDT

Opening Remarks
Opening Remarks from Reed Loden, Lead Organizer of BSidesSF

Speakers

Reed Loden

VP of Security, Teleport
Reed Loden is the Vice President of Security at Teleport, a technology company that helps organizations securely access their infrastructure. He is an information security expert, researcher, hacker, and developer. Reed brings over 15 years of security experience to his role at Teleport...


Saturday April 22, 2023 10:00am - 10:10am PDT
AMC Theatre 13

10:00am PDT

Finding Bugs and Scaling Your Security Program with Semgrep
Event locked in Sched to limit confusion. See registration to determine current session availability.
YOU ARE REQUIRED TO REGISTER AT https://bsidessf.regfox.com/2023 TO ATTEND THIS WORKSHOP (i.e. this session cannot be reserved with Sched)
-----
This workshop will be a hands-on masterclass by the creators and maintainers of Semgrep (https://github.com/returntocorp/semgrep), an open source, lightweight static analysis tool which can help enable development teams to scale their SAST efforts.
-----
Between Agile, DevOps, and infrastructure as code, development is happening faster than ever. As a security team, it can be tough to keep up. We need to move fast, and iterate quickly as new issues emerge. SAST is one piece of a very important puzzle in the SDLC, so using tools effectively is the key to success!

We’ll cover:
Best practices in rolling out continuous code scanning -- what to focus on, what to ignore, and how to maintain good working relationships with development teams

How to use this scanning to enforce secure defaults across your org

How to write custom Semgrep rules -- find anti-patterns and enforce security best practices unique to your organization

We will show you how to use our dataflow (taint) engine, how you can write sources, sinks and sanitizers to identify vulnerabilities

We will show new GA and experimental features we have been working on which are not widely adopted yet, and how you can write rules to fit your needs

Finally, explain how Semgrep can be used like a Swiss army knife for a variety of purposes -- alerting you whenever a new route is added (new attack surface), when new dependencies are added or Dockerfiles are modified (detect potential supply chain risk), or when generally sensitive files are modified, such as core authorization logic or secret management


You’ll leave this workshop with knowledge and skills you can immediately put into practice. For internal security engineers, you’ll have new capabilities for scaling your company’s security. For pen testers and offense-focused security professionals, we’ll up your bug finding game to a new level.
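
To make the sources, sinks and sanitizers idea from the taint-engine bullet concrete, here is an added example that is not Semgrep code and not part of the workshop material: a small, flow-insensitive taint analysis written over Python's ast module. The names treated as sources, sinks and sanitizers, and the sample program it is run against, are assumptions made up for illustration. A real engine (Semgrep's included) also tracks taint through function calls, object fields and control flow, which this one deliberately does not.

```python
"""Toy intra-procedural taint analysis over Python source.

A SOURCE call introduces attacker-controlled data, a SANITIZER call cleans it, and
source data that reaches a SINK argument without passing through a sanitizer is a
finding. The three name sets below are illustrative assumptions, not Semgrep's registry.
"""
import ast

SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"os.system", "subprocess.call", "cursor.execute"}
SANITIZERS = {"shlex.quote", "int", "html.escape"}


def _qualname(node):
    """Dotted name of a call target, e.g. os.system -> 'os.system'; None for anything fancier."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_tainted(expr, tainted):
    """True if expr carries tainted data: a source call, a tainted variable, or a tainted
    sub-expression that is not wrapped in a sanitizer call."""
    if isinstance(expr, ast.Call):
        target = _qualname(expr.func)
        if target in SOURCES:
            return True
        if target in SANITIZERS:
            return False  # sanitizer output is treated as clean whatever went in
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(_is_tainted(child, tainted) for child in ast.iter_child_nodes(expr))


def _analyze_block(statements, findings):
    """Walk straight-line statements in order, propagating taint through simple assignments
    and reporting every sink call whose argument is tainted at that point."""
    tainted = set()
    for stmt in statements:
        if isinstance(stmt, ast.Assign) and all(isinstance(t, ast.Name) for t in stmt.targets):
            names = {t.id for t in stmt.targets}
            if _is_tainted(stmt.value, tainted):
                tainted |= names
            else:
                tainted -= names  # reassignment from clean data kills the taint
        for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
            sink = _qualname(call.func)
            if sink in SINKS:
                for arg in call.args:
                    if _is_tainted(arg, tainted):
                        findings.append({"line": call.lineno, "sink": sink, "arg": ast.unparse(arg)})


def find_taint_flows(source_code):
    """Return one finding per sink argument that receives unsanitised source data.
    Module-level code and each function body are analysed separately; classes and
    nested defs are out of scope for this toy."""
    tree = ast.parse(source_code)
    findings = []
    funcs = (ast.FunctionDef, ast.AsyncFunctionDef)
    _analyze_block([s for s in tree.body if not isinstance(s, funcs)], findings)
    for node in ast.walk(tree):
        if isinstance(node, funcs):
            _analyze_block(node.body, findings)
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample program, not taken from any real project.
SAMPLE = '''
import os, shlex
from flask import request

def vulnerable():
    host = request.args.get("host")
    cmd = "ping -c 1 " + host
    os.system(cmd)

def sanitized():
    host = request.args.get("host")
    clean = shlex.quote(host)
    os.system("ping -c 1 " + clean)

def cast():
    n = int(request.args.get("n"))
    os.system("sleep " + str(n))
'''

if __name__ == "__main__":
    for f in find_taint_flows(SAMPLE):
        print(f"line {f['line']}: tainted data reaches {f['sink']}({f['arg']})")
```

Only the first function is reported: in the second the data passes through shlex.quote before reaching os.system, and in the third the int() cast acts as a sanitizer because its output cannot carry shell metacharacters. Writing the same three concepts as a Semgrep taint rule is what the workshop covers; the point of the toy is to show what a rule's pattern-sources, pattern-sinks and pattern-sanitizers sections are asking the engine to track.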

Prerequisites:
You should be familiar with reading and writing code in at least one programming language
Bring a laptop with a web browser, IDE, git, and the ability to install CLI tools
Familiarity with common vulnerability classes (e.g. OWASP Top 10) will be helpful but is not required

Speakers

Lewis Ardern

Semgrep
Lewis is a Staff Security Researcher for Semgrep (r2c), a startup working on giving security tools directly to developers. Previously, Lewis was a Lead Security Engineer at Salesforce and spent many years at Cigital and Synopsys as a consultant functioning in every aspect of the SDLC...


Saturday April 22, 2023 10:00am - 12:00pm PDT
AMC Theatre 10

10:10am PDT

The Expanding Universe of Cyber Threats
Security programs are responsible for keeping up with and getting ahead of the rapid growth of cyber threats. Enterprise organizations must monitor for changes in threat actor TTPs, keep track of emerging vulnerabilities, assess gaps related to technological advances that outpace security solutions, and the list goes on. A solution that some organizations are deploying to help manage the expanding threat landscape is cyber threat intelligence. Some enterprise security teams rely on cyber threat intelligence to: prioritize and provide context to threats, dispel FUD (fear, uncertainty, and doubt), and share actionable, relevant, timely, and accurate insights with decision-makers. Join me in exploring cyber threat intelligence and the expanding universe of cyber threats.

Speakers

Dr. Xena Olsen

Threat Intelligence Manager, Fortune 100
Dr. Xena Olsen is a cybersecurity professional focused on cyber threat intelligence at a Fortune 100 company. She enjoys discussing all things cyber threat intelligence and can be found in various threat intelligence sharing groups, such as Curated Intel. She is a SANS Women’s Academy...


Saturday April 22, 2023 10:10am - 11:00am PDT
AMC Theatre 13

11:00am PDT

T-Shirt Sales
Pick up pre-purchased event t-shirts and purchase t-shirts for the current and previous years. Please note, we have limited t-shirt quantities.
Proceeds benefit three charities (to be determined). You vote for one of the three, and we split the donation among all of them according to the vote percentages.

Saturday April 22, 2023 11:00am - 9:00pm PDT
Coat Check

11:05am PDT

No Adversaries: Getting Users on Your Side for Tough Transformations
Technical problems need technical solutions but often require a more human approach to communication and implementation. We’ll look at relating complex technical information to varied audiences, including reluctant ones, and how to reach them using motivations that make sense to them.

Speakers

Breanne Boland

Product security engineer - security partner, Gusto
Breanne Boland is a product security engineer with the Security Partnerships team at Gusto. Before moving into security, she was a site reliability engineer and an infrastructure engineer, working in healthcare and govtech. Prior to that, she was a professional writer, and she still...

Amy Martin

San Francisco Digital Services- City and County of San Francisco
Amy Martin became a project manager at San Francisco Digital Services after almost 2 decades as a public librarian. She specializes in government website migrations and also likes drawing.


Saturday April 22, 2023 11:05am - 11:30am PDT
AMC Theatre 15

11:10am PDT

Stop Committing Your Secrets - Git Hooks To The Rescue!
Committing secrets is a huge problem. By the time GitHub or other services scan for secrets, it is far too late. The best way to not push secrets is to never commit them. Git provides a clean path for this, and this talk will walk you through making Git your ally in keeping secrets safe.
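
A minimal version of the approach the abstract describes, added here as an example rather than code from the talk: a Python pre-commit hook that scans the staged diff for known credential formats and high-entropy strings and fails the commit on a hit. The pattern set, the entropy threshold of 4.0 bits per character, the hook path and the sample diff are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
"""Pre-commit hook: refuse to commit staged changes that contain secret-looking strings.
Install (assumed layout): cp pre-commit.py .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
"""
import math
import re
import subprocess
import sys
from collections import Counter

# Starter pattern set (an assumption for this example); extend it for the credential formats you use.
PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Private key block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "Hard-coded credential assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")  # candidate random-looking tokens
ENTROPY_THRESHOLD = 4.0  # bits/char: hex digests stay below this, base64 keys and API tokens exceed it


def shannon_entropy(s):
    """Character-frequency entropy of s in bits per character (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_diff(diff_text):
    """Return (path, new_file_line, kind) for every added line of a unified diff that looks secret-bearing."""
    findings = []
    path, new_line, in_hunk = None, None, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False  # new file: the following '+++ ' line is a header, not content
            continue
        if raw.startswith("@@ "):
            new_line = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
            in_hunk = True
            continue
        if not in_hunk:
            if raw.startswith("+++ "):
                path = raw[4:]
                path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("+"):  # only added lines matter: removing a secret must not block the commit
            line = raw[1:]
            for kind, pattern in PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, new_line, kind))
            for token in TOKEN_RE.findall(line):
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    findings.append((path, new_line, "High-entropy string"))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1  # context lines advance the new-file counter; '-' lines do not
    return findings


# Constructed diff for illustration; the AKIA... value is the placeholder key from AWS's own documentation.
SAMPLE_DIFF = """diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_KEY"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2-but-longer"
+DEBUG = True
 print("ok")
diff --git a/client.py b/client.py
--- a/client.py
+++ b/client.py
@@ -10,2 +10,3 @@
 headers = {
+    "Authorization": "Bearer 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcd",
 }
"""


def main():
    # Staged changes only: that is exactly what is about to enter history.
    diff = subprocess.run(
        ["git", "diff", "--cached", "--no-color", "--no-ext-diff"],
        capture_output=True, text=True, check=True,
    ).stdout
    findings = scan_diff(diff)
    for path, line, kind in findings:
        print(f"{path}:{line}: {kind}", file=sys.stderr)
    if findings:
        print("Commit blocked: move the secret to a secret store or environment variable, then retry.", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Two caveats a practitioner should keep in mind before relying on this. Client-side hooks are not copied on clone and are skipped entirely by git commit --no-verify, so point core.hooksPath at a tracked hooks directory (or use a hook manager) and pair the hook with a server-side pre-receive check or the hosting provider's push protection. Entropy checks also flag legitimate hashes and base64 blobs, so tune the threshold and add a per-repository allowlist before rolling it out widely.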

Speakers

Dwayne McDaniel

Security Developer Advocate, GitGuardian
Dwayne has been working as a Developer Advocate since 2016 and has been involved in tech communities since 2005. He loves sharing his knowledge, and he has done so by giving talks at over a hundred events worldwide. He has been fortunate enough to speak at institutions like MIT and...


Saturday April 22, 2023 11:10am - 11:20am PDT
AMC Theatre 14

11:10am PDT

Making of the BSides SF Astronaut Badge
The story of the badge's making from a technical as well as a logistics point of view: how the CTF comes together with the design, and our groundbreaking innovation in printing the PCBs with colourful artwork.

Speakers

Abhinav SP

Hackerware
Abhinav is on a mission to bring innovation and creativity in electronics, hacking and programming education through artistic hardware badges. He is the founder of Hackerware and over the course of 6 years, he has innovated in the design, manufacturing and assembly of hardware - all...


Saturday April 22, 2023 11:10am - 11:30am PDT
Après Village (Embarcadero)

11:10am PDT

Building Production-Grade End to End Encrypted Applications
End-to-end encrypted (E2EE) applications are the gold standard for privacy. But building E2EE apps has its own set of unique challenges in product security, compliance, abuse, availability, and observability. In this talk, we’ll share insights from building E2EE, collaborative products at Skiff.

Speakers

Ehsan Asdar

Skiff
Ehsan is a Senior Software Engineer @ Skiff. He architected Skiff's Mail and Calendar products and designed core components of Skiff's E2EE platform. Previously, Ehsan worked in autonomous driving at Ike Robotics and Nuro.

Nishil Shah

Skiff
Nishil is the Director of Security and Founding Security Engineer at Skiff (https://skiff.com). Skiff is an end-to-end encrypted (E2EE) collaboration platform that offers E2EE document collaboration, email, calendar, and cloud storage functionality. Previously, Nishil was a Staff...


Saturday April 22, 2023 11:10am - 12:00pm PDT
AMC Theatre 12

11:10am PDT

Level Up Your Career: A Panel on Staff+ Engineering
What does it mean to be a Staff+ engineer in security, and how can you get there?

Come hear our panelists discuss what it's really like, how you go from Senior to Staff, or whatever you want to learn more about. Ask Us Anything - seriously, anything, even about putting the cyber in space.

Speakers

Rami McCarthy

Staff Security Engineer, Figma
Rami works on Infrastructure and Cloud Security at Figma. He previously worked as a security consultant and helped scale security for a health-tech unicorn, and infrequently writes about security on tldrsec.com. https://www.twitter.com/ramimacisabird

Lea Snyder

Principal Security Engineer, Microsoft
Lea Snyder is a Principal Security Engineer at Microsoft with over 20 years of experience in technology, focusing on security and security adjacent domains for almost 10 years, working in Identity & Access Management and Application Security. She is an active contributor to the security...

Hasnain Lakhani

Hasnain is a Software Engineer at Databricks. His work has focused on solving security problems through software. He spends most of his time outside work with family, or ... at the computer, reading books, writing code, or playing games. https://www.twitter.com/mhlakhani

Kurt Boberg

r2c
Kurt is a Staff Security Researcher at r2c - the Semgrep folks! He arrived on the path of research by way of DevOps and AppSec where he spent so much time reading documentation and specifications that his mentors told him he should probably just do that as a job. Outside work, Kurt...


Saturday April 22, 2023 11:10am - 12:00pm PDT
AMC Theatre 13

11:30am PDT

Community Cyber Defense: How to be a Local Cyber Hero
Learn about volunteer efforts to protect community organizations like cities, schools, and nonprofits from low-level cyber attacks, and how YOU can help them succeed.

Speakers

Sarah Powazek

UC Berkeley CLTC
Sarah Powazek is the Program Director of Public Interest Cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity (CLTC), where she leads flagship policy and research work to help under-resourced public interest organizations improve their defenses. Sarah co-leads the Consortium...


Saturday April 22, 2023 11:30am - 11:40am PDT
AMC Theatre 14

11:35am PDT

Gamify security best practices to scalably improve engineering culture
Engineers don’t always know how to make code secure. Security teams are tired of asking engineers to make security fixes. Leaders have low visibility into security posture.

At Chime, we gamified our security best practices which resulted in improved engineering culture and security observability.

Speakers

David Trejo

Chime, Inc
Security Engineering @ Chime. Chime is the top challenger fintech taking on the big banks with greatly improved customer experience for the average American (free overdraft up to $200, get paid 2 days early, credit building). Ask me how to cook a mind-blowing steak :) 🥩 Security...


Saturday April 22, 2023 11:35am - 12:00pm PDT
AMC Theatre 15

11:40am PDT

Growing Your Skillset with Capture the Flag
Capture the Flag competitions (CTFs) provide an opportunity to "get your hands dirty" on a variety of topics. I'll discuss strategies for learning as much as you can and discuss where to get started with a topic you've not worked with before. I'll also cover the organizer's perspective on our CTF.

Speakers

David Tomaschik

Senior Security Engineer, BSidesSF CTF Organizer
David is a Senior Security Engineer on the Google Offensive Security team and has been helping to organize the BSidesSF CTF for 7 years. He focuses on red teaming, embedded device security, web security, and security education. https://www.twitter.com/matir


Saturday April 22, 2023 11:40am - 12:00pm PDT
Après Village (Embarcadero)

12:00pm PDT

Lunch
Saturday April 22, 2023 12:00pm - 1:30pm PDT
Participation Hall

12:30pm PDT

Sponsor Raffle
Complete your Sponsor Passport (which can be found in the bag you received at registration). Drop your completed card into the Sponsor Passport raffle box located within Twin Peaks to be entered into the raffle. Winners will be announced at 12:30pm each day (must be present to win).

Saturday April 22, 2023 12:30pm - 1:00pm PDT
Participation Hall

12:30pm PDT

Android App Hacking - Hacking for Good
Event locked in Sched to limit confusion. See registration to determine current session availability.
YOU ARE REQUIRED TO REGISTER AT https://bsidessf.regfox.com/2023 TO ATTEND THIS WORKSHOP (i.e. this session cannot be reserved with Sched)
-----
Welcome to the world of Android Hacking! This is a hands-on workshop designed to introduce you to the knowledge, tools and techniques for identifying, analyzing and exploiting vulnerabilities in Android applications.
-----
The workshop will start by covering the basic concepts of Android applications, walk you through industry standard tools and techniques and then let you experiment on your own with our Android reverse engineering CTF! Come and hack with us! The workshop does not require any prior knowledge in Android or reverse engineering.

Requirements:
Laptop with 20+ GB of free disk space and 4+ GB RAM
macOS, Windows 7/8, or Ubuntu 12.x+ (64-bit operating system)
Administrative access on your laptop

Speakers

Maria Uretsky

Google
Maria Uretsky is the Tech Lead on the Android Vulnerability Rewards program at Google. Her passion is to break all the things before the bad actors do, to ensure they are kept out. During her 10+ years of software engineering and security work, she has been part of Google Cloud Security...

Kavia Venkatesh

Google
Kavia Venkatesh is a Technical Program Manager on the Android Security Team at Google, where she leads the execution of the Android Security Release Program, aka the Android Security Bulletin. Over the last 7+ years she has led numerous security initiatives of varied shapes and sizes...

Sajjad Arshad

Google
JJ is a Senior Security SWE at Google's Android Security & Privacy team where he is developing tools to fight abuse in Android with focus on JavaScript-based frameworks. He has also designed CTF challenges and helped organize GoogleCTF in the past 3 years. Before Google, he was a...

Olivier Tuchon

Google
Olivier Tuchon is a Security Engineer on the Android Vulnerability Research team. Olivier has been working at Google for almost 5 years; he started by chasing malware/PHA in the Play Store and in the wild (OffMarket), with a speciality in stalkerware. Now, Olivier looks for vulnerabilities...


Saturday April 22, 2023 12:30pm - 5:30pm PDT
AMC Theatre 10

1:30pm PDT

Cross Site Scripting 101
Are you new to web application security? Are you curious about XSS? Then this is the talk for you! Join us for a quick overview of XSS and a walkthrough of a 101 XSS challenge from this year's BSidesSF CTF.

Speakers

Niru Ragupathy

Security Engineer, Google / BSidesSF CTF
Niru is a tech lead manager on Google's Offensive Security team, where she oversees the program and works on red team exercises. She has run web application security workshops at BSidesSF, WiCys and Blackhoodie. In her free time she doodles corgis and writes CTF challenges.


Saturday April 22, 2023 1:30pm - 1:50pm PDT
Après Village (Embarcadero)

1:30pm PDT

What Does it Mean to Build a Proactive Security Culture in an Organization
If your company doesn't like your security team, then nothing else you do matters; you will never be successful. In this talk we'll share which strategies have worked exceptionally well for instilling a security culture within our company, and which have been colossal failures.

Speakers

Mukund Sarma

Chime
A Security generalist with hands-on experience in Application Security, Security Architecture, and Platform Security. I enjoy building security programs and I've had some experience doing so. I'm currently the Senior Director of Product Security at Chime. In this capacity, I oversee...

Arkadiy Tetelman

Chime
Hi there, I'm Arkadiy and I'm a security enthusiast with a passion for all things technical. My areas of expertise include application security, cloud security, reverse engineering, and detection & response. I've had the opportunity to share my knowledge and speak at conferences across...


Saturday April 22, 2023 1:30pm - 1:55pm PDT
AMC Theatre 15

1:30pm PDT

Catching the Phisherman
This talk will dive deep into the group behind what is currently the largest known credential harvesting campaign ever discovered. We will reveal how we discovered the campaign, how we determined its full impact, and the response of Social Media companies and Law Enforcement so far.

Speakers

Nick Ascoli

Foretrace
Nick Ascoli is a cybersecurity researcher and the founder and CEO of Foretrace, an External Attack Surface Management (EASM) solution. Nick has been a guest on the Cyber Wire podcast, and a speaker at GrrCON, Defcon Skytalks, Blackhat Arsenal, SANS, and B-Sides conferences on SIEM...

Aidan Raney

Full-stack web developer by day, cybercrime researcher by night.


Saturday April 22, 2023 1:30pm - 2:20pm PDT
AMC Theatre 13

1:30pm PDT

Hunting Supply Chain Threats Using Anomaly Detection
Come see a detailed case study of a supply chain incident and how it was detected by applying anomaly detection to cloud API logs.

Speakers

Craig Chamberlain

Uptycs
Craig has seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion, C-beams glittering in the dark near the Tannhäuser Gate. Craig is a longtime security researcher who has been to the places and done the kinds of things you would expect, most of which...


Saturday April 22, 2023 1:30pm - 2:20pm PDT
AMC Theatre 14

1:30pm PDT

Lessons Learned While Building a Privacy Operations Center at Headspace Health
How difficult will it be to build a Privacy Operations Center (POC) at a digital healthcare company? Not much, right? WRONG! This talk aims to share the best practices & challenges of building a POC that satisfies 150+ countries and complies with regulations such as HIPAA, GDPR, CCPA, etc.

Speakers

Shobhit Mehta

Security & Compliance Director, Headspace Health
Shobhit is the Security & Compliance Director at Headspace Health, an on-demand mental-health company in San Francisco, CA. Prior to Headspace Health, he worked for 11+ years in different facets of Security & Information Assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal...


Saturday April 22, 2023 1:30pm - 2:20pm PDT
AMC Theatre 12

2:00pm PDT

Tracking Meaningful Security Product Metrics
Many security teams struggle to quantify and demonstrate the value that they bring to their company. The right metrics are an effective way to communicate cross-functionally and can help your security organization demonstrate that you are both mitigating risk, and driving revenue growth.

Speakers

Leif Dreizler

Senior Engineering Manager, Semgrep
Leif Dreizler is an information security professional with over a decade of experience. He is currently leading two product engineering teams at Semgrep. Previously, Leif was a Senior Engineering Manager at Twilio Segment where his team was focused on building customer-facing security...



Saturday April 22, 2023 2:00pm - 2:25pm PDT
AMC Theatre 15

2:00pm PDT

HSMs in Plain Envelopes: A Code Signing Story
It’s been framed that open source developers didn’t prioritize security. But outdated mechanisms and burdensome costs need just as much attention. Mention "code signing" to any programmer who has done so, and you will see their soul slowly evaporate. And there's good reason to highlight why.

Speakers

Alexis Hancock

Director of Engineering, Public Encryption Projects, EFF
Alexis works to encrypt the web by managing the Certbot project on the Public Interest Technology team at EFF. She researches an intersection of issues on digital rights, encryption, and consumer technology. Deeply passionate about tech equity for all, she has been aiding activists...


Saturday April 22, 2023 2:00pm - 2:30pm PDT
Après Village (Embarcadero)

2:30pm PDT

Defining a Data Masking Framework at Scale
In this talk, we’ll explore tokenization and obfuscation as alternative data security techniques alongside conventional methods like encryption, and the challenges that need to be addressed when implementing a data security framework at scale.

Speakers

Sohini Mukherjee

LinkedIn
Sohini is a Senior Security Partner at LinkedIn. Sohini is a purple team evangelist and is also passionate about data security and cloud security. She spoke at BSidesSF 2020 and has also spoken at several other conferences.



Saturday April 22, 2023 2:30pm - 2:55pm PDT
AMC Theatre 12

2:30pm PDT

New Apps, Good Snacks: Effective Threat Modeling for New Territory
You’ve fostered good security culture in your eng org: great! But what happens when a team proposes a new and very different feature for new devices? We’ll walk through team education, explaining security to diverse audiences, and threat modeling something new in a way everyone can understand.

Speakers

Breanne Boland

Product security engineer - security partner, Gusto
Breanne Boland is a product security engineer with the Security Partnerships team at Gusto. Before moving into security, she was a site reliability engineer and an infrastructure engineer, working in healthcare and govtech. Prior to that, she was a professional writer, and she still...


Saturday April 22, 2023 2:30pm - 2:55pm PDT
AMC Theatre 15

2:30pm PDT

New Face, Who Dis? Recent Adversarial Approaches to Facial Recognition
While it has its potential benefits, facial recognition is eroding privacy. Thankfully, adversarial approaches are providing ways to protect this biometric in the real world.

We'll explore recent techniques and demonstrate an open-source mobile app that puts them in the hands of “normal” people.

Speakers

Mike Kiser

SailPoint
Mike Kiser is insecure. He has been this way since birth, despite holding a panoply of industry positions over the past 20 years—from the Office of the CTO to Security Strategist to Security Analyst to Security Architect—that might imply otherwise. In spite of this, he has designed...


Saturday April 22, 2023 2:30pm - 2:55pm PDT
AMC Theatre 13

2:30pm PDT

Certificate Transparency Logs: Roadmaps to Riches or Ruin?
Certificate Transparency Logs are an integral component of modern Web PKI, providing tamper-proof verification and authenticity of certificates issued by Certificate Authorities.

However, for bad actors, they can also provide a notification beacon for recon and a head start on finding a target.

Speakers

Nolan Reisbeck

Lead Software Engineer, Mastercard
Nolan has been a Platform Engineer at Mastercard Inc. for 2 years; prior to that he worked for a Telehealth startup and Major League Baseball Advanced Media/Disney in media streaming. He has a keen interest in security and modern DevSecOps practices in large cloud environments.



Saturday April 22, 2023 2:30pm - 3:20pm PDT
AMC Theatre 14

3:00pm PDT

Career Village - tales from a hiring manager
Learn from my experiences as a hiring manager about the do's and don'ts while interviewing, along with cases I've seen.

Speakers

Sacha Faust

Grammarly
Sacha Faust is a seasoned security leader who has worked for major tech companies like Microsoft, Lyft, and Amazon since the late 90s. He currently leads security engineering for Grammarly.


Saturday April 22, 2023 3:00pm - 3:20pm PDT
Après Village (Embarcadero)

3:00pm PDT

Life of a Bug (an insight on the GitHub bounty program)
GitHub's Bug Bounty and PSIRT teams partner to investigate security findings submitted by external researchers through our HackerOne bounty program. From triage to notification, this talk will include the roles of both teams and full incident response process with the walkthrough of a mock bug.

Speakers

Jeffrey Guerra

GitHub
Jeff Guerra is a Sr. Product Security Engineer at GitHub who enjoys bounties, application security, and much more. He is an avid advocate for vulnerability disclosure programs and the effectiveness and community engagement that comes with it. He's a curious and passionate security... Read More →

Caitlin Buckshaw

GitHub
Caitlin Buckshaw is a Product Security Engineer at GitHub. With over a decade of experience in the IT/Security domain, she has channeled her skills into product security and incident response in recent years. Her mission is to employ a data-driven approach, along with an emphasis... Read More →


Saturday April 22, 2023 3:00pm - 3:25pm PDT
AMC Theatre 15

3:00pm PDT

NLP for security log analysis: Learning to crawl before you run
Large language models are changing the landscape of natural language processing, but where does security lie on the NLP paradigm? This work covers the effective use of NLP for security analysis. We give a general overview and specifically focus on the use of “embeddings” for insider threat detection.

Speakers

Arjun Chakraborty

Databricks
Arjun Chakraborty is a staff detection engineer at Databricks. He works on building out the security analytics platform which enables the use of machine learning to detect security threats. He previously worked as a machine learning engineer at Nvidia where he built machine learning... Read More →


Saturday April 22, 2023 3:00pm - 3:25pm PDT
AMC Theatre 12

3:00pm PDT

The History of Ransomware: From Floppies to Droppers, and Beyond
Modern ransomware has become synonymous with some of the most devastating cyber attacks of our time. 30 years ago, however, ransomware was born as a wild scheme, devised by a man armed with 10,000 floppy disks and a virus. How has ransomware evolved since, and what can this strange history teach us?

Speakers

Eliad Kimhy

Akamai Security Research
Eliad is the head of Akamai Security Research CORE Team guiding the development of the Akamai Security Research work. He was one of the creators and producers of the podcast Malicious Life which tells stories from the history of cybersecurity, and has a deep passion for the untold... Read More →


Saturday April 22, 2023 3:00pm - 3:25pm PDT
AMC Theatre 13

3:30pm PDT

Hackers Don't Care About Scope
Companies are running bug bounty and VDP programs, but often they are doing so with a very small scope and applications with little to no functionality, creating a scope that prevents hackers from finding good vulnerabilities, when in reality adversaries and cybercriminals will continue to hack into your organization regardless of scope.

Speakers

Ben Sadeghipour

VP of Research & Community, Ben Sadeghipour aka NahamSec is an ethical hacker and content creator.
Ben is a hacker and content creator. He has helped identify over 1000 vulnerabilities in companies like Amazon, Apple, Airbnb, Snapchat, Lyft, and more! Prior to becoming a full time content creator, he worked as a community and education executive at companies such as Hadrian and... Read More →


Saturday April 22, 2023 3:30pm - 3:50pm PDT
Après Village (Embarcadero)

3:30pm PDT

Overwatch: A serverless approach to orchestrating your security automation
We've gleaned many benefits from shifting security left, but some problems it has brought upon security teams include managing a plethora of CI files, or actively maintaining infra across a lean team. To simplify this we built Overwatch, our serverless security orchestration approach written in Go.

Speakers

Sanchay Jaipuriyar

Chime
Sanchay Jaipuriyar is a Senior Security Engineer at Chime, where he spends most of his time working on security engineering problems to creatively eliminate classes of security issues at scale. You'll regularly find him writing code, tinkering with new technologies, researching... Read More →


Saturday April 22, 2023 3:30pm - 3:55pm PDT
AMC Theatre 15

3:30pm PDT

FAIR STRIDE - Building Business Relevant Threat Models
Have you ever wondered what the ROI is on a security control? Or whether you should spend time fixing 2 highs or 47 mediums? FAIR STRIDE is a method for creating application threat models that can answer these questions to help define a roadmap towards scalable risk reduction for a product.

Speakers

Arthur Loris

Ping Identity
Arthur started his career as a developer before transitioning to the security space, contributing to both infrastructure and application security teams. Most recently, he moved into a leadership position. Arthur holds a bachelor’s degree in mathematics from the University of Colorado... Read More →


Saturday April 22, 2023 3:30pm - 4:20pm PDT
AMC Theatre 12

3:30pm PDT

You lost data, unfortunately… Who will knock on your door and why?
In this session, speaker will start with the data types, hacks and then move on to stakeholders, external subjects, jurisdiction boundaries and government agencies that you need to deal with if a security incident occurs.
This session will check the process and interested parties for key industries.

Speakers

Gopi Ramamoorthy

Symmetry Systems, Cyberventure.org
Gopi Ramamoorthy is a technology leader, strategic thinker and problem solver. He has worked for 10 years in Fintech, managed Security Compliance for 3 business units in Fiserv, worth of $350 billion in... Read More →


Saturday April 22, 2023 3:30pm - 4:20pm PDT
AMC Theatre 14

3:30pm PDT

Detection as Code: The Engineering-Focused Future of Detection and Response
It's time to retire the traditional SOC model of staffing reactive teams, throwing alerts generated by black boxes at them, and hoping it provides security return. Instead, hear how teams are using engineering-first principles to build scalable, noise-cutting threat detection programs that work.

Speakers

Jackie Bow

Head of Detection and Response, Asana
A Jackie-of-all-trades, master of some, Jackie seems to be physically unable to stop returning to threat detection and response. Her 10+ years in the industry have been spent in malware analysis, reverse engineering, and infrastructure and product security. She has been an analyst... Read More →

Julie Agnes Sparks

Brex
Julie Agnes Sparks is a Detection & Response Engineer at Brex, with specialties in detection systems engineering, threat detection creation, and incident response. She is passionate about educating, mentoring, and bringing together people within the Detection & Response fields and... Read More →

Jessica Rozhin

Brex
Jessica manages the Security Operations Team at Brex and is still in the process of writing her fancy sounding bio.

Louis Barrett

Product Security Lead, Artificial Intelligence, Scale AI
Pioneering new frontiers in security, Louis Barrett is a seasoned expert with over a decade in the field. As a full-stack security researcher, he's not just keeping pace with the industry; he's setting the rhythm. Now at Scale AI, he's applying groundbreaking methods to secure the... Read More →


Saturday April 22, 2023 3:30pm - 4:20pm PDT
AMC Theatre 13

4:00pm PDT

Hiring and Interviewing as Security Engineers
A look at interviews from both sides. Having spent a decade interviewing & hiring for Databricks, Facebook, Palo Alto Networks and startups in US, EMEA, APAC, I will share how to hire with reduced bias and how to maximize your interviews for different security roles like software engineer, security analysts, incident responders and leadership.

Speakers

Arpita Biswas

Databricks
Sr Mgr, Security Incident Response, Databricks. Experienced security leader on establishing security & privacy incident response, compliance processes, large scale cloud & enterprise security and detection solutions. Areas of interest include detection and response, cloud security... Read More →


Saturday April 22, 2023 4:00pm - 4:20pm PDT
Après Village (Embarcadero)

4:00pm PDT

When is a vulnerability not a vulnerability? Overcoming the inundation of noisy supply chain security alerts
This talk presents a counterintuitive approach to strengthening security: one that ignores over 90% of security vulnerability alerts. Using specific examples, it illustrates how orgs can ignore alerts with high confidence, and how this enables a marked shift in security workflows and behavior.

Speakers

Adam Berman

Head of Semgrep Supply Chain, Semgrep
Adam Berman is Head of Semgrep Supply Chain. In this role, he focuses on developing new products to help security teams work hand-in-hand with developers and scale their security programs. Previous to Semgrep, Adam led the engineering team for Meraki Insight at Cisco Meraki. Adam... Read More →


Saturday April 22, 2023 4:00pm - 4:25pm PDT
AMC Theatre 15

4:30pm PDT

Container vuln management with (hopefully) minimal burnout
In a microservice architecture, it's difficult to tell if a service's vulnerability was inherited from a base image (most cases) or introduced by the service itself. This talk shows how we used a graph approach to know precisely how to fix our vulns across 1000+ services at Lyft.

Speakers

Alex Chantavy

Software Engineer, Lyft
Alex Chantavy is a proudly homesick Hawaii boy who works as a Software Engineer at Lyft and maintains an open source graph tool called cartography. In previous roles, he's worked as a red teamer at Microsoft and as a [REDACTED] for the Department of Defense.


Saturday April 22, 2023 4:30pm - 4:55pm PDT
AMC Theatre 15

4:30pm PDT

Red Team Tales - 7 Years of Physical Penetration Testing
Never before told stories of some of the most exciting pentests of my physical security career. Learn new bypasses, Social Engineering pretexts, and unbelievable ways to defeat security.

Speakers

Justin Wynn

Coalfire
Justin Wynn is a Principal at Coalfire who specializes in physical security and regularly performs network, application, wireless, and social engineering penetration tests. You may be familiar with his wrongful arrest while testing courthouses in Iowa. He's keynoted conferences and... Read More →


Saturday April 22, 2023 4:30pm - 5:20pm PDT
AMC Theatre 13

4:30pm PDT

Sleeping With One AI Open: An Introduction to Attacks Against Artificial Intelligence and Machine Learning
AI-based solutions influence us and our society - often without our awareness - making decisions that can change the course of our lives. Despite the level of trust that we place in ML algorithms, these systems can be exploited. We present a taxonomy of attacks on ML and show how they work.

Speakers

Eoin Wickens

Technical Research Director, HiddenLayer
Eoin Wickens is the Technical Research Director - Field at HiddenLayer, where he both researches and speaks about security for artificial intelligence and machine learning. He has previously worked in threat research, threat intelligence and malware reverse engineering and has been... Read More →

Marta Janus

HiddenLayer
Marta is a Principal Researcher at HiddenLayer, where she focuses on investigating adversarial machine learning attacks and the overall security of AI-based solutions. Before joining HiddenLayer, Marta spent over a decade working as a security researcher for leading anti-virus vendors... Read More →


Saturday April 22, 2023 4:30pm - 5:20pm PDT
AMC Theatre 12

4:30pm PDT

To Normalized Logs, and Beyond - Building a Threat Detection Platform from Scratch
You’ve been asked to build out a threat detection platform from scratch - now what? Join us for a deep dive on building a scalable and lean detection pipeline. We’ll show how to automate data ingestion, use detections-as-code, filter data, and more to build a serverless platform to detect threats.

Speakers

David Levitsky

David is a security practitioner and builder at heart, with a passion for all things related to the cloud. He is a firm believer that security is a data problem, and he strives to build high-quality infrastructure and services to support secure-by-default configurations and threat... Read More →

Brian Maloney

Benchling
Brian has built a long career as an infrastructure expert with a passion for security. This has led him to many opportunities to work as an engineer and leader building infrastructure for general use, as well as working to build systems that directly support security use cases. In... Read More →


Saturday April 22, 2023 4:30pm - 5:20pm PDT
AMC Theatre 14

5:00pm PDT

Scalable security: how to win friends and not burn out everyone
Brandon and Eric have been involved in numerous security efforts over the last 5 years at Google. Some successfully, others… less so. Hear lessons learned scaling processes for lots of users, pissing off as few coworkers as possible, and (when we’re lucky) doing a little bit of security.

Speakers

Eric Chiang

Google
Eric is a Senior Software Engineer in Google’s Security org, where he leads management of Google’s internal network ACLs. He’s previously worked on a range of topics, including Linux fleet security, device hardware attestation, and Kubernetes auth. Eric is a Bay Area native... Read More →


Saturday April 22, 2023 5:00pm - 5:25pm PDT
AMC Theatre 15

5:30pm PDT

Happy Hour
Once the last talks of the day are done, join us in the Bar and Chill Out
Space to celebrate a successful day one of the event!

Sponsors

Ory

Happy Hour


Saturday April 22, 2023 5:30pm - 6:30pm PDT
Participation Hall

6:30pm PDT

Party
After the last couple of years, we could all use some fun! This year’s party will be a summer time affair complete with food, drinks, music, and great conversation. Head to the bar to try one of the party’s signature cocktails. Or join in on the yard games which will include corn hole, lawn dice, and ladder toss. Or stop by one of the two photo booths for photos to commemorate this year’s event!

Sponsors
Lacework


Saturday April 22, 2023 6:30pm - 9:30pm PDT
Participation Hall
 
Sunday, April 23
 

9:00am PDT

Breakfast
Sunday April 23, 2023 9:00am - 10:00am PDT
Participation Hall

9:00am PDT

Coffee
Sponsors

Opal

Espresso and Coffee

Sprinkles

Espresso and Coffee

Tailscale

Espresso and Coffee, Lanyard


Sunday April 23, 2023 9:00am - 3:00pm PDT
Participation Hall

9:00am PDT

Capture the Flag
The CTF is back! As always, everyone is welcome to participate as the competition features a range of challenges at all difficulty levels. In case you find yourself in need of assistance, we have folks onsite who can provide hints and guidance. All that is needed to participate is a laptop.

The server is available all weekend long, and anyone is welcome to play. Server information is at https://bsidessf.org/ctf

At least one player must be onsite to claim any prizes won.

Sponsors

Socket

Capture The Flag


Sunday April 23, 2023 9:00am - 5:00pm PDT
Twin Peaks

9:00am PDT

Info Desk
Got a question or comment about the event? Drop by the information desk and chat with us.

Sunday April 23, 2023 9:00am - 5:00pm PDT
Lobby

9:00am PDT

Prayer & Mother's Room
Need a quiet place for meditation or mothering duties? Ask at the Info Desk, and we can guide you to a private location.

Sunday April 23, 2023 9:00am - 5:00pm PDT
Lobby

9:00am PDT

Registration
Sunday April 23, 2023 9:00am - 5:00pm PDT
Mezzanine (AMC)

9:00am PDT

Sponsors
Visit the sponsor booths that line the walls of the Participant Hall and learn more about the companies that have made this year’s event possible. You’ll be introduced to new products, services, and career opportunities. At each booth you can also obtain one of the stamps you need to complete your Sponsor Passport (which can be found in the bag you received at registration).

Sunday April 23, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Badge Village
Badge Village is an interactive experience for all your badge tinkering, programming, and competitive CTF tournaments using a specially designed badge for BSides SF. Join us to learn how to program the chips at your own pace or if you prefer outpacing the world, we have the badge CTF contest too! Each correct flag unlocks the badge features and gives you bragging rights. Badge CTF is based on variety of domains including but not limited to cryptography, steganography, and OSINT challenges.

Attendees will utilize laptops to either learn to program the chips using guided tutorials. Or play badge CTF and try to ace it within record time. The village welcomes anyone and everyone who wants to learn or show off their impeccable CTF skills to make their own piece of creativity with a coveted BSides SF souvenir.

There is a limited number of badges available! There are 2 ways to obtain a hardware village BSidesSF badge: be one of the first 300 to collect a badge at the village, or pre-order your badge (limited stock only) to guarantee you receive one, and pick it up at the village during the conference.

Brought to you by Hackerwares

Sponsors
GitGuardian

Tessian

Village


Sunday April 23, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Bug Bounty Village
Bug Bounty Village is dedicated to helping bring web application security engineers, hackers, and security enthusiasts together by providing talks, workshops, and CTFs!

Bug Bounty Village is organized by NahamSec

Sponsors
GitGuardian

Tessian

Village


Sunday April 23, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Career Village
Career Village aims to help attendees navigate a career in cybersecurity and to connect with hiring managers.

At the village, you will have the opportunity to learn about professional branding, resume building, interview best practices, and meet security hiring managers looking to grow their teams.

The Career Village will have recruitment and security experts who have helped people ranging from professionals new to security to security executives continue their career journey.

Sponsors
GitGuardian

Tessian

Village


Sunday April 23, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Cloud Village
As more of the world onboards itself onto cloud infrastructure, staying at par with new offensive/defensive research or techniques becomes a mandatory skillset. Cloud Village is an open space to meet folks interested in offensive and defensive aspects of cloud security.

Sponsors
GitGuardian

Tessian

Village


Sunday April 23, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Crypto & Privacy Village
Crypto & Privacy Village helps bring cryptography & privacy knowledge to the hacker community.
Learn how to secure your own systems while also picking up some tips and tricks on how to break classical and modern encryption. The CPV features workshops and lightning talks on a wide range of crypto and privacy topics from experts. We’ll also have an intro to crypto talk for beginners, some crypto-related games, puzzles, and challenges.

Sponsors
GitGuardian

Tessian

Village


Sunday April 23, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Day of Shecurity
Day of Shecurity Village promotes gender diversity in cybersecurity. In partnership with Secure Diversity, we seek to support diversity in cybersecurity through upskilling, career training, and access to jobs for candidates who are new to security. We invite you to check out our Village to learn more about entering the industry of cybersecurity and upskilling for current industry professionals.

Sponsors
GitGuardian

Tessian

Village


Sunday April 23, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Electronic Frontier Foundation (EFF)
The Electronic Frontier Foundation is the leading nonprofit defending online civil liberties. We promote digital innovation, defend free speech, fight illegal surveillance, and protect rights and freedoms for all as our use of technology grows.

EFF's village will be a place for attendees to come and chat with EFF staff about the latest in their digital rights. Attendees can also donate to EFF and become a member, or even purchase some of our latest gear, including t-shirts and stickers.

Sponsors
GitGuardian

Tessian

Village


Sunday April 23, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

IoT Village
IoT Village advocates for advancing security in the Internet of Things (IoT) industry by bringing researchers and industry together. IoT Village hosts talks by expert security researchers, interactive hacking labs, live bug hunting in the latest IoT tech, and competitive IoT hacking contests. Over the years IoT Village has served as a platform to showcase and uncover hundreds of new vulnerabilities, giving attendees the opportunity to learn about the most innovative techniques to both hack and secure IoT. IoT Village is organized by the security consulting and research firm Independent Security Evaluators (ISE).

Sponsors
GitGuardian

Tessian

Village


Sunday April 23, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Lockpick Village
Lockpick Extreme and TOOOL SF are back once again hosting Lockpick Village. Learn to lockpick from the TOOOL SF volunteers or practice what you already know with their assortment of locks and picks. When you’re done, you can shop the Lockpick Extreme pop-up shop and take your new hobby home with you.

Sponsors
GitGuardian

Tessian

Village


Sunday April 23, 2023 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Bar and Chill Out
Take a break from the day’s events with a stop at the Bar and Chill Out Space. Two complimentary drink tickets were provided to you at registration. We already paid for them, so please use them!

Sunday April 23, 2023 9:00am - 5:30pm PDT
Participation Hall

9:00am PDT

Lounge
Enjoy the SF skyline from the Lounge. Located on the patio next to the tent, the Lounge includes comfortable places to rest and relax as well as lawn games to play.

Sponsors

Slack

Lounge


Sunday April 23, 2023 9:00am - 5:30pm PDT
City View Terrace

9:00am PDT

T-Shirt Sales
Pick up pre-purchased event t-shirts and purchase t-shirts for the current and previous years. Please note, we have limited t-shirt quantities.
Proceeds benefit three charities (which charities are TBD). You select 1 of the 3 charities we've selected by voting and we donate to all of the charities based on the vote percentages.

Sunday April 23, 2023 9:00am - 5:30pm PDT
Coat Check

9:00am PDT

Coat Check
Sponsors

Netflix

Coat Check


Sunday April 23, 2023 9:00am - 7:00pm PDT
Coat Check

10:00am PDT

Opening Remarks
Opening Remarks from Reed Loden, Lead Organizer of BSidesSF

Speakers

Reed Loden

VP of Security, Teleport
Reed Loden is the Vice President of Security at Teleport, a technology company that helps organizations securely access their infrastructure. He is an information security expert, researcher, hacker, and developer. Reed brings 15+ years of security experience to his role at Teleport... Read More →


Sunday April 23, 2023 10:00am - 10:10am PDT
AMC Theatre 13

10:00am PDT

Outpwn: Gamified, Card-Based Cyber Warfare
Event locked in Sched to limit confusion. See registration to determine current session availability.
YOU ARE REQUIRED TO REGISTER AT https://bsidessf.regfox.com/2023 TO ATTEND THIS WORKSHOP (i.e. this session cannot be reserved with Sched)
-----
We will explore phishing attacks, software supply chain attacks, and Kubernetes credential exfiltration attacks in a way that demonstrates how these concepts build on each other.
-----
This workshop will utilize a rogue-like deck-building game that I have built with the sole intention of teaching cybersecurity principles and the steps of the cyber kill chain. We will explore phishing attacks, software supply chain attacks, and Kubernetes credential exfiltration attacks in a way that demonstrates how these concepts build on each other.

Attending this workshop allows all participants to get their hands dirty in performing various forms of cyberattacks--no prior experience is required.

Requirements:
Bring a laptop or mobile device


Sunday April 23, 2023 10:00am - 12:00pm PDT
AMC Theatre 10

10:10am PDT

Hacking Policy and Policy Hacking - A Hacker Guide to the Universe of Cyber Policy
Cybersecurity Policy has transformed our industry. Cyber is perhaps the most emerging domain of the law, with strategies, regulations, and standards constantly emerging, globally. This domain also serves as an amazing opportunity for you to explore new paths, and opportunities, to drive impact at scale and collaborate with the hacker ecosystem to drive better policies, and better security – that advance all users. This talk invites the audience to explore the latest trends in cyber policy globally, focusing on areas with broad impact on the community – such as secure development, workforce, vulnerability disclosure, product security, and anti-hacking laws. We will cover the latest developments from the National Cyber Security Strategy to the EU Cyber Resilience Act – and introduce the audience to the world of policy hacking, and policy “hacking”. We will cover case studies and tools available to each of you, starting today. And since this is a journey into new spaces, you should also expect some surprises as we embark on this journey! Are you ready for lift off?!

Featuring guest speaker: Harley Geiger

Speakers

Dr. Amit Elazari

Intel / UC Berkeley
Dr. Amit Elazari is Head of Cybersecurity Policy at Intel, Lecturer at UC Berkeley and Reichman University, Israel, and an External Advisor for the Center for Long-Term Cybersecurity, UC Berkeley. She also Chairs the Cybersecurity Committee for the Information Technology Industry Council... Read More →


Sunday April 23, 2023 10:10am - 11:00am PDT
AMC Theatre 13

11:05am PDT

HALT AND CATCH FIRE: Social Engineering CTFs for fun to a job as a Professional Red Team Social Engineer
HCF. Reboot. - Coming from Social Engineering Competitions to Social Engineering in the context of a consulting engagement, a lot of tactics and strategies had to be torn down and rebuilt. While the contests were fun and seemingly glamorous, the reality of SE for money was much different.

Speakers

Alethe Denis

Senior Security Consultant, Bishop Fox
https://alethedenis.com


Sunday April 23, 2023 11:05am - 11:30am PDT
AMC Theatre 15

11:05am PDT

Protecting Pinner Passwords
Passwords are problematic; it is therefore no small feat to work against password issues to provide a secure, enjoyable Pinterest experience. In this talk, we will dive into a few of the techniques we employ in order to accomplish this.

Speakers

Aalaa Kamal Satti

Pinterest
Software engineer on Pinterest's product security team.

Yuru Shao

Pinterest
Software engineer at Pinterest working on product security.


Sunday April 23, 2023 11:05am - 11:30am PDT
AMC Theatre 14

11:05am PDT

You don’t have to patch!
This talk puts the finger on one of the most significant struggles that security professionals have: nobody patches fast enough. We’ll explain why and present the numbers. We present the use of sandboxing and isolation, combined with patching as a more effective defense strategy.

Speakers

Pedro Fortuna

JSCRAMBLER
Once on a trajectory to a full academic career, where he taught security and computer science courses for about 5 years, he ended up falling in love with the fast-paced world of entrepreneurship. He started Jscrambler, where he leads all security research and drives the company's product... Read More →

Jasvir Nagra

None, Technical Advisor to Jscrambler
Jasvir Nagra is widely recognized as a thought leader in software protection. He is co-author of Surreptitious Software, the definitive textbook on software protection, and an early researcher in obfuscation, software watermarking, and fingerprinting. With more than 12 years of experience... Read More →


Sunday April 23, 2023 11:05am - 11:30am PDT
AMC Theatre 12

11:10am PDT

What I learned about security working minimum wage at Hollywood Video
As a teenager in the late 90s, I learned a lot about what to do (and what not to do) to manage security from working at Hollywood Video, where merchandise and other resources were stolen constantly. In this talk, I'll go over my personal experiences and how to relate it to security management.

Speakers

Ben Schmerler

Independent Security Evaluators
Ben Schmerler has been helping people manage cybersecurity risks for over a decade. His experience ranges from consulting clients on security risk management, to vulnerability testing, to security awareness and more. He now works with Independent Security Evaluators as Senior Solutions... Read More →


Sunday April 23, 2023 11:10am - 11:30am PDT
Après Village (Embarcadero)

11:10am PDT

Take The Helm: Guidance For Prospective Future CISOs
For the security professionals with their sights set on leading security for an organization: this panel is for you. Come hear from a group of first time CISOs and Heads of Security on choosing the right time, preparing, pursuing, landing, and succeeding in your first role owning security all up.

Speakers

Kyle Tobener

VP, Head of Security, Copado
Kyle Tobener is a VP and Head of Security for the DevOps startup Copado. He began his professional career as a zoologist but fled the jungle to return to San Francisco and focus on tech. He loves application security, third party risk management, and building security programs from... Read More →

Emre Sağlam

Head of Security and Compliance, Dremio Corporation
Emre Sağlam is the Head of Security and Compliance for the Open Data Lakehouse startup Dremio. He started his security journey by being curious about how things work and how to make them work to his benefit. He focuses on all aspects of security from network stack to human stack... Read More →
Divya Dwarakanath

Snap Inc.
With over 12 years of experience in the Infosec industry, Divya currently oversees multiple security teams at Snap. During her leisure time, you can find her unwinding on the beach or enjoying her favorite delivered food while catching up on a movie.
Arianna Willett

ngrok
Arianna Willett runs security and privacy at ngrok, an API-first ingress as a service platform. Over the course of her career, she has created and worked on security teams for companies ranging in size from Fortune 200 to startups.
Katie Ledoux

Attentive
Katie Ledoux is the CISO at Attentive where she oversees information security and IT. She previously built the security program at analytics unicorn Starburst Data, and spent many years at security SaaS vendor Rapid7. She obtained her undergraduate degree from Villanova University...


Sunday April 23, 2023 11:10am - 12:00pm PDT
AMC Theatre 13

11:35am PDT

Designing consumer account recovery in a 2FA world
WebAuthn is great until the user gets locked out. Humans are, well, human after all; so what happens when a user upgrades their phone or loses their device? This talk will show how to accommodate account recovery when the user has 2FA enabled while minimizing account takeover and support overhead.

Speakers
Kelley Robinson

Security Developer Advocate, Twilio
Kelley works on the Account Security team at Twilio, helping developers manage and secure customer identity in their software applications. Previously she worked in a variety of API platform and data engineering roles at startups. Her research focuses on authentication user experience...


Sunday April 23, 2023 11:35am - 12:00pm PDT
AMC Theatre 14

11:35am PDT

Security Compliance as Code
Security compliance frameworks such as SOC 2, ISO 27001, and PCI DSS are often perceived as a burden by engineering and operations teams within organizations, but at the same time they are a must-have for an organization to be an industry leader and to ensure customer trust is upheld.

Speakers
Rahat Sethi

Adobe
Rahat Sethi is the Director of the Technology Governance, Risk, & Compliance (GRC), where he leads a global compliance team responsible for managing security compliance and certifications for all Adobe enterprise offerings. Rahat is the co-author of the Common Controls Framework...


Sunday April 23, 2023 11:35am - 12:00pm PDT
AMC Theatre 12

11:35am PDT

Windows 11 At Your Service
Win 11 ships with a nifty feature which lets users automate mundane processes. Users can build custom processes and hand them to Microsoft, which in turn ensures they are distributed to all user machines, executed successfully, and reported back to the cloud. You can probably see where this is going...

Speakers
Michael Bargury

CTO, Zenity
Michael Bargury is a security researcher passionate about all things related to cloud, SaaS and low-code security, and spends his time finding ways they could go wrong. He is the Co-Founder and CTO of Zenity, where he helps companies secure their low-code / no-code apps. In the past...


Sunday April 23, 2023 11:35am - 12:00pm PDT
AMC Theatre 15

11:40am PDT

Cameras, CACs & Clocks: A Story of Millions of Interrogated and Hacked xIoT Devices
We’ve unleashed our dark allies from the nightmare dimension on an unholy crusade to demonstrate cyberattacks for your enlightenment. If you love seeing devices compromised as much as we do, join us for a real hacking demonstration, detailed security research findings, and threat mitigation techniques that will disappoint bad actors.

Speakers
John Vecchi

Phosphorus
As Chief Marketing Officer at Phosphorus Cybersecurity, John's achieved more than 25 years of experience in high-tech security marketing, strategy, product marketing, product management, and consulting. A serial CMO and security visionary, he has helped build and lead some of the...


Sunday April 23, 2023 11:40am - 12:00pm PDT
Après Village (Embarcadero)

12:00pm PDT

Lunch
Sunday April 23, 2023 12:00pm - 1:30pm PDT
Participation Hall

12:30pm PDT

Sponsor Raffle
Complete your Sponsor Passport (which can be found in the bag you received at registration). Drop your completed card into the Sponsor Passport raffle box located within Twin Peaks to be entered into the raffle. Winners will be announced at 12:30pm each day (must be present to win).

Sunday April 23, 2023 12:30pm - 1:00pm PDT
Participation Hall

12:30pm PDT

Space Intruders: A Practical Guide to Building (& Maintaining) Your Cyber Threat Profile
Event locked in Sched to limit confusion. See registration to determine current session availability.
YOU ARE REQUIRED TO REGISTER AT https://bsidessf.regfox.com/2023 TO ATTEND THIS WORKSHOP (i.e. this session cannot be reserved with Sched)
-----
Which threats matter most to my organization? This session will give participants the foundation to confidently address this question by providing practical, immediately-applicable guidance on building, refining, and maintaining cyber threat profiles tailored to their organizations, helping drive defensive prioritization.
-----
Which threats matter most to my organization? A common question from security leadership, but not an easy one to answer, especially on the fly. This session will give participants the foundation to confidently address this question by providing practical, immediately-applicable guidance on building, refining, and maintaining cyber threat profiles tailored to their organizations, helping drive defensive prioritization. We’ll peel back the cover on a discipline once reserved for highly-resourced teams, showing how members of virtually any security function (not just dedicated CTI or risk analysts) supporting programs across maturity levels can build accurate threat profiles using publicly-accessible community resources. We will focus our case study on building a realistic profile for a hypothetical aerospace company/manufacturer.

Often considered a buzzword, threat profiling is in fact a powerful capability that allows security teams to proactively address threats with confidence, while de-escalating would-be “fires” that may in fact not pose major risks, providing teams clearer focus and giving them back (at least a little) control over both short- and long-term priorities. However, adoption of this discipline has been limited by misconceptions and a lack of awareness on where to start, where to find reliable sources, and how to apply the end-product. Drawing on the presenters’ deep experience advising security programs across the maturity spectrum, we will arm attendees with the following resources and repeatable processes, enabling them to turn a buzzword into an achievable goal and quickly start realizing the value of threat profiling for security prioritization:

A simplified approach to building a tailored yet repeatable threat profile
Reliable, publicly available sources for informing a cyber threat profile
Real-world applications of community resources that allow you to take action on your threat profile
Guidance on quantification and potential automation opportunities

Prerequisites: Laptops with internet connection will be useful for participants who want to follow the exercise’s steps live. Familiarity with spreadsheet data analysis and cyber adversaries will be beneficial but is by no means required.

Speakers
Scott Small

Director of Cyber Threat Intelligence, Tidal Cyber
Scott Small is a security & intelligence practitioner and expert in cyber threat intelligence & threat modeling, open source research & investigations, and data analysis & automation. He currently serves as Director of Cyber Threat Intelligence at Tidal Cyber. Scott has advised enterprise...


Sunday April 23, 2023 12:30pm - 2:30pm PDT
AMC Theatre 10

1:30pm PDT

Scraping after HiQ Labs v. LinkedIn
Learn about some of the recent legal developments in relation to scraping and the factors that have affected its legality.

Speakers
Hannah Zhao

Electronic Frontier Foundation
Hannah is a staff attorney who focuses on criminal justice and privacy issues, and is part of the Coders’ Rights Project. Prior to joining EFF, she represented criminal defendants on appeal in state and federal courts in New York, Illinois, and Missouri, and also worked at the human...


Sunday April 23, 2023 1:30pm - 1:50pm PDT
Après Village (Embarcadero)

1:30pm PDT

(Canceled) Malware Hunting - Discovering techniques in PDF malicious
This talk has been canceled by the presenter. We apologize for the inconvenience.

Sunday April 23, 2023 1:30pm - 2:20pm PDT
AMC Theatre 15

1:30pm PDT

Securing the Pipeline: Protecting Self-Hosted GitHub Runners
Organizations using GitHub Actions with self-hosted runners are at risk of attackers gaining an internal network foothold from the Internet if they compromise one developer’s personal GitHub access token. Key configuration adjustments can secure these pipelines and limit the damage from a breach.

Speakers
Adnan Khan

Praetorian
Adnan is a Lead Security Engineer at Praetorian. He currently works on Praetorian's Red Team conducting complex attacks against large enterprise networks. His current interests have focused on attacks leveraging compromised tokens for SaaS platforms. Before finding a passion for offensive...


Sunday April 23, 2023 1:30pm - 2:20pm PDT
AMC Theatre 12

1:30pm PDT

Sure, Let Business Users Build Their Own. What Could Go Wrong?
Business professionals are increasingly building their own applications with Low-Code/No-Code platforms. And so, enterprises are placing *developer-level power* in the hands of 100x *new* business developers. What could go wrong?

Speakers
Michael Bargury

CTO, Zenity
Michael Bargury is a security researcher passionate about all things related to cloud, SaaS and low-code security, and spends his time finding ways they could go wrong. He is the Co-Founder and CTO of Zenity, where he helps companies secure their low-code / no-code apps. In the past...


Sunday April 23, 2023 1:30pm - 2:20pm PDT
AMC Theatre 14

1:30pm PDT

The State of Blockchain Security - 2023 Edition
Annual in-depth review of the novel blockchain security field. In this talk you will hear a detailed analysis of major DeFi, exchange, and blockchain compromises, trends, and opportunities.

Speakers
Peter Kacherginsky

BlockThreat and Coinbase
Peter Kacherginsky is an active member of the Blockchain Security community where he presents at Defcon and other conferences. For the last three years he has been publishing a weekly Blockchain Threat Intelligence newsletter. Professionally he is working hard to make our ecosystem...


Sunday April 23, 2023 1:30pm - 2:20pm PDT
AMC Theatre 13

2:00pm PDT

Hacking the Hiring Process: Insider Tips for your InfoSec Job Search
Insider tips and tricks to level up your job search from a career security recruiter. From resume tips, networking advice, and LinkedIn profile reviews to interview suggestions, we will cover everything to make your job search easier, more efficient, and more effective.

Speakers
Zach Strong

Code Red Partners
Zach Strong is a Principal Security Recruiter at Code Red. He has a rich history of working with some of the most exciting companies across tech and brings expertise and empathy to security recruiting. He has spent his career working across cybersecurity - including leadership and...


Sunday April 23, 2023 2:00pm - 2:20pm PDT
Après Village (Embarcadero)

2:30pm PDT

Security Hiring Trends
I'll be covering the new FAANG companies, leaning into the chaos, what industries are paying the most, what skills are the hottest, and how to land the interview and pull in an offer.

Speakers
Erin Barry

Code Red Partners
Senior Manager at Code Red Partners where I help build security teams with some of the top companies and my favorite humans.


Sunday April 23, 2023 2:30pm - 2:50pm PDT
Après Village (Embarcadero)

2:30pm PDT

How Segment proactively protects customer’s API keys
Security teams spend a lot of time hardening their app, tracking suspicious sessions, and investigating phishing attempts. But what about API keys? Thousands of secrets are leaked every day on GitHub, and they can take the same actions as users. Learn how Segment is helping protect our users' API keys.

Speakers
Sal Olivares

Senior Software Engineer, Twilio
Sal Olivares is a senior software engineer at Twilio Segment where he builds both user facing and internal security features. He loves endlessly tinkering with his development tools and is always on the hunt for a new hobby.



Sunday April 23, 2023 2:30pm - 2:55pm PDT
AMC Theatre 14

2:30pm PDT

Advanced Attack Vectors in Azure Environments
Microsoft integrated Azure IaaS services and Office 365 products into one ecosystem, centralizing all permissions and roles. From the attacker's perspective, at least, this is also great. We’ll explain core concepts behind Azure and demonstrate a number of privilege escalation techniques.

Speakers
Zur Ulianitzky

XM Cyber
Zur Ulianitzky is an experienced information security researcher, skilled in red teaming and penetration testing. He has published groundbreaking research in the field of cloud security and red teaming with deep expertise in attack techniques from both an offensive and defensive perspective...
Bill Ben Haim

XM Cyber
Bill Ben Haim is an experienced information security researcher specializing in red teaming and penetration testing. Prior to joining XM Cyber, he worked at Anheuser-Busch InBev as the tech lead of their Internal Red Team group. Before that Bill worked at Ernst and Young as an information...


Sunday April 23, 2023 2:30pm - 3:20pm PDT
AMC Theatre 12

2:30pm PDT

Space and Cyberspace at the White House
The White House’s Office of the National Cyber Director (ONCD) is leading the charge on a range of cybersecurity issues for the nation, including space systems cybersecurity. ONCD will discuss its approach toward space and cybersecurity in line with the Biden-Harris Administration’s new National Cybersecurity Strategy.

Speakers
Tanya Simms

White House’s Office of the National Cyber Director (ONCD)
Tanya Simms is the Director for Cyber Policy and Programs at the White House’s Office of the National Cyber Director (ONCD), focusing on critical infrastructure and critical systems cybersecurity. She joins ONCD from the National Security Agency (NSA), where she has spent more than...
Lauryn Williams

White House’s Office of the National Cyber Director (ONCD)
Lauryn Williams is a senior advisor for strategy in the White House Office of the National Cyber Director (ONCD) and focuses on space systems cybersecurity. She joined ONCD from the Department of Defense, where she served in the Office of the Assistant Secretary of Defense for Space...


Sunday April 23, 2023 2:30pm - 3:20pm PDT
AMC Theatre 15

2:30pm PDT

The Best Defense is a Great Offense: Leveraging Automated OffSec to Build Proactive C2 Detections
Do you need comprehensive, rigorously-validated detections for evolving Command & Control (C2) threats? This talk is for you! Come learn about push-button C2 infrastructure that simulates complex attacker behaviors and high-fidelity signals useful for developing generalized detection capabilities.

Speakers
Sam Manzer

Meta
Sam started out his career by developing quantum chemistry software and earning a chemistry Ph.D. from UC Berkeley. He then spent several years as a software engineer, primarily building and securing online education platforms. After one of his applications went through an interesting...
Mike Parowski

Meta
Meta blue teamer developing proactive threat detections using network-layer heuristics. Watches lots of movies in this theater.


Sunday April 23, 2023 2:30pm - 3:20pm PDT
AMC Theatre 13

3:00pm PDT

The Big “P” Problem in Cybersecurity
More and more cybersecurity practitioners are considering powering-down their careers and leaving the field. Stacey will share her observations of what has caused people to reach this breaking point, and propose a solution of where to go from here.

Speakers
Stacey Champagne

Founder & CEO, Hacker in Heels
Stacey Champagne is a multi-disciplined expert in insider risk with experience conducting analysis, investigations, and program management at globally recognized Fortune 100 & 500 companies. She believes that inspiring vigilance and loyalty in employees—through a holistic approach...


Sunday April 23, 2023 3:00pm - 3:20pm PDT
Après Village (Embarcadero)

3:00pm PDT

Backup Plans for Your Backup Plans for Your Backup Plans
Business Continuity Planning (BCP) is important, but a single enactment of the BCP can increase the impact of other concurrent risks. In this talk, we address the risk that one business continuity event will increase the probability or impact of others, with examples from 🌜space 🌛.

Speakers
Margaret Fero

Latacora
Margaret Fero is an interdisciplinary hacker with interests ranging from technical writing to board games to corporate risk analysis to the ethics of Artificial Intelligence. They are the Engineering Manager of Corporate Security at Latacora, where they help startups at all stages...


Sunday April 23, 2023 3:00pm - 3:25pm PDT
AMC Theatre 14

3:00pm PDT

IR Workshop
Event locked in Sched to limit confusion. See registration to determine current session availability.
YOU ARE REQUIRED TO REGISTER AT https://bsidessf.regfox.com/2023 TO ATTEND THIS WORKSHOP (i.e. this session cannot be reserved with Sched)
-----
Today's DevOps world has new responsibilities added to the everyday engineer's existence. A developer often has to assist in incident response and threat hunts. Unfortunately, these skills are hard to learn and can come at a cost if they are done on the job during an event. TableTop/Online Workshop
-----
Today's DevOps world has several new responsibilities added to the everyday engineer's existence. For example, a developer must often assist in incident response and threat hunts. Unfortunately, these skills are hard to learn and can come at a cost if they are done on the job while an event is ongoing.

In this two-hour tabletop/workshop, we will examine a scenario where we are running multiple AWS services and being attacked by an outside threat. Exploring the use of a SIEM (Security Information and Event Management), we will demonstrate how it exposes critical related data to signal errant activity. After the workshop, the participant will come away with a topical understanding of the risks in any cloud deployment, incident response experience, and hands-on experience in using a SIEM and how to integrate it into your observability portfolio. We will leave the online lab portion of this workshop open after the workshop ends to give everyone more time to work independently.

Requirements:
Laptops

Speakers
Nathan Case

CISO, Corsha
Nathan Case is a successful executive and builder, pushing for change in security and the culture surrounding it. Leading strategic initiatives and the creation of new technologies in the healthcare, information technology and cloud industries, focusing on security. A passion for...


Sunday April 23, 2023 3:00pm - 5:00pm PDT
AMC Theatre 10

3:30pm PDT

Go Far Together: Building Your Squad
The House always wins...unless you work together! Let's discuss some practical methods to pull together a cohort of peers who will help each other succeed.

Speakers
Terry O'Daniel

Head of Security, Amplitude
Terry O’Daniel is the Head of Security at Amplitude. His specialty is building lean Security Engineering teams to solve complex challenges at scale via automation and telemetry, rather than compliance-by-spreadsheet. Before Amplitude, Terry built the functions for Security Risk...


Sunday April 23, 2023 3:30pm - 3:50pm PDT
Après Village (Embarcadero)

3:30pm PDT

Lost In Space: How to navigate Corporate Security as an Engineer
There's a whole new world outside of day-to-day Engineering. As a backend engineer turned security professional, I will share lessons learned such as navigating the rest of the company outside Engineering, how to communicate effectively with others, and how to make the most out of your new role.

Speakers
Maria Mora

Staff Application Security Engineer, SiriusXM
Maria Mora (they/them) is a Staff Application Security Engineer based in Unceded Ohlone Land (San Francisco, California). Engineering-wise, Maria has worked with various systems including monoliths, microservices, and in between. Among a variety of projects, they have worked with...


Sunday April 23, 2023 3:30pm - 3:55pm PDT
AMC Theatre 14

3:30pm PDT

Using machine learning to detect sensitive documents on SharePoint
Sensitive documents can pose an insider threat data exfiltration risk if permissions are set incorrectly on them. Our project uses machine learning (ML) models to help us detect various categories of sensitive documents. We will also discuss unique challenges when building ML models for security.

Speakers
Wilson Tang

Adobe
Cyber Security Data Scientist at Adobe


Sunday April 23, 2023 3:30pm - 3:55pm PDT
AMC Theatre 12

3:30pm PDT

Placeholder for Dayzzz
Support systems and live chat services use placeholders to make it easier for agents to reply to tickets. In this talk, learn how Rojan was able to identify vulnerabilities in numerous companies by abusing placeholders as a regular user to extract sensitive data of other users and more.

Speakers
Rojan Rijal

Ophion Security
Rojan Rijal is the founder of Ophion Security, a pentest and research focused firm. I like digging through source code for vulnerabilities and writing automation tools to help me in security assessments and vulnerability management. In my free time, I enjoy watching and playing soccer...


Sunday April 23, 2023 3:30pm - 4:20pm PDT
AMC Theatre 15

3:30pm PDT

First Security Hire: Building a security roadmap and team from scratch
With more early-stage companies looking to invest in building a security program and a culture of cybersecurity, we speak to industry experts who have been on this professional journey.

Speakers
Reed Loden

VP of Security, Teleport
Reed Loden is the Vice President of Security at Teleport, a technology company that helps organizations securely access their infrastructure. He is an information security expert, researcher, hacker, and developer. Reed brings over 15 years of security experience to his role at Teleport...
Tom Alcock

Partner and Founder, Code Red Partners
Tom has spent over 12 years in technical recruiting and consulting across Europe and North America. He is passionate about cybersecurity, diversity and inclusivity hiring. I am an experienced and passionate professional, who is keen...
Mike McBryde

Temporal
Mike McBryde is a seasoned security leader and Senior Staff level IC with 17 years of industry experience in early- & late-stage tech startups, public companies, and consulting. He is currently the Head of Security of Temporal Technologies, where he was the first security hire. Over...
Coleen Coolidge

CISO, Experienced Head of Security and CISO
Coleen Coolidge is a CISO in San Francisco, most recently serving as the CISO of Segment and Twilio for several years. Within the Bay Area SaaS community, she’s known for building mature and holistic security programs from scratch to protect customer data. Coleen is also very active...
Kevin Hanaford

Discord
Kevin is the Head of Security Engineering at Discord, a voice, video, and text communications platform that brings people together over shared experiences and gives everyone a place to belong. He is responsible for building and fostering a highly effective Security team and security-conscious...


Sunday April 23, 2023 3:30pm - 4:20pm PDT
AMC Theatre 13

4:00pm PDT

Building an Endpoint Security program from scratch
Do you have confidence in the security posture of the endpoints that access your internal resources? Join me to learn how to build an endpoint security program to reduce security risks your company faces through compromised endpoints and keep your organization and data safe from adversaries.

Speakers
Nishith Shah

Netflix
Nishith Shah is an information security professional with a decade of enterprise security experience at companies and education institutions like Netflix, Salesforce, Harvard, and Medallia. He currently leads the endpoint security program at Netflix and helps protect its endpoints...


Sunday April 23, 2023 4:00pm - 4:25pm PDT
AMC Theatre 14

4:00pm PDT

Launch Control - Automating a Security Baseline in the Cloud at Scale
In this talk, we’ll demonstrate how to seamlessly deploy cloud-native security controls across cloud environments, whether it’s 5 or 500 accounts. We’ll walk through designing and building a declarative configuration that enables an automated, self-healing, and repeatable security baseline.

Speakers
David Levitsky

David is a security practitioner and builder at heart, with a passion for all things related to the cloud. He is a firm believer that security is a data problem, and he strives to build high-quality infrastructure and services to support secure-by-default configurations and threat...
Olivia Hillman

Olivia is a security software engineer who seeks out opportunities to blend her passion for cloud security with her affinity for improving the developer experience. She has significant experience designing security workflows and infrastructure at a global scale, including the Apple...


Sunday April 23, 2023 4:00pm - 4:25pm PDT
AMC Theatre 12

4:00pm PDT

How to CTF Infra - Beyond the challenges and flags
You've decided to run a CTF and built some challenges! Congrats! How will users register or submit flags? How will you keep the scoreboard online? Let's talk about it.

Speakers
Max G

Cloud Ops for fun and profit


Sunday April 23, 2023 4:00pm - 4:45pm PDT
Après Village (Embarcadero)

4:30pm PDT

Disrupting Malicious Traffic with Egress Proxies
When external threat actors compromise a service, they often make network requests to download additional payloads and exfiltrate data. We’ll teach you how to detect and disrupt this malicious traffic by ensuring all traffic originating from your network is trusted via egress proxies.

Speakers
Dean Liu

Software Engineer, Lyft
Dean Liu is a Software Engineer at Lyft focusing on Security Infrastructure. Over 15 years of industry experience, passionate about building things that secure services at scale. Avid runner outside of work.


Sunday April 23, 2023 4:30pm - 4:55pm PDT
AMC Theatre 12

4:30pm PDT

Secret Hunting
Everyone knows storing secrets in your code is bad. But where are we supposed to store them? What do we do when we find one that has been compromised? Let’s talk about how to find secrets, rotate them, and then change our apps to manage and access them SAFELY.

Speakers
Tanya Janca

Head Nerd, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning community that revolves around teaching everyone to create secure software. Tanya has been coding...


Sunday April 23, 2023 4:30pm - 4:55pm PDT
AMC Theatre 13

4:30pm PDT

Using an mTLS Identity Provider to achieve Password-less auth, Device Health Attestation, and low Earth orbit
Pinterest has required the use of managed and compliant devices in our SSO flow, so that only known and healthy devices access our tools.

In this talk, we’ll share details about our custom identity provider, how we've implemented user facing mTLS, and a compliance framework to evaluate devices.

Speakers
Armen Tashjian

Pinterest
Armen Tashjian is a Corporate Security Engineer at Pinterest, focusing on employee authentication and device hardening. Before that, he was a Security Engineer at Yelp and SCE. Armen enjoys traveling, making pizza, and trying new foods. https://www.twitter.com/armentashjian


Sunday April 23, 2023 4:30pm - 4:55pm PDT
AMC Theatre 14

4:30pm PDT

MTV Reboot — my Super Sweet 16-bit malware ~*MS-DOS Edition*~ [TSR Remix]
This talk is a deep-dive analysis of MS-DOS malware with a reverse-engineering focus.
It covers the various infection/stealth/persistence techniques of notable samples, highlighting both the technical complexity and the flair for dazzling graphical displays in 16-bit DOS malware.

Speakers
Nika Korchok Wakulich

Leviathan Security Group
Nika (ic3qu33n) is a Security Consultant at Leviathan Security Group where she works on a range of penetration testing engagements, with a focus on hardware and embedded security. Outside of work, she combines her artistic practice (woodcut prints, painting, drawing, etc.) with her...


Sunday April 23, 2023 4:30pm - 5:20pm PDT
AMC Theatre 15

5:00pm PDT

How do you trust your open source software?
The OpenSSF Scorecard is an automated tool that assesses several important heuristics ("checks") associated with software security and assigns each check a score of 0-10. These scores help identify specific areas to improve in order to strengthen the security posture of a dependency.

Speakers
Naveen Srinivasan

OSS Contributor, Independent
Naveen Srinivasan is a contributor and maintainer of multiple OpenSSF projects, a member and contributor to the Sigstore organization, and a contributor to the SLSA code base. His contributions have earned him recognition with Google Peer Bonus awards in 2021 and 2022. He has consistently contributed to the open-source community for an extended period, with no gaps in activity for the past two years. In addition to his technical contributions, he is a sought-after speaker at conferences, discussing topics related to supply chain security and mitigating...
Brian Russell

Program Manager, Google
TBD


Sunday April 23, 2023 5:00pm - 5:25pm PDT
AMC Theatre 14

5:00pm PDT

Sandboxes all the way down - A hitchhiker's guide to platform containment
Modern sandboxes and isolation primitives are some of the coolest tech we have in security, but no one has the time to figure out how they work and how to use them. This talk is a whirlwind guide to containment tools you should have in your toolbox, when to use them, and how to get started.

Speakers
Tom DNetto

Tom is an Engineer at Tailscale with a penchant for all things security. Formerly at Google on the Platform Security team, he spends his daylight hours building safer systems and implementing secure networking, both within the product and as part of the larger ecosystem. Tom greatly...


Sunday April 23, 2023 5:00pm - 5:25pm PDT
AMC Theatre 12

5:00pm PDT

WebAuthn, Yubikeys, and You: What we wish we knew before rolling out WebAuthn for internal use
There’s a better way to MFA today: FIDO2/WebAuthn is a much better second factor (compared to TOTP or SMS) that our IdP, Okta, supports well. Hear Discord’s experience trying to elevate our company’s security posture and deploy WebAuthn to all users who do work for us, in any capacity, anywhere.

Speakers
Alex Toombs

Alex Toombs runs Platform Security at Discord, a voice, video, and text communications platform that brings people together over shared experiences and gives everyone a place to belong. Before that, he started the Security team at Alto Pharmacy after making the jump from fullstack...


Sunday April 23, 2023 5:00pm - 5:25pm PDT
AMC Theatre 13

5:30pm PDT

Closing Ceremony
We will be discussing the logistics and joys of organizing the event. Come hear how it all gets put together and who helps us out!

Speakers
Reed Loden

VP of Security, Teleport
Reed Loden is the Vice President of Security at Teleport, a technology company that helps organizations securely access their infrastructure. He is an information security expert, researcher, hacker, and developer. Reed brings over 15 years of security experience to his role at Teleport...


Sunday April 23, 2023 5:30pm - 6:30pm PDT
AMC Theatre 13