BSidesSanFrancisco 2020 Feb. 22, 2020 to Feb. 24, 2020, San Francisco, US

Title | Speakers | Summary
Opening remarks | Reed Loden | N/A
Keynote: Give Away Security’s Legos: Dumping Traditional Security Teams | Fredrick "flee" Lee | It’s common to hear of security teams that feel overwhelmed. They have too many alerts, ...
Checking your --privileged container | Sam Kaczorowski | Docker provides a convenient --privileged flag to create "privileged containers" but what does it actually ...
Fantastic AWS Attacks and Where to Find them | Georgios Kapoglis | Building better detections on our Cloud infrastructures and knowing our enemies is a necessity for ...
Graph Based Detection and Response with Grapl | Colin O'brien | Grapl is a Detection and Response Platform that centers around graph analytics services. By leveraging ...
Transform your presentation skills | Anne Spreiter | Are you conference ready? Do you want to give a presentation that everyone is talking ...
How to Kill an AWS Access Key | Benjamin Hering | AWS Access Keys are great for attackers; powerful and sitting in plaintext. The Security Token ...
Someone set us up the SBOM – How software transparency can help save the world | Allan Friedman | “Am I affected by this new vuln?” This is a question very few orgs that ...
Adventures in vendor security and continuous review | Lokesh Pidawekar | The advent of cloud services has created a new paradigm in vendor security. Typically, companies ...
Secure by Design: Usable Security Tooling | Hon Kwok | How do you build effective security products? Are people actually using your tools? Spending time ...
Panel: OTR: Disclosing Incidents, Advice from the Front Lines | Charles Nwatu, Julie Tsai, Reed Johnson | Off The Record (unrecorded) This session is an off-the-record panel where industry experts will discuss ...
Panel: Let's Get 360 With Bug Bounty! | Chloé Messdaghi, Jeff Boothby, Maria Mora, Tanner Sadeghipour | From bug bounty hunters, to the platform triagers, to the companies that fix the vulnerability: ...
Non-Political Security Learnings from the Mueller Report | Arkadiy Tetelman | The Mueller Report had a trove of forensics evidence around how the DNC & DCCC ...
The Red Square: Mapping the Connections Inside Russia’s APT Ecosystem | Ari Eitan | This talk will detail the stages involved in the research study of the analysis of ...
Human or Machine? The Voight-Kampff Test for Discovering Web Application Vulnerabilities | Vanessa Sauter | Among the thousands of vulnerabilities you find, how can you tell which were found through ...
MOSE: Using Configuration Management for Evil | Jayson Grace | Ever land on a configuration management server and not know what to do? Want to ...
OTR: Responding to Firefox 0-days in the wild | Philip Martin | Off The Record (unrecorded) This session is an off-the-record talk where the speaker will be ...
Script All the Things, Reverse All the Malware: A Look at Jython-Enhanced Reverse Engineering with Ghidra | Byron Roosa | Tired of long days spent reversing obfuscated binaries that want nothing more than to make ...
Hanging on the telephone: hacking VoIP | Sarah Young | Before security, Sarah spent a decent amount of her career deploying VoIP systems. In this ...
Peeling the Web Application Security Onion Without Tears | Noam Mashinter | Bruce Schneier said security is a process, not a destination. This talk focuses on web ...
Break crypto like a pro! | Alexei Kojenov | Cryptography is hard. Doing it right is even harder, and Murphy’s law continues to prove ...
CISO Vendor Relationship Podcast - Live Recording | David Spark, Olivia Johnson | Join David Spark, Mike Johnson, and guest Olivia Rose for 45 minutes of the most ...
Bootstrapping Security | Jared Shaw | Bank of America has publicly shared that they spend over $400M per year on cybersecurity ...
Serverless osquery Backend and Big Data Exploration | Geller Bedoya | osquery is an open-source, community-driven endpoint for intrusion detection. Deploying at scale requires endpoint ...
Dispatch: Crisis Management Automation When Everything is On Fire | Marc Monsen | We built Dispatch to automate our entire crisis management lifecycle, from initial report, to resource ...
Privacy nightmares while using ML/AI in your applications | Sameer Karpate | Everyone is excited with using ML And AI in applications but what about privacy while ...
Purple is the new black: Modern Approaches to Application Security | Tanya Janca | This talk will explore how to combine defence, offence, automation, empathy and continuous learning in ...
Visualizing Security | Jay Jacobs | Data analysis and visualization skills are becoming a critical part of the security domain. To ...
Ask the EFF | Kurt Opsahl, Alexis Hancock, Hayley Tsukayama, Jamie Daly | This session will include updates on current EFF issues such as surveillance online, encryption (and ...
Managing the Assets of Your Security Career | Kyle Tobener | Security folks often struggle with quality feedback and influence during promotion. In this session I ...
Sharks in the Water: Open Source Component Risk and Mitigation | Aaron Brown | Navigating the Open Source Component (OSC) Supply Chain can be murky and unforgiving. Gain an ...
Keynote: What's New or Not in 2020: Are we Making Progress on the Intractable Security Problems? | Larkin Ryder | It's the end of the decade and time to look back on which parts of ...
Checking your privileged container | Sam Kaczorowski | Docker provides a convenient --privileged flag to create "privileged containers" but what does it actually ...
k-rail: A tool to manage k8s securely at speed | Dustin Decker | Kubernetes is powerful, but often insecurely configured. During this talk, we’ll roleplay offensive and defensive ...
Security, Politics, Neutrality, and Protecting Users | Brendan O'Connor | Tech's alleged "neutrality" causes security problems for our users, ranging from misinformation and propaganda to harassment ...
The Road to Zero Trust: Developing a baseline security standard for endpoint devices | Claire Moynahan | Lightning Talk - As part of implementing a Zero Trust Network, we sought to ensure ...
Protecting the Bridge from Dollars to Bitcoin: Securing Coinbase’s Edge Payments Infrastructure | Nishil Shah | Coinbase works with payment processors across the globe. We have seen a lot of insecure ...
If you’re not using SSH certificates you’re doing SSH wrong | Mike Malone | Lightning Talk - Based on a popular blog post of the same name (over 50,000 ...
Mistakes we made integrating security scanning into CI/CD | Dinesh Schwartz | It was 8AM, Slack showed 124 new unread messages and climbing. Our security scanner had ...
The GCP metadata API; security considerations, vulnerabilities, and remediations | Dylan Donovan | Some folks know about the AWS metadata API and its security implications. Here I'll talk ...
San-Serif Rules Everything Around Me | Travis Knapp-prasek | Lightning Talk - Lowercase L and uppercase i look exactly the same when used in ...
Chrome extension risks and you | Chris Kafle | An often overlooked risk in Google Chrome are the thousands of unique Chrome extensions installed ...
What should—and shouldn’t—scare you about Kubernetes and containers | Connor Gilbert | Kubernetes and containers change a lot of how apps are built, deployed, and secured… or ...
OTR: Campaign Security is Hard | Fred Wulff, Dylan Fisher | Off The Record (unrecorded) This session is an off-the-record discussion of cybersecurity challenges pertaining to political ...
Panel: Lessons Learned from the DevSecOps Trenches | Zane Lackey, Clint Gibler, Astha Singhal, Justine Deperry | Tired of long days spent reversing obfuscated binaries that want nothing more than to make ...
From cockroaches to marble floors: What happens when you turn on the lights? | Daniel Karayan | Eliminating the false distinction between security bugs and other software defects can greatly reduce the ...
Leveraging Osquery for DFIR at scale | Sohini Mukherjee | Security Breaches are happening every other week - understanding the anatomy of an attack is ...
2FA in 2020 and Beyond | Kelley Robinson | This talk will explore the modern landscape of 2FA. With a data driven analysis of ...
So you’re the first security hire: Creating a security program and integrating security into your company’s culture | Bryan Zimmer | You're the first security hire at a company, where do you start? How do you ...
OTR: Campfire Stories of Vendor Security Horror | Kyle Riley | Off The Record (unrecorded) It’s a dark and stormy night. You open your email and there ...
Real Time Vulnerability Alerting by Using Principles from the United States Tsunami Warning Center | Amol Sarwate | Harness public data and apply data analytics principles from US Tsunami Warning Center to cut ...
Creating Data-Driven Threat Intelligence Signals in a “Zero Trust” Environment | Or Katz | As network architecture changed over the years, threat intelligence in a “Zero Trust” environment should ...
Security Learns to Sprint: DevSecOps | Tanya Janca | This talk will explain what security teams need to adjust in order to turn DevOps ...
How to 10X Your Company’s Security (Without a Series D) | Clint Gibler | I’ll summarize and distill the insights, unique tips and tricks, and actionable lessons learned from ...
OTR: Tears from The Cloud | Tim Heckman | Off The Record (unrecorded) "When ‘getting pwned’ doesn’t even fully describe what happened" When building ...
Phishy Little Liars - Pretexts That Kill | Alethe Denis | The 'IT Guy' is the Nigerian Prince of Pretexts. As bad actors begin to use ...
When GDPR and CCPA strike: Silver lining for security teams in data protection clouds | Rafae Bhatti | Data protection obligations can be an ally to the security team instead of a burden. ...
How To Write Like It's Your Job | Brianne Hughes | Hackers thought they could avoid formal essays, but SURPRISE! They still have to write about ...
RIS-ky Business: Exploiting Medical Information Systems | Jacob Brackett | The security of medical devices has been a hot topic in the news the past ...
Panel: Mental Health for Hackers: Contents Under Pressure | Chloé Messdaghi, Ryan Peediyakkal | Pressures and stress affect both professional and personal lives within infosec. This panel will introduce ...
An Effective Approach to Software Obfuscation | Yu-jye Tung | Understanding the essential aspects that make up obfuscation allows us to see the fundamental flaw ...
East vs West: How The Coasts Approach Information Security Differently | Sourya Biswas | How Wall Street and Silicon Valley fundamentally differ in their approaches to information security, and ...