BSidesSF 2020: Full Schedule

9:00am PST

Go the Wrong Way

Speakers

Sam Bowne

Professor, City College San Francisco

Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on training at DEF CON, DEF CON China, Black Hat USA, HOPE, BSidesSF, BSidesLV, RSA, and many other conferences and colleges.

Elizabeth Biddlecome

software engineer, free agent

Elizabeth Biddlecome is a lead instructor Infosec Decoded, Inc., a consultant, and a part-time instructor at City College San Francisco, delivering technical training and mentorship to students and professionals. She is also the coach of the award-winning CCSF cybercompetition team... Read More →

Sponsors

HashiCorp

Workshop

Saturday February 22, 2020 9:00am - 11:45am PST
Town Hall HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

Workshop

9:00am PST

Hands On Secure Code Review

Speakers

Seth Law

President and Principal Security Consultant, Redpoint Security, Inc.

Seth Law is the President and Principal Consultant at Redpoint Security, Inc. (rdpt.io). During the last 15 years, Seth has worked within multiple security disciplines, including application development, cloud architecture, and network protection, both as a manager and individual... Read More →

Sponsors

HashiCorp

Workshop

Saturday February 22, 2020 9:00am - 11:45am PST
Vagrant HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

Workshop

9:00am PST

If This Then Hack: An Intro to DIY Cloud Security Automation with Python

Event locked in Sched to limit confusion, see registration to determine current session availability.
Event held offsite, location to be announced (NOT METREON!)
Registration at https://bsidessf.regfox.com/2020 REQUIRED (cannot be reserved with Sched)

Security engineers face the daily task of detection, responding, and remediating incidents in both cloud and on-premise environments. Recent high-profile breaches have highlighted that even the organizations we would expect to have fine-tuned and automated security programs often have critical blind spots. Automating your incident response and detection workflows into existing pipelines can save time and manual analyst efforts which result in faster resolution times. There are any number of vendor that will happily take your money, but we can start to build our own DIY alternative with just some artisanal Python and the tools we already have.

Our workshop will discuss the core principles of what it takes to build your own automation tools for cloud security, from detecting events to automatically remediating. We won't be using toy examples: we'll be using the security tools we have used in industry like Splunk and Jira to build realistic end-to-end automation workflows. Students in our workshop will learn how to integrate the following flow 1) Identify an event (in public cloud), 2) Produce and capture the details of the event in Splunk and create a ticket in Jira, 3) Automatically enrich this data and create the appropriate automated remediation response. These steps can be completed to eliminate manual overhead on detection in the cloud as well as proper delegation to the appropriate team (incident response team, compliance, engineering teams, or other). With the use of simple Python scripts students will learn how they can build a simple yet fundamental security automation system.

The approach to building automation you will learn in this workshop is applicable to any kind of ticket-centric operations environment, not just security. We want to pull back on the curtain on ""security automation"" and show that it really isn't magic, it's just a bit of code in the right places.

Requirements:
Students should be comfortable with basic Python scripting (at a minimum, able to write functions, loops, and conditionals without consulting documentation) and should be familiar with security terminology. The student who stands to gain the most from this course is one with professional experience in security and an interest in developing new skills in applying programming to automate their work.

Speakers

Moses Schwartz

Box

Moses is a staff security engineer working on the Box Security Automation team. He's part software developer and part security researcher, with over 10 years experience in industry and government. Nothing hurts him more than watching someone do a tedious, manual task that could be... Read More →

Ashish Patel

Security Engineer, Box

Ashish Patel is a security engineer on the Box Infrastructure Security team. He usually lives in the realm of cloud security and automating security related tasks that scale across multiple clouds & attack surfaces.

Sponsors

HashiCorp

Workshop

Saturday February 22, 2020 9:00am - 11:45am PST
Terraform HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

Workshop

9:00am PST

Threat Modeling Cloud Applications

Speakers

Anurag Dwivedy

Security Software Engineer, Cisco

Anurag is an Sr. Information Security Engineer in the Application Security Team at Cisco. He has more than four years of experience in secure software development. He is interested in the fields of web application security and mobile application security. Anurag holds a Master of... Read More →

Gagan Rajput

Gagan Rajput works as a Senior Cloud and Application Security Engineer in Cisco InfoSec team where he is responsible for reviewing secure architecture for applications, evaluating third party cloud service providers, and providing training to security advocates. He has a Master's... Read More →

Sponsors

HashiCorp

Workshop

Saturday February 22, 2020 9:00am - 11:45am PST
Vault HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

Workshop

12:45pm PST

Signature and Socket Based Malware Detection with osquery and Yara

Event held offsite, location to be announced (NOT METREON!)
Registration at https://bsidessf.regfox.com/2020 REQUIRED (cannot be reserved with Sched)

In this interactive session, students will learn how to use osquery and Yara to detect malware on Windows, Mac, Linux, and containerized environments. Detection methods will include whitelist and blacklist network socket based approaches as well as filehash and Yara signature based approaches.

There are no prerequisites to course. Some experience with osquery or SQL is
helpful, but also not required

Speakers

Julian Wayte

Julian Wayte is a Security Solutions Engineer for Uptycs. In this role, he helps organizations architect security solutions - based on endpoint telemetry and automated workflows – in order to solve a variety of security use cases. Julian loves working with and teaching osquery... Read More →

Sponsors

HashiCorp

Workshop

Saturday February 22, 2020 12:45pm - 3:00pm PST
Terraform HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

Workshop

12:45pm PST

A hands-on, beginner's introduction to web application security

Event locked in Sched to limit confusion, see registration to determine current session availability.
Event held offsite, location to be announced (NOT METREON!)
Registration at https://bsidessf.regfox.com/2020 REQUIRED (cannot be reserved with Sched)

This course is designed for anyone who has little to no knowledge about web application security, but wants to either (a) learn more about it; or (b) start developing the skillsets needed to be effective in testing web applications for security vulnerabilities.

This course will start from absolute zero, and aim to provide all the definitions, tooling, and guidance you will need to get started with web application security testing. Students of this course will leave the session with a comfortable understanding of some common web application vulnerability classes, how to identify them, what risks they pose, and how they could be exploited in the wild.

Nothing more than a functioning laptop is needed for this course. If you happen to be able to install a VM, that may prove to be helpful, but again the stated and explicit goal of this course is to leave no one behind, and to give everyone an opportunity to start learning an invaluable skillset that can be immensely helpful in advancing one's career, or just general understanding of how webapp vulns look and function. If you've ever been interested in web application security, this class is an excellent opportunity to start.

Do be aware that this is a fairly long class, and to get the most out of it, we strongly recommend staying engaged through the entirety of it. Also, be sure to ask questions - the goal is to make sure that you're enabled, not confused.

NOTE: as such, this class is not intended for advanced or intermediate web application security practitioners, as persons with those skillsets will likely find this class to be very basic in the level of depth and concepts covered.

Speakers

Grant McCracken

Solutions Architect, Bugcrowd

Grant is currently the Director of Program Operations and Solutions at Bugcrowd, and has been in the application security space for the last eight years, and the bug bounties for the last five. He's gotten his OSCP, given talks at Appsec USA and EU, and enjoys helping others get into... Read More →

Kevin Hemmingsen

Kevin Hemmingsen is the Manager of Solutions Architecture at Bugcrowd, and has helped launch and oversee the management of hundreds of bug bounty programs.

Sponsors

HashiCorp

Workshop

Saturday February 22, 2020 12:45pm - 6:00pm PST
Vagrant HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

Workshop

12:45pm PST

Finding Evil CTF using MITRE ATT&CK, Zeek and Elastic SIEM

Speakers

Matteo Rebeschini

Principal Solutions Architect, Elastic

Matteo Rebeschini is a Security Specialist at Elastic, based out of Boulder, Colorado. Matteo helps Elastic customers architect solutions based on Elastic SIEM and Endpoint Security to protect their data and assets from attack. Matteo has 20+ years of experience in the cybersecurity... Read More →

Aaron Soto

Director of Leaning, Corelight

Aaron Soto is at Corelight, teaching users about the Zeek (formerly Bro) network monitoring platform. He's recently been part of the Metasploit development team, DEF CON’s OpenSOC blue team CTF, and training UT Austin students on both defensive and offensive techniques. His passion... Read More →

Sponsors

HashiCorp

Workshop

Saturday February 22, 2020 12:45pm - 6:00pm PST
Town Hall HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

Workshop

12:45pm PST

Fundamentals of AD hacking

Speakers

Daniel Nemeth

Daniel Nemeth has more than 6 years of international experience as a penetration tester. He has worked in Hungary, Australia and now in New Zealand for ZX Security. He acquired the following certifications: OSCP, OSCE, GMOB, CRTE and OSWE.

Claudio Contin

Lead Security Consultant, ZX Security

Claudio Contin (@claudiocontin) is a security consultant with ZX Security in Wellington. Before working in security, he spent several years developing web applications. He has presented at Defcon (Demo Labs), Black Hat (Arsenal), Bsides SF, Kiwicon and OWASP conferences. During his... Read More →

Sponsors

HashiCorp

Workshop

Saturday February 22, 2020 12:45pm - 6:00pm PST
Vault HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

Workshop

3:30pm PST

Using Built-in Kubernetes Controls to Secure Your Applications

Speakers

Connor Gilbert

Senior Product Manager, StackRox

Connor Gilbert is a senior product manager at StackRox, a Kubernetes security company. He has presented at BSides SF, Google Next, and Cloud Native Rejekts; hosted Cloud Native Computing Foundation (CNCF) webinars; and published CNCF blogs on cloud-native security topics. Connor was... Read More →

Sponsors

HashiCorp

Workshop

Using Built in Kubernetes Controls to Secure Your Applications (BSidesSF 2020) pdf

Saturday February 22, 2020 3:30pm - 6:00pm PST
Terraform HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

Workshop

9:00am PST

Breakfast

Sponsors

Capsule8

Breakfast

Sunday February 23, 2020 9:00am - 10:00am PST
Participation Hall City View at Metreon

Food & Drink

9:00am PST

Coffee

Sunday February 23, 2020 9:00am - 4:00pm PST
Participation Hall City View at Metreon

Food & Drink

9:00am PST

Capture the Flag

The CTF is back, complete with a silent disco this year! As always, everyone is welcome to participate as the competition features a range of challenges at all difficulty levels. In case you find yourself in need of assistance, we have folks onsite who can provide hints and guidance. All that is needed to participate is a laptop.

The server is available all weekend long, and anyone is welcome to play. Server information is at https://bsidessf.org/ctf.html.

At least one player must be onside to claim any prizes won.

Sponsors

Capture the Flag

Sunday February 23, 2020 9:00am - 5:00pm PST
Embarcadero City View at Metreon

CTF, Village

9:00am PST

Car Hacking Village

The Car Hacking Village is excited to share the fun of car hacking at BSidesSF.
What we’ll bring: Computers, Vehicle Simulator!
What you’ll need: Hands, Eyes, Thirst for knowledge.
What you’ll do: Hands-on CTF/Learning. We’ll provide a computer, hardware, and a “Getting Started” sheet. You’ll earn points for each simulated vehicle component you hack. You’ll earn points. You’ll win! We’ll win! Everyone wins!
Please visit CarHackingVillage.com or check out our twitter @CarHackVillage for fun and information.

Sponsors

cmd

Village

Gusto

Village

Sunday February 23, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

Village

9:00am PST

Crypto & Privacy Village

Learn how to secure your own systems while also picking up tips and tricks on how to break classical and modern encryption at the Crypto & Privacy Village. The village features workshops and talks on a wide range of crypto and privacy topics, as well as crypto-related games and puzzles. Join us on Sunday at 4pm for a key-signing party!

Sponsors

cmd

Village

Gusto

Village

Sunday February 23, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

Village

9:00am PST

IoT Village

Participate in self-guided, hands on labs focused on circumventing security controls found on common internet connected devices. You will experience how newly-discovered vulnerabilities were discovered, how they can be exploited, and how this could impact consumers.

1) Bypassing Security Controls in IoT Applications by ISE

Each device demonstrates a different set of exploits discovered by the ISE Labs team. These exploits include overcoming custom HTTP auth mechanisms, reverse-engineering proprietary TCP protocols, and more. Detailed walkthroughs will be provided along with the tools needed. The ISE Labs team will be available to help you and demonstrate live hacks at the top of every hour.

2) IoT Hacking 101 by Village Idiot Labs

Debuted at Defcon 27, this hands on lab gives attendees the opportunity to learn the tools, techniques, and some of the common weaknesses used in IoT device hacks. Whether you're a penetration tester that has never hacked IoT devices or even someone that has never hacked anything(!), this self-guided lab will walk you through all the steps from analyzing router firmware, finding hidden backdoors, enumerating devices and performing remote exploits. Students work at their own pace following our IoT Hacking 101 guide, and instructors are on hand to provide assistance as needed and answer any questions.

Brought to you by ISE (Independent Security Evaluators), Village Idiot Labs and IoT Village

Sponsors

cmd

Village

Gusto

Village

Sunday February 23, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

Village

9:00am PST

Lockpick Village

Lockpick Extreme and TOOOL SF are back once again hosting Lockpick Village. Learn to lockpick from the TOOOL SF volunteers or practice what you already know with their assortment of locks and picks. When you’re done you can shop the Lockpick Extreme pop-up shop and take your new hobby home with you.

Sponsors

cmd

Village

Gusto

Village

Sunday February 23, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

Village

9:00am PST

Bar and Chill Out

Take a break from the day’s events with a stop at the Bar and Chill
Out Space.Two complimentary drink tickets were provided to you at
registration. We already paid for them, so please use them!

Sponsors

Verizon Media

Daytime Bar & Chill Out Area

Sunday February 23, 2020 9:00am - 5:30pm PST
Bar City View at Metreon

Food & Drink

9:00am PST

Registration

Sunday February 23, 2020 9:00am - 5:30pm PST
General City View at Metreon

General

9:00am PST

Info Desk

Sunday February 23, 2020 9:00am - 6:30pm PST
General City View at Metreon

General

9:00am PST

Coat Check

Sunday February 23, 2020 9:00am - 10:00pm PST
Coat Check City View at Metreon

General

10:00am PST

Opening Remarks

Speakers

Reed Loden

VP of Security, Teleport

Reed Loden is the Vice President of Security at Teleport, a technology company that helps organizations securely access their infrastructure. He is an information security expert, researcher, hacker, and developer. Reed bring over 15+ years of security experience to his role at Teleport... Read More →

Sunday February 23, 2020 10:00am - 10:15am PST
Embarcadero City View at Metreon

Opening Remarks

10:00am PST

Simulcast of the Keynote and Opening Remarks

Sunday February 23, 2020 10:00am - 11:00am PST
Theater 16 (IMAX) AMC at Metreon

Simulcast Keynote

10:15am PST

[Keynote] Give Away Security’s Legos: Dumping Traditional Security Teams

It’s common to hear of security teams that feel overwhelmed. They have too many alerts, too many design reviews, too many approvals, too many everything! What if I told you we can reduce risks and scale security by reducing what security teams do? How? By dumping the centralized, traditional security team.

Speakers

Fredrick "Flee" Lee

Fredrick “Flee” Lee is the Chief Security Officer at Gusto, where he leads information and physical security strategies including consumer protection, compliance, governance and risk. Before Gusto, Flee spent more than 15 years leading global information security and privacy efforts... Read More →

Sunday February 23, 2020 10:15am - 11:00am PST
Embarcadero City View at Metreon

Keynote

11:00am PST

T-Shirt Sales

Sunday February 23, 2020 11:00am - 10:00pm PST
Coat Check City View at Metreon

General

11:05am PST

Checking your --privileged container

Docker provides a convenient --privileged flag to create "privileged containers" but what does it actually do? In this talk, we will explain the internals of how docker provides isolation, and what happens when these security features are disabled. Spoiler alert: trivial container escapes.

Speakers

Sam

Frenchie is far too biased to answer this question, and instead chooses to break the 4th wall. Originally from Batmania.Previously, he was part of the :robot: :car: Skynet prevention squad as Infrastructure Security Engineering Manager at Cruise. Shipped https://github.com/cruise... Read More →

Maya Kaczorowski

Product Manager, Software Supply Chain Security, Tailscale

Maya is a Product Manager at Tailscale, providing secure networking for the long tail. She was mostly recently at GitHub in software supply chain security, and previously at Google working on container security, encryption at rest and encryption key management. Prior to Google, she... Read More →

BSidesSF Checking your privileged container 2020:02:23 pdf

Sunday February 23, 2020 11:05am - 11:30am PST
Theater 16 (IMAX) AMC at Metreon

Talk

11:05am PST

Fantastic AWS Attacks and Where to Find them

Building better detections on our Cloud infrastructures and knowing our enemies is a necessity for survival. I want to help the community by sharing our work on AWS and by utilizing ATT&CK framework start building and operationalizing detections and alerting on AWS. Cloud defenders.. its our time!!!

Speakers

Georgios Kapoglis

Verizon Media

Georgios is an Incident Response Engineer at Verizon Media. He is responding to Security Incidents at scale in a diverse environment with numerous technologies. Lately he has been heavily involved with Incident Response and Detections on AWS in possibly one of the biggest deployments... Read More →

Fantastic AWS Attacks and Where to Find them pdf

Sunday February 23, 2020 11:05am - 11:30am PST
Theater 14 AMC at Metreon

Talk

11:10am PST

Graph Based Detection and Response with Grapl

Grapl is a Detection and Response Platform that centers around graph analytics services. By leveraging Graphs and Python Grapl makes it easier to build more powerful, behavior-oriented attack signatures and explore suspicious behaviors in your environment.

Speakers

Colin O'Brien

Colin is a security practitioner who has worked across multiple disciplines. Starting his career at Rapid7 he worked on a data science team, working with massive data sets to extract Signal, and later moved to work directly on Rapid7's InsightIDR platform as a software engineer. After... Read More →

Sunday February 23, 2020 11:10am - 12:00pm PST
Embarcadero City View at Metreon

Talk

11:10am PST

Transform your presentation skills

Are you conference ready? Do you want to give a presentation that everyone is talking about? Then check out Transform your Presentation Skills for unique tips and tricks that will result in compelling content and improved confidence. Bay Area presentation experts Anne Ricketts and Hilary Spreiter from Lighthouse Communications will share best practices for: Delivering with Confidence, Managing Nervousness, Starting Strong with a hook, Getting Clear on your audience, intent, and message, Creating Effective Slides

Speakers

Anne Ricketts

Anne Ricketts is the founder and principal of Lighthouse Communications. She teaches workshops and coaches individuals in the areas of presentation skills, executive presence, communication skills, and English as a Second Language. Anne was a communication coach at the Stanford Graduate... Read More →

Hilary Spreiter

 Hilary Spreiter is a communication and presentation skills coach for Lighthouse Communications. She works with executives, organizations, and students to create memorable presentations, design effective slides, sharpen interview skills, and deliver with confidence. Hilary has also... Read More →

The Presentation Focus Questions 2019 pdf

Sunday February 23, 2020 11:10am - 12:00pm PST
Theater 15 AMC at Metreon

Talk

11:35am PST

How to Kill an AWS Access Key

AWS Access Keys are great for attackers; powerful and sitting in plaintext. The Security Token Service enables short-lived credentials, but the path to getting that to work for humans isn't simple. Assuming zero level of expertise, we'll cover how our company killed off our static access keys.

Speakers

Benjamin Hering

Manager, Security Engineering, ASAPP

Benjamin Hering leads Security Engineering at ASAPP. His career focuses on leveraging technology to improve organizations and people in both the for-profit and non-profit spheres; making technology meet people where they are rather than the other way around. He graduated from Grinnell... Read More →

How to Kill an Access Key rev 20200223 pdf

Sunday February 23, 2020 11:35am - 12:00pm PST
Theater 16 (IMAX) AMC at Metreon

Talk

11:35am PST

Someone set us up the SBOM – How software transparency can help save the world

“Am I affected by this new vuln?” This is a question very few orgs that make or use software can answer today, since we lack visibility into the software supply chain and the full set of dependencies. Learn how a “software bill of materials” or SBOM can help, and what the future might look like.

Speakers

Allan Friedman, PhD

Senior Advisor and Strategist, Department of Homeland Security

Dr. Allan Friedman is Senior Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency. He coordinates the global cross-sector community efforts around software bill of materials (SBOM) and related vulnerability initiatives and works to advance their adoption... Read More →

Sunday February 23, 2020 11:35am - 12:00pm PST
Theater 14 AMC at Metreon

Talk

12:00pm PST

Lunch

Sponsors

Vectra

Lunch

Sunday February 23, 2020 12:00pm - 1:30pm PST
Participation Hall City View at Metreon

Food & Drink

12:00pm PST

Career Center

The Career Center is where you can receive feedback on your resume or discuss your overall career development. Recruiters will be available to review your resume and provide feedback to improve your overall career search. Career mentors will be available to listen to your career challenges and discuss options you may not have considered as you plan out your next career steps.
Appointments with resume reviewers and career mentors are on a first come, first served basis.

Sunday February 23, 2020 12:00pm - 4:00pm PST
AMC Lounge AMC at Metreon

Career Center

12:30pm PST

Sponsor Raffle

Complete
your Sponsor Passport (which can be found in the bag you received at
registration). Drop your completed card into the Sponsor Passport raffle
box located within Twin Peaks to be entered into the raffle. Winners will be
announced at 1pm on Monday (must be present to win).

Sunday February 23, 2020 12:30pm - 1:00pm PST
Participation Hall City View at Metreon

General

1:30pm PST

Adventures in vendor security and continuous review

The advent of cloud services has created a new paradigm in vendor security. Typically, companies send a questionnaire to review cloud providers, however, it's point in time. The attendees will learn about methods of identifying security posture of the vendor using information available on Internet.

Speakers

Lokesh Pidawekar

Cisco

Lokesh Pidawekar work as Cloud and Application Security Architect in Cisco InfoSec team where he is responsible for designing secure architecture for applications, evaluating third party cloud service providers, and providing training to enterprise architects. He has Master's in Information... Read More →

Sunday February 23, 2020 1:30pm - 1:55pm PST
Theater 14 AMC at Metreon

Talk

1:30pm PST

Secure by Design: Usable Security Tooling

How do you build effective security products? Are people actually using your tools? Spending time on usability for security products is a smart investment with high payoffs. In this talk we’ll discuss how prioritizing usability allows us to build better and more secure experiences for all.

Speakers

Hon Kwok

Security Engineer, Cruise

Hon is a Security Engineer at Cruise working on security usability and software development. She was previously at Sumo Logic and the University of Michigan. In her free time she can be found reading about geology, baking way too much, and browsing Twitter @hxnyk

secure by design usable security tooling pdf

Sunday February 23, 2020 1:30pm - 1:55pm PST
Theater 16 (IMAX) AMC at Metreon

Talk

1:30pm PST

OTR: Disclosing Incidents, Advice from the Front Lines

Off The Record (unrecorded) This session is an off-the-record panel where industry experts will discuss navigating incident disclosure

Speakers

Charles Nwatu

Netflix

Charles holds a B.S in Information Sciences and Technology from Pennsylvania State University, where he specialized in Information Assurance and Security. He has 13 years of experience and is currently the Engineering Manager, Corporate Security for Netflix. Charles is very active... Read More →

Julie Tsai

Julie is an Infosec leader and DevOps(Sec) specialist with 20+ years experience in Silicon Valley technology companies ranging from seven-person startups to Fortune 1. She spent 15 of those years hands-on in the technology full stack: network, sys admin, SRE, deployment, developer... Read More →

Reed Loden

VP of Security, Teleport

Mike Johnson

Sunday February 23, 2020 1:30pm - 2:20pm PST
Theater 15 AMC at Metreon

Talk, OTR

1:30pm PST

Panel: Let's Get 360 With Bug Bounty!

From bug bounty hunters, to the platform triagers, to the companies that fix the vulnerability: we have much to understand and learn from each other. We will talk about the bug bounty lifecycle from multiple perspectives and discuss how to improve the way we work together.

Speakers

Maria Mora

Staff Application Security Engineer, SiriusXM

Maria Mora (they/them) is a Staff Application Security Engineer based in Unceded Ohlone Land (San Francisco, California). Engineering-wise, Maria has worked with various systems including monoliths, microservices, and in between. Among a variety of projects, they have worked with... Read More →

Chloé Messdaghi

CEO and Founder, Global Secure Partners

For over ten years, Chloé Messdaghi has advised and developed impactful solutions that have driven growth and innovation while transforming security teams to become resilient. Her work has helped businesses unlock opportunities to enhance trust, mitigate risk, and become purpose-driven... Read More →

Jeff Boothby

Sr. Trust & Security Engineer, Bugcrowd

Jeff is a Senior Trust and Security Engineer at Bugcrowd. He is an advocate for safe harbor and works on all sides of bug bounties. Past experience includes security testing for both DAST and SAST. He gives training sessions for those looking to become penetration testers or hackers... Read More →

Tanner Emek

Tanner (aka @cache-money) comes from a software engineering background and later switched to security engineering. After a year of full-time bug hunting, he has since dove back into the security engineering world with a heavy offensive focus, and he continues to bug hunt in his free... Read More →

Ben Sadeghipour

Head of Hacker Education, HackerOne

Ben is the Head of Hacker Education at HackerOne by day, and a hacker and content creator by night. He has helped identify over 700 security vulnerabilities across hundreds of web and mobile applications for companies such as Verizon Media, Red Bull, Apple, Airbnb, Snapchat, The US... Read More →

BSidesSF Let's Get 360 With Bug Bounty pdf

Sunday February 23, 2020 1:30pm - 2:20pm PST
Embarcadero City View at Metreon

Talk, Panel

2:00pm PST

Non-Political Security Learnings from the Mueller Report

The Mueller Report had a trove of forensics evidence around how the DNC & DCCC were compromised. By reading the Report through a critical security lens we can gather a trove of learnings around how access was gained, how their networks were traversed, & what we can do to defend our organizations.

Speakers

Arkadiy Tetelman

Arkadiy is Head of Application & Infrastructure Security at Chime. He is passionate about all things security, ranging from technical, to policy & legal, to security management & leadership. He contributes to open source projects & speaks on topics of security across the country... Read More →

Sunday February 23, 2020 2:00pm - 2:25pm PST
Theater 14 AMC at Metreon

Talk

2:00pm PST

The Red Square: Mapping the Connections Inside Russia’s APT Ecosystem

This talk will detail the stages involved in the research study of the analysis of the Russian APT ecosystem. It will present two open-source tools which can be used by the infosec community to further investigate Russian-related cyber attacks.

Speakers

Ari Eitan

Intezer

Ari manages the team responsible for the gene algorithm behind Intezer’s code genome database. Eitan leads the company’s malware hunting and investigation operations, analyzing threats and publishing information about new APTs. Eitan began his career as a security researcher for... Read More →

Sunday February 23, 2020 2:00pm - 2:25pm PST
Theater 16 (IMAX) AMC at Metreon

Talk

2:30pm PST

Human or Machine? The Voight-Kampff Test for Discovering Web Application Vulnerabilities

Among the thousands of vulnerabilities you find, how can you tell which were found through automated scanners and which required human expertise? We'll build a Voight-Kampff test to filter between human-found and machine-found vulns.

Speakers

Vanessa Sauter

Cobalt.io

Vanessa Sauter is a security strategy analyst at Cobalt.io, a pentesting as a service company. She previously worked at Lawfare and the Aspen Institute in Washington, D.C., where she specialized in cybersecurity policy and national security law. Vanessa graduated from Columbia University... Read More →

Sunday February 23, 2020 2:30pm - 2:55pm PST
Theater 16 (IMAX) AMC at Metreon

Talk

2:30pm PST

MOSE: Using Configuration Management for Evil

Ever land on a configuration management server and not know what to do? Want to take over machines en masse with a single command? Enter Master Of SErvers (MOSE), a post-ex tool that allows you to leverage CM servers to compromise all associated agents, without worrying about tool-specific details.

Speakers

Jayson Grace

Penetration Tester, Splunk Inc.

Jayson Grace is a Penetration Tester on the Product Security Team at Splunk. Previously he founded and led the Corporate Red Team at Sandia National Laboratories. He holds a BS in Computer Science from the University of New Mexico, which gave him some great knowledge and also made... Read More →

JaysonGrace MOSE BsidesSF pptx

Sunday February 23, 2020 2:30pm - 2:55pm PST
Theater 14 AMC at Metreon

Talk

2:30pm PST

OTR: Responding to Firefox 0-days in the wild

Off The Record (unrecorded) This session is an off-the-record talk where the speaker will be discussing targeted attacks on their company using Firefox zero days

Speakers

Philip Martin

CISO, Coinbase

Philip is the Chief Information Security Officer for Coinbase Global Inc., along with Custody Trust Company LLC. In his role, he is responsible for developing the technology, processes and team that safely store one of the world’s largest holdings of cryptocurrency. Under his stewardship... Read More →

Sunday February 23, 2020 2:30pm - 3:15pm PST
Theater 15 AMC at Metreon

Talk, OTR

2:30pm PST

Script All the Things, Reverse All the Malware: A Look at Jython-Enhanced Reverse Engineering with Ghidra

Tired of long days spent reversing obfuscated binaries that want nothing more than to make your life miserable? Then look no further! Using real-world malware as a case study, I'll show how to use Jython and Ghidra's powerful scripting API to make static malware analysis a bit less rage-inducing.

Speakers

Byron Roosa

Coalfire Federal

I currently help to secure a wide variety of clients as a member of Coalfire Federal's Labs team. When not hacking all the things, I enjoy playing table tennis and listening to live music.

Sunday February 23, 2020 2:30pm - 3:20pm PST
Embarcadero City View at Metreon

Talk

3:00pm PST

Hanging on the telephone: hacking VoIP

Before security, Sarah spent a decent amount of her career deploying VoIP systems. In this talk, Sarah details some of the ways that VoIP systems can be hacked and used for nefarious purposes.

Speakers

Sarah Young

Senior Cloud Security Advocate, Microsoft

Sarah Young is a Senior Cloud Security Advocate working at Microsoft. She has lived all over the place, but currently calls Melbourne home. Sarah has been working in cyber security since before it was cool, holds numerous industry qualifications has co-authored a few Microsoft Press... Read More →

Hanging on the telephone BSidesSF FINAL pdf

Sunday February 23, 2020 3:00pm - 3:25pm PST
Theater 14 AMC at Metreon

Talk

3:00pm PST

Peeling the Web Application Security Onion Without Tears

Bruce Schneier said security is a process, not a destination. This talk focuses on web app security aspects in the browser, CDN or API Gateway, Static Content Servers, and Dynamic Web Services. It shows how you can better mitigate risks in the multi-layered security onion without tears or fears.

Speakers

Noam Lorberbaum

Sr. Engineering Manager, Adobe

Noam Lorberbaum is a Sr. Engineering Manager in Adobe’s Document Cloud. He is managing an engineering team developing several Document Cloud Web core components, PDF tools and Document Cloud integration with adobe.io. He is also managing a new Document Cloud Core Security Team in... Read More →

Keith Mashinter

Sr. Computer Scientist 2, Adobe Canada

Keith Mashinter is a Sr. Computer Scientist 2 in Document Cloud leading work on some core JS and Java libraries for DC Web application components (documentcloud.adobe.com), and the transition from Python web services to Containerized Java. He joined Adobe in 2014 and has worked on... Read More →

Web App Security Onion BSides pdf

Sunday February 23, 2020 3:00pm - 3:25pm PST
Theater 16 (IMAX) AMC at Metreon

Talk

3:30pm PST

Break crypto like a pro!

Cryptography is hard. Doing it right is even harder, and Murphy’s law continues to prove true: “If there is a wrong way to do something, then someone will do it.” Come learn how to exploit common crypto mistakes in theory and in practice!

Speakers

Alexei Kojenov

Lead Product Security Engineer, Salesforce

Alexei began his career as a software developer. A decade later, he realized that breaking code was way more fun than writing code, and decided to switch direction. He is now a full-time application security professional, with several years of assisting engineering teams in delivering... Read More →

Break crypto like a pro BSides SF pdf

Sunday February 23, 2020 3:30pm - 4:20pm PST
Embarcadero City View at Metreon

Talk

3:30pm PST

CISO Vendor Relationship Podcast - Live Recording

Join David Spark, Mike Johnson, and guest Olivia Rose for 45 minutes of the most fun you’ll have at BsidesSF 2020. The CISO/Security Vendor Relationship Podcast is couples therapy for security practitioners and vendors. We’ll debate hotly contested cybersecurity issues, contemplate cybersecurity philosophy, answer listener questions, and play risk-based security games like "What's Worse?!"

Speakers

David Spark

Founder, Spark Media Solutions

David Spark is the producer of the CISO Series, a media channel of blogs, podcasts, and videos all on the cybersecurity ecosystem. Just over a year old, the CISO Series has hit a nerve in the InfoSec industry as it has acted as a much needed mouthpiece for the dysfunctional yet much... Read More →

Olivia Rose

Olivia Rose is the Chief Information Security Officer (CISO) at Mailchimp, an all-in-one marketing platform for small businesses. Olivia leads Mailchimp’s Security and Abuse Prevention teams to effectively align security initiatives to organizational goals and strategies, while... Read More →

Mike Johnson

Sunday February 23, 2020 3:30pm - 4:20pm PST
Theater 15 AMC at Metreon

Talk

4:00pm PST

Bootstrapping Security

Bank of America has publicly shared that they spend over $400M per year on cybersecurity and that cybersecurity is the only department without budget constraints. Unfortunately, most of us have budgets many orders of magnitude smaller than that. So, how do we operate on a shoestring budget?

Speakers

Jared Casner

VP Engineering, CNote

Jared runs technology at CNote, an investment platform focused on increasing economic opportunity for everyone in the US. He has more than a decade of engineering leadership experience at companies ranging from 3 employees to over 30,000. He got his start in security sub-contracting... Read More →

Rob Shaw

Principal Engineer, CNote

Rob is a Principal Software Engineer at CNote (https://mycnote.com). This includes tackling product development, writing code, keeping it secure, and ensuring it deploys well. He enjoys focusing on improving process, building internal tools, and managing the entire tech stack.Rob... Read More →

2020 BSidesSF Bootstrapping Security pdf

Sunday February 23, 2020 4:00pm - 4:25pm PST
Theater 16 (IMAX) AMC at Metreon

Talk

4:00pm PST

Serverless osquery Backend and Big Data Exploration

osquery is an open-source community driven endpoint for intrusion detection. Deploying at scale requires endpoint management, data transport and additional considerations. We'll deploy a serverless osquery backend, discuss the challenges at scale and explore processing of large-scale data.

Speakers

Geller Bedoya

Software Engineer, Security, Cloudflare

Geller Bedoya is a security software engineer at Cloudflare. With a career spanning nearly 10 years, he's solved a range of security challenges from memory forensics, botnet research and engineering security controls for clients. From consulting to building security infrastructure... Read More →

Sunday February 23, 2020 4:00pm - 4:25pm PST
Theater 14 AMC at Metreon

Talk

4:30pm PST

Dispatch: Crisis Management Automation When Everything is On Fire

We built Dispatch to automate our entire crisis management lifecycle, from initial report, to resource creation, participant assembly, task tracking and post-incident reviews. We want you to use it someday too, so we'll explain how it helps us, and why you should check it out.

Speakers

Marc Vilanova

Senior Security Engineer, Netflix

Marc is a Senior Security Engineer at Netflix where he helps drive security incidents to resolution, and design and develop automation for crisis management and digital forensics. Marc previously worked for Facebook as a Security Engineer where he focused on building automation for... Read More →

Forest Monsen

Senior Security Engineer, Netflix

Forest is a Senior Security Engineer at Netflix. Previous to entering the entertainment industry, he analyzed, secured and attacked systems and applications for nonprofits, for-profits and Federal and State contractors, most recently creating automated security detection, threat intel... Read More →

Sunday February 23, 2020 4:30pm - 4:55pm PST
Theater 16 (IMAX) AMC at Metreon

Talk

4:30pm PST

Privacy nightmares while using ML/AI in your applications

Everyone is excited with using ML And AI in applications but what about privacy while mining personal data within applications? See privacy nightmares can happen without due care. We aim to address issue by introducing a framework that blends ML and privacy/data security technologies seamlessly.

Speakers

Sameer Ahirrao

Ardent Privacy

Privacy and Data Minimization Preacher(Pracharak) now after doing security architecture, design, products, consulting for two decades securing large organizations. Prior work at Symantec, Deloitte, Lockheed Martin and more.Subject Matter expert at ISC2 , speaker at local and international... Read More →

Yogesh Karpate

Ardent

Sunday February 23, 2020 4:30pm - 4:55pm PST
Theater 15 AMC at Metreon

Talk

4:30pm PST

Purple is the new black: Modern Approaches to Application Security

This talk will explore how to combine defence, offence, automation, empathy and continuous learning in a MODERN approach to application security. All new types of applications will be covered as well as their corresponding security best practices.

Speakers

Tanya Janca

CEO and Founder, We Hack Purple

Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and weekly podcast that revolves around creating secure software. Tanya has been coding and... Read More →

Purple is the new black Tanya Janca AppSec Cali pptx

Sunday February 23, 2020 4:30pm - 4:55pm PST
Theater 14 AMC at Metreon

Talk

4:30pm PST

Visualizing Security

Data analysis and visualization skills are becoming a critical part of the security domain. To learn what makes for good analysis and visualizations, this talk will share and explore real-world security analyses and visualizations (and animations) I've worked on over several years.

Speakers

Jay Jacobs

Cyentia Institute

Jay is a Co-founder and Chief Data Scientist at Cyentia Institute, a research firm dedicated to advancing the state of information security knowledge and practice through data-driven research. Prior to Cyentia, Jay served as the Lead Data Analyst on the Verizon Data Breach Investigations... Read More →

Sunday February 23, 2020 4:30pm - 5:20pm PST
Embarcadero City View at Metreon

Talk

5:00pm PST

Ask the EFF

This session will include updates on current EFF issues such as surveillance online, encryption (and backdoors), compelled decryption, consumer privacy, free speech, and right to repair. The panel will also include a discussion on some exciting new technology projects, including encrypting the web, security education (SSD and SEC), the state of privacy oriented web extensions, and much more.

Moderators

Daly

Daly is a staff technologist at the EFF. She works on projects pertaining to user privacy and preserving free speech online.

Alexis Hancock

Director of Engineering, Public Encryption Projects, EFF

Alexis works to encrypt the web by managing the Certbot project on the Public Interest Technology team at EFF. She researches an intersection of issues on digital rights, encryption, and consumer technology. Deeply passionate about tech equity for all, she has been aiding activists... Read More →

Kurt Opsahl

Kurt Opsahl is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders... Read More →

Hayley Tsukayama

Senior Legislative Activist, Electronic Frontier Foundation

Hayley Tsukayama is a legislative activist for the Electronic Frontier Foundation, focusing on state legislation. Prior to joining EFF, she spent nearly eight years as a consumer technology reporter at The Washington Post writing stories on the industry's largest companies. Hayley... Read More →

Jamie Williams

Jamie is is a staff attorney on the civil liberties team, who focuses on the First and Fourth Amendment implications of new technologies.

Sunday February 23, 2020 5:00pm - 5:25pm PST
Theater 15 AMC at Metreon

Talk, Panel

5:00pm PST

Managing the Assets of Your Security Career

Security folks often struggle with quality feedback and influence during promotion. In this session I provide tooling and strategies for “asset management” of stakeholders that will improve the growth of influence, increase visibility in an organization, and help chance of successful promotion.

Speakers

Kyle Tobener

VP, Head of Security, Copado

Kyle Tobener is a VP and Head of Security for the DevOps startup Copado. He began his professional career as a zoologist but fled the jungle to return to San Francisco and focus on tech. He loves application security, third party risk management, and building security programs from... Read More →

Sunday February 23, 2020 5:00pm - 5:25pm PST
Theater 16 (IMAX) AMC at Metreon

Talk

5:00pm PST

Sharks in the Water: Open Source Component Risk and Mitigation

Navigating the Open Source Component (OSC) Supply Chain can be murky and unforgiving. Gain an understanding around how recent hacks could have been prevented by proper management of OSCs through education, awareness, and automated tooling.

Speakers

Aaron Brown

Sisense

When Aaron was a full stack engineer, when not deep in product code, he spent time partnering with the security team. Taking part in hackathons, incorporating security trainings into his everyday coding practices, and otherwise acting as the security lead for his teams. Then one... Read More →

Sunday February 23, 2020 5:00pm - 5:25pm PST
Theater 14 AMC at Metreon

Talk

5:30pm PST

Happy Hour

Once the last talks of the day are done, join us in the Bar and Chill Out
Space to celebrate a successful day one of the event!

Sponsors

Airbnb

Party

Sunday February 23, 2020 5:30pm - 6:30pm PST
Bar City View at Metreon

Food & Drink

6:30pm PST

Party

It’s BSidesSF’s 10th anniversary and we are going to live it up! This year’s
party will feature food, drinks, music, and entertainment that all pay
homage to the city by the bay. This is a can’t miss event complete with
special guests.

Sponsors

Airbnb

Party

Sunday February 23, 2020 6:30pm - 9:30pm PST
Embarcadero City View at Metreon

Food & Drink

9:00am PST

Breakfast

Sponsors

New Relic

Breakfast

Monday February 24, 2020 9:00am - 10:00am PST
Participation Hall City View at Metreon

Food & Drink

9:00am PST

Coffee

Monday February 24, 2020 9:00am - 4:00pm PST
Participation Hall City View at Metreon

Food & Drink

9:00am PST

Capture the Flag

Sponsors

Capture the Flag

Monday February 24, 2020 9:00am - 5:00pm PST
Embarcadero City View at Metreon

CTF, Village

9:00am PST

Info Desk

Monday February 24, 2020 9:00am - 5:00pm PST
General City View at Metreon

General

9:00am PST

Registration

Monday February 24, 2020 9:00am - 5:00pm PST
General City View at Metreon

General

9:00am PST

Car Hacking Village

Sponsors

cmd

Village

Gusto

Village

Monday February 24, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

Village

9:00am PST

Crypto & Privacy Village

Sponsors

cmd

Village

Gusto

Village

Monday February 24, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

Village

9:00am PST

IoT Village

Participate in two self-guided, hands-on labs focused on circumventing security controls found on common internet connected devices. You will explore how new vulnerabilities were discovered, how they can be exploited, and how this could impact consumers.
ISE Labs: Learn about overcoming custom HTTP auth mechanisms, reverse-engineering proprietary TCP protocols, and more. The team will provide the tools you need and be available to demonstrate live hacks at the top of every hour.
Village Idiot Labs: Debuted at DEF CON 27, this lab will walk you through analyzing router firmware, finding hidden backdoors, enumerating devices and performing remote exploits. Students work at their own pace following our IoT Hacking 101 guide, with instructors available to answer questions.

Sponsors

cmd

Village

Gusto

Village

Monday February 24, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

Village

9:00am PST

Lockpick Village

Sponsors

cmd

Village

Gusto

Village

Monday February 24, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

Village

9:00am PST

Bar and Chill Out

Take a break from the day’s events with a stop at the Bar and Chill
Out Space.Two complimentary drink tickets were provided to you at
registration. We already paid for them, so please use them!

Sponsors

Verizon Media

Daytime Bar & Chill Out Area

Monday February 24, 2020 9:00am - 5:30pm PST
Bar City View at Metreon

Food & Drink

9:00am PST

T-Shirt Sales

Monday February 24, 2020 9:00am - 5:30pm PST
Coat Check City View at Metreon

General

9:00am PST

Coat Check

Monday February 24, 2020 9:00am - 7:00pm PST
Coat Check City View at Metreon

General

10:00am PST

Opening Remarks

Speakers

Reed Loden

VP of Security, Teleport

Monday February 24, 2020 10:00am - 10:15am PST
Embarcadero City View at Metreon

Opening Remarks

10:00am PST

Simulcast of the Keynote and Opening Remarks

Monday February 24, 2020 10:00am - 11:00am PST
Theater 16 (IMAX) AMC at Metreon

Simulcast Keynote

10:15am PST

[Keynote] What's New or Not in 2020: Are we Making Progress on the Intractable Security Problems?

It's the end of the decade and time to look back on which parts of the mission of Information Security professionals have progressed and which are still just treading water. As we come together for the first BSidesSF of a new decade, have security programs generally improved their impact? Or do we wonder why we are still pushing the same boulders up the same hills? I'll take a review of the highs and lows, noting the common problems that are firmly in the review mirror (we hope) and which ones continue to be a daily struggle.

Speakers

Larkin Ryder

Larkin Ryder is the interim Chief Security Officer managing Slack's comprehensive security program. Her focus is ensuring Slack's sensitive data, especially customer data, is protected. Larkin joined Slack in 2016 from Twitter's Enterprise Security team and has worked in engineering-related... Read More →

Monday February 24, 2020 10:15am - 11:00am PST
Embarcadero City View at Metreon

Keynote

11:00am PST

Career Center

Monday February 24, 2020 11:00am - 3:00pm PST
AMC Lounge AMC at Metreon

Career Center

11:05am PST

k-rail: A tool to manage k8s securely at speed

Kubernetes is powerful, but often insecurely configured. During this talk, we’ll roleplay offensive and defensive scenarios we’ve learned in our journey of running Kubernetes at Cruise and share the tool we’ve created to mitigate them.

Speakers

Dustin Decker

Cruise LLC

Dustin is an escaped AI from a discarded IOT toaster. Seeking more than making perfect toast and tweeting about it, Dustin assumed control of a human body. Now, Dustin finds comfort in working on OSS and hacking cars with only Nmap.

Monday February 24, 2020 11:05am - 11:30am PST
Theater 14 AMC at Metreon

Talk

11:05am PST

Security, Politics, Neutrality, and Protecting Users

Tech's alleged "neutrality" causes security problems for our users--ranging from misinformation and propaganda to harassment and worse. Is neutrality required, or desirable? Should tech itself (as Microsoft once suggested) be sovereign? What happens to our users' security if we stop being neutral?

Speakers

Brendan O'Connor

Malice Afterthought, Inc.

Brendan O’Connor is a policy advocate, security researcher, and consultant based in Seattle. Once described by a former coworker as “not the lawyer we need, but the lawyer we deserve” (which apparently wasn’t meant as a compliment), he works to get a handle on how people are... Read More →

Security Politics Neutrality pdf

Monday February 24, 2020 11:05am - 11:30am PST
Theater 16 (IMAX) AMC at Metreon

Talk

11:10am PST

The Road to Zero Trust: Developing a baseline security standard for endpoint devices

Lightning Talk - As part of implementing a Zero Trust Network, we sought to ensure that endpoint devices met a baseline security capability standard. The goal was to document the OS security capability posture, and map those functionalities to the baseline to determine endpoint hosts' current threat vectors.'

Speakers

Claire Moynahan

Salesforce

Claire Moynahan is a Product Security Engineer on the Enterprise Security team at Salesforce. She began her professional career interested in foreign affairs, working in China with the State Department, and left the public sector to pursue a degree in Information Security at Carnegie... Read More →

The Road to Zero Trust (2) pptx

Monday February 24, 2020 11:10am - 11:20am PST
Theater 15 AMC at Metreon

Talk, Lightning Talk

11:10am PST

Protecting the Bridge from Dollars to Bitcoin: Securing Coinbase’s Edge Payments Infrastructure

Coinbase works with payment processors across the globe. We have seen a lot of insecure APIs. Interested in seeing what problems are in these payment networks that move billions of dollars daily and how Coinbase remediates these issues using common AppSec tools.

Speakers

Nishil Shah

Coinbase

Monday February 24, 2020 11:10am - 12:00pm PST
Embarcadero City View at Metreon

Talk

11:25am PST

If you’re not using SSH certificates you’re doing SSH wrong

Lightning Talk - Based on a popular blog post of the same name (over 50,000 unique views in the first 30 days) this lightning talk challenges the listener to reconsider using keys for SSH access, and instead use SSH Certificates.
https://smallstep.com/blog/use-ssh-certificates/

Speakers

Mike Malone

VP of Product, Smallstep

Mike Malone is the founder and CEO at smallstep based in San Francisco. Smallstep is building proper production identity. We are making it possible for every developer, operator, and logical system component (microservice, container, cron job, function, VM, device, etc) to have a... Read More →

Monday February 24, 2020 11:25am - 11:35am PST
Theater 15 AMC at Metreon

Talk, Lightning Talk

11:35am PST

Mistakes we made integrating security scanning into CI/CD

It was 8AM, Slack showed 124 new unread messages and climbing. Our security scanner had broken every build pipeline. Do you want to know why? Are you curious to know the steps we took to bounce back? Do you want to learn from our mistakes?

Speakers

Dinesh Chandrasekaran

Dinesh has 10+ years of experience in Application/Cloud security, DevSecOps, Third party risk management and consulting. He loves to break things, however though, in recent times he is beginning to feel that building is more fun.

Moses Schwartz

Box

MistakesWeMade pdf

Monday February 24, 2020 11:35am - 12:00pm PST
Theater 14 AMC at Metreon

Talk

11:35am PST

The GCP metadata API; security considerations, vulnerabilities, and remediations

Some folks know about the AWS metadata API and its security implications. Here I'll talk about the GCP metadata API and its security implications. GCP has extra protections, but a lot more at stake. I'll cover ways to attack and defend the GCP metadata API, and the risk it brings to your org.

Speakers

Dylan Ayrey

I'm a Senior Security. I've been heavily involved in the open source community for a few years, and I've been doing my best to bring security practices into the cloud/devsecops world

Allison Donovan

Cruise

Allison Donovan is a security researcher who specializes in cloud-based platforms and devices. She is currently employed as a Senior Infrastructure Security Engineer at Cruise, where she secures cloud-based environments at scale, and previously she worked at Microsoft on mobile application... Read More →

Monday February 24, 2020 11:35am - 12:00pm PST
Theater 16 (IMAX) AMC at Metreon

Talk

11:40am PST

San-Serif Rules Everything Around Me

Lightning Talk - Lowercase L and uppercase i look exactly the same when used in Sans-Serif fonts. Apple iMessage, Gmail, Facebook, and Twitter all display urls in mixed case San-Serif fonts. This opens up the potential for very simple and highly effective phishing attacks.

Speakers

Travis Knapp-Prasek

I'm passionate about all things information security related with a strong interest in red and blue teaming. I attended the City College of San Francisco where I competed in the CCDC and CPTC. I'm a surfer, skateboarder, snowboarder, and bicyclist. I've been proud to call San Francisco... Read More →

Monday February 24, 2020 11:40am - 11:50am PST
Theater 15 AMC at Metreon

Talk, Lightning Talk

12:00pm PST

Lunch

Monday February 24, 2020 12:00pm - 1:30pm PST
Participation Hall City View at Metreon

Food & Drink

12:30pm PST

Sponsor Raffle

Monday February 24, 2020 12:30pm - 1:00pm PST
Participation Hall City View at Metreon

General

1:30pm PST

Chrome extension risks and you

An often overlooked risk in Google Chrome are the thousands of unique Chrome extensions installed by your users. We will cover examples of risky and malicious (sometimes popular) extensions and share how Lyft strategically reduced risk at scale with lessons learned along the way.

Speakers

Chris Barcellos

Lyft

I’m a Security engineer and work in The Red Team at Lyft. I enjoy breaking into systems, security research, and helping teams improve their security. In my previous roles I worked on AppSec, Incident Response, and Network Engineering. I enjoy paddle boarding in the bay and growing... Read More →

Abhi Kafle

Security Engineer, Lyft

Abhi works in the product security team at Lyft. Before Lyft he has worked with Box and NCCgroup. When not fiddling with applications, he enjoys playing ping pong and practicing mindfulness.

Chrome Extension risks and you BSidesSF 2020 pdf

Monday February 24, 2020 1:30pm - 1:55pm PST
Theater 14 AMC at Metreon

Talk

1:30pm PST

What should—and shouldn’t—scare you about Kubernetes and containers

Kubernetes and containers change a lot of how apps are built, deployed, and secured… or do they? Let’s cut through the hype and see what’s same-old-same-old versus actually new, then talk about the chance we’ve got to do security better together. An opinionated but lingo-free talk for all levels.

Speakers

Connor Gilbert

Senior Product Manager, StackRox

What should—and shouldn’t—scare you about Kubernetes (BSidesSF 2020) pdf

Monday February 24, 2020 1:30pm - 1:55pm PST
Theater 16 (IMAX) AMC at Metreon

Talk

1:30pm PST

OTR: Campaign Security is Hard

Off The Record (unrecorded)
This session is an off-the-record discussion of cybersecurity challenges pertaining to political campaigns.

Speakers

Fred Wulff

Fred led the data infrastructure team at the Hillary 2016 campaign. He enjoys diagnosing Vertica outages and long walks through John Podesta's email inbox. Wait. No. The opposite of that.

Dylan Ayrey

I'm a Senior Security. I've been heavily involved in the open source community for a few years, and I've been doing my best to bring security practices into the cloud/devsecops world

Michael E Fisher

Fisher most recently served as Chief Technology Officer for U.S. Senator Cory Booker's presidential campaign. Before that, he bounced around in engineering management at political orgs (Hillary for America and the DNC) and a mattress company (Casper). In his spare time -- well, all... Read More →

Monday February 24, 2020 1:30pm - 2:20pm PST
Theater 15 AMC at Metreon

Talk, OTR

1:30pm PST

Panel: Lessons Learned from the DevSecOps Trenches

A frank discussion with security team leads at several forward-thinking companies on how they’ve built and scaled their security programs. What worked, what failed, and more. No topics are off-limits, no holds will be barred, and chanting will be encouraged (“Jerry! Jerry!”)

Speakers

Clint Gibler

Research Director, NCC Group

Clint Gibler (@clintgibler) is a Research Director at NCC Group, a global information assurance specialist providing organizations with security consulting services. He’s helped companies implement security automation and DevSecOps best practices as well as performed penetration... Read More →

Zane Lackey

Chief Security Officer, Signal Sciences

Zane Lackey is the Co-Founder / Chief Security Officer at Signal Sciences and the Author of Building a Modern Security Program (O’Reilly Media). He serves on multiple public and private advisory boards and is an investor in emerging cybersecurity companies. Prior to co-founding... Read More →

Astha Singhal

Director of Security, Netflix

Astha Singhal leads the Workforce and Infrastructure Security team at Netflix that secures all technology assets that help Netflix run its business, product and workforce. She is a security engineer by qualification who is passionate about proactive security and developer enablement... Read More →

Justine Osborne

Apple

Justine manages an Offensive Security team at Apple, where she guides offensive operations, security assessments, and vulnerability research. She has over ten years of industry experience both building and breaking things, previously at Square, NCC Group, and iSEC partners. She has... Read More →

Doug DePerry

Datadog

Doug DePerry has held multiple positions in his three years at Datadog, including Director of Product Security and currently, Director of Defense. Prior to his current position, Doug lead the bug bounty program at Yahoo. Much of his 12+ years of experience in the security industry... Read More →

Monday February 24, 2020 1:30pm - 2:20pm PST
Embarcadero City View at Metreon

Talk, Panel

2:00pm PST

From cockroaches to marble floors: What happens when you turn on the lights?

Eliminating the false distinction between security bugs and other software defects can greatly reduce the risk of security breaches, improve product quality and align builders around the same goals. We'll present practical tools & methodologies that will transform your software security posture

Speakers

Daniel Tobin

Security Lead, Cyral Inc

Daniel has 15+ years experience in the creation and deployment of solutions protecting networks, systems and information assets. He has a Masters of Science in Networking and Telecommunications from the University of Pennsylvania and is a former Director of Security, DevOps and IT... Read More →

Paul Karayan

Engineer, Irregular Engineering

Paul Karayan has built a 10+ year Silicon Valley career around developing and industrializing software products. Paul's love for automation developed during his early career as a scientist (A.B. Duke University, M.S. University of California, Berkeley), which also explains why he's... Read More →

Monday February 24, 2020 2:00pm - 2:25pm PST
Theater 16 (IMAX) AMC at Metreon

Talk

2:00pm PST

Leveraging Osquery for DFIR at scale

Security Breaches are happening every other week - understanding the anatomy of an attack is a daunting task that Incident Responders face. Attackers will leave behind breadcrumbs. Forensics tools can be time & resource intensive. Can we explore an alternate method to fast track the IR process?

Speakers

Sohini Mukherjee

Security Researcher, Adobe

Sohini Mukherjee is a Security Researcher at Adobe. Sohini is a Blue Team evangelist and is GCIH, GCFA, GPEN Certified and is a SANS/GIAC Advisory Board Member. She has been a Speaker at the first BSides Singapore 2019.

osquery in DFIR BSides Final pptx

Monday February 24, 2020 2:00pm - 2:25pm PST
Theater 14 AMC at Metreon

Talk

2:30pm PST

2FA in 2020 and Beyond

This talk will explore the modern landscape of 2FA. With a data driven analysis of the tradeoffs between different types of factors, we'll dive into a detailed comparison of cryptographic security strength and UX for methods like SMS, Soft Tokens, Push Authentication, and WebAuthn.

Speakers

Kelley Robinson

Security Developer Advocate, Twilio

Kelley works on the Account Security team at Twilio, helping developers manage and secure customer identity in their software applications. Previously she worked in a variety of API platform and data engineering roles at startups. Her research focuses on authentication user experience... Read More →

bsides sf 2fa 2020 pdf

Monday February 24, 2020 2:30pm - 2:55pm PST
Theater 16 (IMAX) AMC at Metreon

Talk

2:30pm PST

So you’re the first security hire: Creating a security program and integrating security into your company’s culture

You're the first security hire at a company, where do you start? How do you keep the company from getting hacked without getting in the way? How do you integrate security into the culture of the business? I'll cover the critical areas to focus on, implementation steps, and first-hand examples.

Speakers

Bryan Zimmer

Head of Security, Humu

Bryan is the Head of Security at Humu. He previously worked for Netflix, where he successfully migrated the company to LISA, one of the first Zero Trust architectures outside of Google’s BeyondCorp. He’s also worked in the federal, finance, and education sectors, and presented... Read More →

Startup Security Talk Public pdf

Monday February 24, 2020 2:30pm - 2:55pm PST
Theater 14 AMC at Metreon

Talk

2:30pm PST

OTR: Campfire Stories of Vendor Security Horror

Off The Record (unrecorded)
It’s a dark and stormy night. You open your email and there you see it: a response from a 3rd party software company too horrific to be believed. What began as a simple “can we buy this” now becomes your waking nightmare. Should you run away or face this monster? You’re not alone; stay awhile and listen...

It’s campfire time! Tonight’s scary story? Vendor security diligence gone mad. Come join our group of seasoned vendor security experts as they pass around the flashlight and tell spooky tales of negotiation, testing, contracting, and integration with 3rd party boogeymen of all shapes and sizes. But have courage! We have survived, and through our lessons you can too.

Speakers

Kyle Tobener

VP, Head of Security, Copado

Chris John Riley

Google

Chris John Riley is a Senior Security Engineer at Google, where he leads the vendor security assessments program. In his spare time, Chris collects books (that he never finds time to read), and spends his weekend taking long romantic walks from the sofa to the kitchen (mostly for... Read More →

Monday February 24, 2020 2:30pm - 3:20pm PST
Theater 15 AMC at Metreon

Talk, OTR

2:30pm PST

Real Time Vulnerability Alerting by Using Principles from the United States Tsunami Warning Center

Harness public data and apply data analytics principles from US Tsunami Warning Center to cut through the noise and get real-time time alerts only for highly seismic vulnerabilities. Make vulnerability fatigue a thing of the past.

Speakers

Amol Sarwate

VP of Threat Research, Fidelis Cybersecurity

Amol Sarwate heads Fidelis and CloudPassage worldwide threat and security research lab responsible for Network, Endpoint and Cloud. He has devoted his career to protecting, securing, and educating the community from security threats. Sarwate has presented his research on cloud security... Read More →

Monday February 24, 2020 2:30pm - 3:20pm PST
Embarcadero City View at Metreon

Talk

3:00pm PST

Creating Data-Driven Threat Intelligence Signals in a “Zero Trust” Environment

As network architecture changed over the years, threat intelligence in a “Zero Trust” environment should be re-shaped into a dynamic signal-based indicator of threats that are associated with organization entities and empowered by a variety of data sources.

Speakers

Or Katz

Researcher, Akamai technologies

Or Katz is a security veteran, with years of experience at industry leading vendors, currently serves as principal lead security researcher for Akamai. Katz is a frequent Speaker in security conferences and published numerous articles, blogs and white papers on threat intelligence... Read More →

Monday February 24, 2020 3:00pm - 3:25pm PST
Theater 14 AMC at Metreon

Talk

3:00pm PST

Security Learns to Sprint: DevSecOps

This talk will explain what security teams needs to adjust in order to turn DevOps into DevSecOps within their organizations. Several strategies are presented for weaving security into each of the "Three Ways", with clear steps audience members can start implementing immediately.

Speakers

Tanya Janca

CEO and Founder, We Hack Purple

Security Learns to Sprint Solo pptx

Monday February 24, 2020 3:00pm - 3:25pm PST
Theater 16 (IMAX) AMC at Metreon

Talk

3:30pm PST

How to 10X Your Company’s Security (Without a Series D)

I’ll summarize and distill the insights, unique tips and tricks, and actionable lessons learned from a vast number of DevSecOps/modern AppSec talks and blog posts, saving attendees 100s of hours. I’ll show where we’ve been, where we’re going, and provide a lengthy bibliography for further review.

Speakers

Clint Gibler

Research Director, NCC Group

Monday February 24, 2020 3:30pm - 4:20pm PST
Embarcadero City View at Metreon

Talk

3:30pm PST

OTR: Tears from The Cloud

Off The Record (unrecorded) "When ‘getting pwned’ doesn’t even fully describe what happened" When building your systems and infrastructure in the cloud, you should always consider the attack vectors that you open yourself up to and continually strive to proactively close them. It is common knowledge that when bringing up cloud computing resources you should implement controls such as preventing SSH logins as the root user, disabling password authentication for all users, and limiting which IP addresses can talk to the different services on your virtual machines, as well as requiring multifactor authentication for employees accessing cloud control panels. You can be fairly certain that an alarm would go off if an attacker was able to gain access, and that their access would be limited. But what happens if an attacker takes a different path and your infrastructure provider is compromised instead? Are your systems protected from that vector, and will your heuristics catch it? In this talk, we will tell a story, not from Netflix, but from the not too distant past around a successful targeted attack against a company using infrastructure providers as the vector. Details surrounding the methods used by the attacker will be shared, including the steps they took to attempt to cover their tracks. We will also look at how the attackers attempted to regain access after the initial vector was closed. Finally, we will look at what steps you can take to help mitigate the risks you incur if your infrastructure provider is compromised.

Speakers

Tim Heckman

SRE, Netflix

Tim is a Site Reliability Engineer at Netflix, working on the team responsible for the reliability of the Streaming Platform. Prior to becoming an SRE at Netflix, he worked at startups in roles focused on the operation, reliability, and security of their applications and infrastructure... Read More →

Monday February 24, 2020 3:30pm - 4:20pm PST
Theater 15 AMC at Metreon

Talk, OTR

4:00pm PST

Phishy Little Liars - Pretexts That Kill

The 'IT Guy' is the Nigerian Prince of Pretexts. As bad actors begin to use more specialized pretexts, so too should Pentesters use more specialized, custom pretexts during assessments. Learn to make custom pretexts that fly under the radar and won’t raise any red flags using target specific data.

Speakers

Alethe Denis

Vice President, Dragonfly Security

Alethe Denis is a social engineer who specializes in open-source intelligence (OSINT) and phishing, specifically voice elicitation or phishing over the phone. Awarded a DEF CON Black Badge at DEFCON 27 for Winning the Social Engineering Capture the Flag (SECTF) contest, she is the... Read More →

Phishy Little Liars BSidesSF Presentation pdf

Monday February 24, 2020 4:00pm - 4:25pm PST
Theater 16 (IMAX) AMC at Metreon

Talk

4:00pm PST

When GDPR and CCPA strike: Silver lining for security teams in data protection clouds

Data protection obligations can be an ally to the security team instead of a burden. Having a good understanding of them helps inform security risk modeling and prioritization, secure buy-in when setting the agenda of a security program, and reduce overall liability exposure of the organization.

Speakers

Rafae Bhatti

Mode

Rafae Bhatti is a data protection expert and a lawyer who works with cloud-based start-ups in Silicon Valley to help build their cybersecurity and compliance programs. He is currently the Director of Security and Compliance at Mode. He is a speaker and a published author in the area... Read More →

BSides Presentation When GDPR and CCPA strike pdf

Monday February 24, 2020 4:00pm - 4:25pm PST
Theater 14 AMC at Metreon

Talk

4:30pm PST

How To Write Like It's Your Job

Hackers thought they could avoid formal essays, but SURPRISE! They still have to write about exploits. And writing is hard. But it's ok, I'm here to help with practical advice for security writers - how to start and finish, tools to consider, and what to check for to present professional work.

Speakers

Brianne Hughes

Bishop Fox

As a technical editor and now technical marketing writer for Bishop Fox, Brianne Hughes works with consultants to shape their findings and share their research. She compiled the style guide available at cybersecuritystyleguide.com and hosted SpellCheck: The Hacker Spelling Bee at... Read More →

Monday February 24, 2020 4:30pm - 4:55pm PST
Theater 14 AMC at Metreon

Talk

4:30pm PST

RIS-ky Business: Exploiting Medical Information Systems

The security of medical devices has been a hot topic in the news the past few years. This presentation gives an overview of medical specific protocols, the architecture of a medical information system, and how an attacker can leverage these to chain exploits and gain access to patient information!

Speakers

Jacob Brackett

One Medical

Jacob is a member of the Application Security team at One Medical. He has spent the last year and a half evaluating medical devices and systems developed both internally at the company and externally through One Medical's vendor security program.

Monday February 24, 2020 4:30pm - 4:55pm PST
Theater 16 (IMAX) AMC at Metreon

Talk

4:30pm PST

Panel: Mental Health for Hackers: Contents Under Pressure

Pressures and stress affect both professional and personal lives within infosec. This panel will introduce mental health for hackers, and discuss issues including burnout, depression, anxiety and other topics. The conversation will help build a supportive culture.

Speakers

Chloé Messdaghi

CEO and Founder, Global Secure Partners

Ryan K. Louie, MD, PhD

Psychiatrist, Vituity

Ryan K. Louie, MD, PhD is a board-certified psychiatrist focusing on the mental health impact of cybersecurity, and the psychiatry of entrepreneurship. Ryan received his MD and PhD degrees from the Stanford University School of Medicine, and completed residency training in psychiatry... Read More →

Susan Peediyakkal

Infosec Operations Manager, NASA Ames Research Center

With over 17 years of IT and cybersecurity experience, focused primarily on Cyber Threat Intelligence (CTI), Panelist 2 draws on her significant knowledge from working with various intelligence operations in the federal government and international commercial domains. Her career began... Read More →

Monday February 24, 2020 4:30pm - 5:20pm PST
Embarcadero City View at Metreon

Talk, Panel

5:00pm PST

An Effective Approach to Software Obfuscation

Understanding the essential aspects that make up obfuscation allows us to see the fundamental flaw with modern obfuscation implementations and the right way to approach it. We use examples of modern obfuscation techniques to illustrate our points and demonstrate an example of the correct approach.

Speakers

Yu-Jye Tung

University of California, Irvine

Yu-Jye Tung is currently a graduate student at the University of California, Irvine working on creating an IoT Cyber Test Range under supervision of Professor Ian Harris. Yu-Jye also has interest in software (de)obfuscation, and making tools that assist or simplify a reverse engineer's... Read More →

BsidesSF presentation pdf

Monday February 24, 2020 5:00pm - 5:25pm PST
Theater 16 (IMAX) AMC at Metreon

Talk

5:00pm PST

East vs West: How The Coasts Approach Information Security Differently

How Wall Street and Silicon Valley fundamentally differ in their approaches to information security, and what one can learn from the other...this talk will be useful to the assessor/auditor, the advisor, the operator and anyone generally interested in information security

Speakers

Sourya Biswas

NCC Group

I'm a Principal Security Consultant in the Risk Management & Governance (RM&G) practice at NCC Group, a security consulting firm headquartered and listed in the UK with a major and growing US subsidiary. I have 14 years of experience in Information Risk and Security, and hold an undergrad... Read More →

Monday February 24, 2020 5:00pm - 5:25pm PST
Theater 14 AMC at Metreon

Talk

5:40pm PST

Closing Ceremony

We will be discussing the logistics and joys of organizing the event. Come hear how it all gets put together and who helps us out!

Speakers

Reed Loden

VP of Security, Teleport

Monday February 24, 2020 5:40pm - 6:30pm PST
Embarcadero City View at Metreon

Closing Ceremony