BSidesSF 2020 has ended


Saturday, February 22
 

9:00am PST

Go the Wrong Way

Event locked in Sched to limit confusion, see registration to determine current session availability.
Event held offsite, location to be announced (NOT METREON!)
Registration at https://bsidessf.regfox.com/2020 REQUIRED (cannot be reserved with Sched)

Good developers study documentation carefully and thoroughly understand their language. However, some people just want to code fast, break into things, and skip over the details. This workshop is for them.

Even if you've never programmed before, you can make simple attack tools in Go. We'll use a fun, CTF-style training environment. There are complete step-by-step instructions for the easier challenges, and harder challenges for those who are ready. You'll develop your own tools to perform port scanning, banner grabbing, login brute forcing, cracking password hashes, and encryption.

Students need a computer with a Web browser, and a credit card or bank account, so they can sign up for free Google Cloud services.
No other hardware or software is necessary.
All materials are freely available at samsclass.info and will remain available after the workshop ends.

Speakers

Sam Bowne

Professor
Sam Bowne is the founder of Infosec Decoded, Inc. and an instructor at City College San Francisco, and has been teaching hacking and security classes for ten years. He has presented talks and workshops at Defcon, HOPE, RSA, BSidesLV, BSidesSF, and many other conferences. He has a...

Elizabeth Biddlecome

software engineer, free agent
Elizabeth Biddlecome is a lead instructor at Infosec Decoded, Inc., a consultant, and a part-time instructor at City College San Francisco, delivering technical training and mentorship to students and professionals. She is also the coach of the award-winning CCSF cybercompetition team...

Sponsors

HashiCorp

Workshop


Saturday February 22, 2020 9:00am - 11:45am PST
Town Hall HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

9:00am PST

Hands On Secure Code Review

Event locked in Sched to limit confusion, see registration to determine current session availability.
Event held offsite, location to be announced (NOT METREON!)
Registration at https://bsidessf.regfox.com/2020 REQUIRED (cannot be reserved with Sched)

A shortened version of Seth & Ken's Excellent Adventures in Secure Code Review. This workshop addresses common challenges in modern secure code review through hands on review of open source projects as brought by attendees. Seth will quickly introduce the Absolute AppSec Secure Code Review Framework and guide attendees in reviewing open source projects of their choosing using this framework.

Come practice your secure code review technique and learn from our past adventures in performing hundreds of code reviews and the lessons we’ve learned along the way. We will implement our methodology over the course of a couple of hours and perform security analysis of the chosen repositories to attempt to suss out security flaws, no matter the size of the code base, or the framework, or the language.

As a student you will be expected to bring a laptop, an IDE, and an open source project for review during the workshop. Seth will introduce the methodology, techniques, approaches, and tools used by Seth Law and Ken Johnson to understand code flows, trace user input, identify vulnerabilities, and effectively secure an application code base.

Speakers

Seth Law

President and Principal Security Consultant, Redpoint Security, Inc.
Seth Law is the President and Principal Consultant at Redpoint Security, Inc. (rdpt.io). During the last 15 years, Seth has worked within multiple security disciplines, including application development, cloud architecture, and network protection, both as a manager and individual...

Sponsors

HashiCorp

Workshop


Saturday February 22, 2020 9:00am - 11:45am PST
Vagrant HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

9:00am PST

If This Then Hack: An Intro to DIY Cloud Security Automation with Python

Event locked in Sched to limit confusion, see registration to determine current session availability.
Event held offsite, location to be announced (NOT METREON!)
Registration at https://bsidessf.regfox.com/2020 REQUIRED (cannot be reserved with Sched)

Security engineers face the daily task of detecting, responding to, and remediating incidents in both cloud and on-premise environments. Recent high-profile breaches have highlighted that even the organizations we would expect to have fine-tuned and automated security programs often have critical blind spots. Automating your incident response and detection workflows into existing pipelines can save time and manual analyst effort, which results in faster resolution times. There are any number of vendors that will happily take your money, but we can start to build our own DIY alternative with just some artisanal Python and the tools we already have.

Our workshop will discuss the core principles of what it takes to build your own automation tools for cloud security, from detecting events to automatically remediating them. We won't be using toy examples: we'll be using the security tools we have used in industry, like Splunk and Jira, to build realistic end-to-end automation workflows. Students in our workshop will learn how to integrate the following flow: 1) identify an event (in public cloud), 2) produce and capture the details of the event in Splunk and create a ticket in Jira, 3) automatically enrich this data and create the appropriate automated remediation response. These steps can be completed to eliminate manual overhead on detection in the cloud as well as to ensure proper delegation to the appropriate team (incident response team, compliance, engineering teams, or other). With the use of simple Python scripts, students will learn how they can build a simple yet fundamental security automation system.

The approach to building automation you will learn in this workshop is applicable to any kind of ticket-centric operations environment, not just security. We want to pull back the curtain on "security automation" and show that it really isn't magic, it's just a bit of code in the right places.

Requirements:
Students should be comfortable with basic Python scripting (at a minimum, able to write functions, loops, and conditionals without consulting documentation) and should be familiar with security terminology. The student who stands to gain the most from this course is one with professional experience in security and an interest in developing new skills in applying programming to automate their work.

Speakers

Moses Schwartz

Box
Moses is a staff security engineer working on the Box Security Automation team. He's part software developer and part security researcher, with over 10 years of experience in industry and government. Nothing hurts him more than watching someone do a tedious, manual task that could be...

Ashish Patel

Security Engineer, Box
Ashish Patel is a security engineer on the Box Infrastructure Security team. He usually lives in the realm of cloud security and automating security related tasks that scale across multiple clouds & attack surfaces. 

Sponsors

HashiCorp

Workshop


Saturday February 22, 2020 9:00am - 11:45am PST
Terraform HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

9:00am PST

Threat Modeling Cloud Applications

Event locked in Sched to limit confusion, see registration to determine current session availability.
Event held offsite, location to be announced (NOT METREON!)
Registration at https://bsidessf.regfox.com/2020 REQUIRED (cannot be reserved with Sched)

Developers and security practitioners face challenges in securing their cloud applications. As applications move to cloud environments, new threat vectors are introduced that change the attack surface of the application. As a result, threat modeling becomes a critical step in the software development process.

A comprehensive threat model will help teams identify, manage, and communicate the potential risks of their cloud applications, regardless of exploitability. A continuous threat modeling process will enable teams to measure the effectiveness of security controls by monitoring vulnerability trends across release cycles.

In this course attendees will learn the fundamentals of threat modeling, create a detailed Data Flow Diagram, and map possible threats to their application hosted on platforms like AWS, GCP, Azure, etc. They will also brainstorm and formulate threat modeling practices that can be incorporated into any SDLC process.

Speakers

Anurag Dwivedy

Anurag is a Sr. Information Security Engineer in the Application Security Team at Cisco. He has more than four years of experience in secure software development. He is interested in the fields of web application security and mobile application security. Anurag holds a Master of...

Gagan Rajput

Gagan Rajput works as a Senior Cloud and Application Security Engineer in the Cisco InfoSec team, where he is responsible for reviewing secure architecture for applications, evaluating third-party cloud service providers, and providing training to security advocates. He has a Master's...

Sponsors

HashiCorp

Workshop


Saturday February 22, 2020 9:00am - 11:45am PST
Vault HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

12:45pm PST

Signature and Socket Based Malware Detection with osquery and Yara

Event held offsite, location to be announced (NOT METREON!)
Registration at https://bsidessf.regfox.com/2020 REQUIRED (cannot be reserved with Sched)

In this interactive session, students will learn how to use osquery and Yara to detect malware on Windows, Mac, Linux, and containerized environments. Detection methods will include whitelist- and blacklist-based network socket approaches as well as file-hash and Yara signature-based approaches.

There are no prerequisites for this course. Some experience with osquery or SQL is helpful, but not required.

Speakers

Julian Wayte

Julian Wayte is a Security Solutions Engineer for Uptycs. In this role, he helps organizations architect security solutions based on endpoint telemetry and automated workflows in order to solve a variety of security use cases. Julian loves working with and teaching osquery...

Sponsors

HashiCorp

Workshop


Saturday February 22, 2020 12:45pm - 3:00pm PST
Terraform HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

12:45pm PST

A hands-on, beginner's introduction to web application security

Event locked in Sched to limit confusion, see registration to determine current session availability.
Event held offsite, location to be announced (NOT METREON!)
Registration at https://bsidessf.regfox.com/2020 REQUIRED (cannot be reserved with Sched)

This course is designed for anyone who has little to no knowledge about web application security, but wants to either (a) learn more about it; or (b) start developing the skillsets needed to be effective in testing web applications for security vulnerabilities.

This course will start from absolute zero, and aim to provide all the definitions, tooling, and guidance you will need to get started with web application security testing. Students of this course will leave the session with a comfortable understanding of some common web application vulnerability classes, how to identify them, what risks they pose, and how they could be exploited in the wild.

Nothing more than a functioning laptop is needed for this course. If you happen to be able to install a VM, that may prove to be helpful, but again the stated and explicit goal of this course is to leave no one behind, and to give everyone an opportunity to start learning an invaluable skillset that can be immensely helpful in advancing one's career, or just general understanding of how webapp vulns look and function. If you've ever been interested in web application security, this class is an excellent opportunity to start.

Do be aware that this is a fairly long class, and to get the most out of it, we strongly recommend staying engaged through the entirety of it. Also, be sure to ask questions - the goal is to make sure that you're enabled, not confused.

NOTE: as such, this class is not intended for advanced or intermediate web application security practitioners, as persons with those skillsets will likely find this class to be very basic in the level of depth and concepts covered.

Speakers

Grant McCracken

Solutions Architect, Bugcrowd
Grant is currently the Director of Program Operations and Solutions at Bugcrowd, and has been in the application security space for the last eight years, and in bug bounties for the last five. He's gotten his OSCP, given talks at Appsec USA and EU, and enjoys helping others get into...

Kevin Hemmingsen

Kevin Hemmingsen is the Manager of Solutions Architecture at Bugcrowd, and has helped launch and oversee the management of hundreds of bug bounty programs.

Sponsors

HashiCorp

Workshop


Saturday February 22, 2020 12:45pm - 6:00pm PST
Vagrant HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

12:45pm PST

Finding Evil CTF using MITRE ATT&CK, Zeek and Elastic SIEM

Event locked in Sched to limit confusion, see registration to determine current session availability.
Event held offsite, location to be announced (NOT METREON!)
Registration at https://bsidessf.regfox.com/2020 REQUIRED (cannot be reserved with Sched)

During this hands-on workshop we will introduce Zeek and the Elastic Stack and teach you how to use both tools together. We will focus on Threat Hunting and Incident Response using Kibana and MITRE ATT&CK™. We will conclude with a capstone capture-the-flag exercise where you will be using Kibana and Zeek data to hunt real-world threats in modern APT scenarios. At the conclusion, we’ll review the scenarios, answer questions, and recognize our CTF winners.

Zeek (formerly Bro) is an open-source network security monitoring tool that SOCs use to correlate events and find relevant data. The Elastic SIEM is commonly used by security analysts to aggregate and analyze security events, including network security monitoring data. The integration between Zeek and Elastic allows defenders to easily ingest and analyze events on their network.

Speakers

Matteo Rebeschini

Principal Solutions Architect, Elastic
Matteo Rebeschini is a Security Specialist at Elastic, based out of Boulder, Colorado. Matteo helps Elastic customers architect solutions based on Elastic SIEM and Endpoint Security to protect their data and assets from attack. Matteo has 20+ years of experience in the cybersecurity...

Aaron Soto

Director of Learning, Corelight
Aaron Soto is at Corelight, teaching users about the Zeek (formerly Bro) network monitoring platform. He has recently been part of the Metasploit development team, DEF CON’s OpenSOC blue team CTF, and training UT Austin students on both defensive and offensive techniques. His passion...

Sponsors

HashiCorp

Workshop


Saturday February 22, 2020 12:45pm - 6:00pm PST
Town Hall HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

12:45pm PST

Fundamentals of AD hacking

Event locked in Sched to limit confusion, see registration to determine current session availability.
Event held offsite, location to be announced (NOT METREON!)
Registration at https://bsidessf.regfox.com/2020 REQUIRED (cannot be reserved with Sched)

The workshop will cover the fundamentals of modern Active Directory hacking. Attendees are not required to have any previous knowledge or experience in the field. The course is intended to cover the basics before jumping into more advanced material.
A hands-on lab will be provided to all attendees. The lab consists of a fully patched Active Directory environment with multiple computers. By the end of the workshop, attendees will be able to apply the techniques learned to fully compromise the lab environment.

Speakers

Daniel Nemeth

Daniel Nemeth has more than 6 years of international experience as a penetration tester. He has worked in Hungary, Australia and now in New Zealand for ZX Security. He acquired the following certifications: OSCP, OSCE, GMOB, CRTE and OSWE.

Claudio Contin

Lead Security Consultant, ZX Security
Claudio Contin (@claudiocontin) is a security consultant with ZX Security in Wellington. Before working in security, he spent several years developing web applications. He has presented at Defcon (Demo Labs), Black Hat (Arsenal), Bsides SF, Kiwicon and OWASP conferences. During his...

Sponsors

HashiCorp

Workshop


Saturday February 22, 2020 12:45pm - 6:00pm PST
Vault HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105

3:30pm PST

Using Built-in Kubernetes Controls to Secure Your Applications

Event locked in Sched to limit confusion, see registration to determine current session availability.
Event held offsite, location to be announced (NOT METREON!)
Registration at https://bsidessf.regfox.com/2020 REQUIRED (cannot be reserved with Sched)

If you're new to Kubernetes, you might wonder about some of the things you've heard... does everything really run as root? Are there really no firewall rules? Well... yes. But you can fix that!

Once you get your Kubernetes deployments, services, and other resources set up, it’s tempting to take a break. But don’t stop with the default configurations—Kubernetes has a ton of built-in options and features you can use to improve your security.

This hands-on session covers many of the configurations you can use to make a Kubernetes app more secure. We’ll pick apart the security context together and run deployments with read-only root file systems, non-root users, and limited capabilities. Then we’ll dig into features like network policies and admission control, configs like resource limits, and practices like namespacing and consistent metadata. And, of course, we’ll learn how these help you deliver a more reliable and secure app, and will cover basic infrastructure security practices as well.

It would be best to have some basic Kubernetes experience, but you should be able to follow along with the provided examples and background discussion even if you haven't gotten your hands dirty before.

Speakers

Connor Gilbert

Senior Product Manager, StackRox
Connor Gilbert is a senior product manager at StackRox, a Kubernetes security company. He has presented at BSides SF, Google Next, and Cloud Native Rejekts; hosted Cloud Native Computing Foundation (CNCF) webinars; and published CNCF blogs on cloud-native security topics. Connor was...

Sponsors

HashiCorp

Workshop



Saturday February 22, 2020 3:30pm - 6:00pm PST
Terraform HashiCorp SF Office 101 2nd St #700, San Francisco, CA 94105
 
Sunday, February 23
 

9:00am PST

Breakfast
Sponsors

Capsule8

Breakfast


Sunday February 23, 2020 9:00am - 10:00am PST
Participation Hall City View at Metreon

9:00am PST

Coffee
Sunday February 23, 2020 9:00am - 4:00pm PST
Participation Hall City View at Metreon

9:00am PST

Capture the Flag
The CTF is back, complete with a silent disco this year! As always, everyone is welcome to participate as the competition features a range of challenges at all difficulty levels. In case you find yourself in need of assistance, we have folks onsite who can provide hints and guidance. All that is needed to participate is a laptop.

The server is available all weekend long, and anyone is welcome to play. Server information is at https://bsidessf.org/ctf.html.

At least one player must be onsite to claim any prizes won.

Sponsors

Pinterest

Capture the Flag


Sunday February 23, 2020 9:00am - 5:00pm PST
Embarcadero City View at Metreon

9:00am PST

Sponsors
Visit the sponsor booths that line the walls of the Participant Hall and learn more about the companies that have made this year’s event possible. You’ll be introduced to new products, services, and career opportunities. At each booth you can also obtain one of the stamps you need to complete your Sponsor Passport (which can be found in the bag you received at registration).

Sunday February 23, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

9:00am PST

Car Hacking Village
The Car Hacking Village is excited to share the fun of car hacking at BSidesSF.
What we’ll bring: Computers, Vehicle Simulator!
What you’ll need: Hands, Eyes, Thirst for knowledge.
What you’ll do: Hands-on CTF/Learning. We’ll provide a computer, hardware, and a “Getting Started” sheet. You’ll earn points for each simulated vehicle component you hack. You’ll earn points. You’ll win! We’ll win! Everyone wins!
Please visit CarHackingVillage.com or check out our twitter @CarHackVillage for fun and information.

Sponsors

cmd

Village

Gusto

Village


Sunday February 23, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

9:00am PST

Crypto & Privacy Village
Learn how to secure your own systems while also picking up tips and tricks on how to break classical and modern encryption at the Crypto & Privacy Village. The village features workshops and talks on a wide range of crypto and privacy topics, as well as crypto-related games and puzzles. Join us on Sunday at 4pm for a key-signing party!

Sponsors

cmd

Village

Gusto

Village


Sunday February 23, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

9:00am PST

IoT Village
Participate in self-guided, hands on labs focused on circumventing security controls found on common internet connected devices. You will experience how newly-discovered vulnerabilities were discovered, how they can be exploited, and how this could impact consumers.

1) Bypassing Security Controls in IoT Applications by ISE

Each device demonstrates a different set of exploits discovered by the ISE Labs team. These exploits include overcoming custom HTTP auth mechanisms, reverse-engineering proprietary TCP protocols, and more. Detailed walkthroughs will be provided along with the tools needed. The ISE Labs team will be available to help you and demonstrate live hacks at the top of every hour.


2) IoT Hacking 101 by Village Idiot Labs

Debuted at Defcon 27, this hands on lab gives attendees the opportunity to learn the tools, techniques, and some of the common weaknesses used in IoT device hacks. Whether you're a penetration tester that has never hacked IoT devices or even someone that has never hacked anything(!), this self-guided lab will walk you through all the steps from analyzing router firmware, finding hidden backdoors, enumerating devices and performing remote exploits. Students work at their own pace following our IoT Hacking 101 guide, and instructors are on hand to provide assistance as needed and answer any questions.


Brought to you by ISE (Independent Security Evaluators), Village Idiot Labs and IoT Village

Sponsors

cmd

Village

Gusto

Village


Sunday February 23, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

9:00am PST

Lockpick Village
Lockpick Extreme and TOOOL SF are back once again hosting Lockpick Village. Learn to lockpick from the TOOOL SF volunteers or practice what you already know with their assortment of locks and picks. When you’re done you can shop the Lockpick Extreme pop-up shop and take your new hobby home with you.

Sponsors

cmd

Village

Gusto

Village


Sunday February 23, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

9:00am PST

Bar and Chill Out
Take a break from the day’s events with a stop at the Bar and Chill Out Space. Two complimentary drink tickets were provided to you at registration. We already paid for them, so please use them!

Sponsors

Verizon Media

Daytime Bar & Chill Out Area


Sunday February 23, 2020 9:00am - 5:30pm PST
Bar City View at Metreon

9:00am PST

Registration
Sunday February 23, 2020 9:00am - 5:30pm PST
General City View at Metreon

9:00am PST

Info Desk
Sunday February 23, 2020 9:00am - 6:30pm PST
General City View at Metreon

9:00am PST

Coat Check
Sunday February 23, 2020 9:00am - 10:00pm PST
Coat Check City View at Metreon

10:00am PST

Opening Remarks
Speakers

Reed Loden

Director of Security, HackerOne
Reed Loden is the Director of Security at HackerOne, the #1 hacker-powered security platform. He is an information security expert, hacker, and developer. Reed brings over 14 years of security experience to his role at HackerOne, where he is charged with protecting the company’s...


Sunday February 23, 2020 10:00am - 10:15am PST
Embarcadero City View at Metreon

10:00am PST

Simulcast of the Keynote and Opening Remarks
Sunday February 23, 2020 10:00am - 11:00am PST
Theater 16 (IMAX) AMC at Metreon

10:15am PST

[Keynote] Give Away Security’s Legos: Dumping Traditional Security Teams
It’s common to hear of security teams that feel overwhelmed. They have too many alerts, too many design reviews, too many approvals, too many everything! What if I told you we can reduce risks and scale security by reducing what security teams do? How? By dumping the centralized, traditional security team.

Speakers

Fredrick "Flee" Lee

Fredrick “Flee” Lee is the Chief Security Officer at Gusto, where he leads information and physical security strategies including consumer protection, compliance, governance and risk. Before Gusto, Flee spent more than 15 years leading global information security and privacy efforts...


Sunday February 23, 2020 10:15am - 11:00am PST
Embarcadero City View at Metreon

11:00am PST

T-Shirt Sales
Sunday February 23, 2020 11:00am - 10:00pm PST
Coat Check City View at Metreon

11:05am PST

Checking your --privileged container
Docker provides a convenient --privileged flag to create "privileged containers" but what does it actually do? In this talk, we will explain the internals of how docker provides isolation, and what happens when these security features are disabled. Spoiler alert: trivial container escapes.

Speakers

Sam "Frenchie" Stewart

Cruise
Frenchie is far too biased to answer this question, and instead chooses to break the 4th wall. Originally from Batmania. Currently, he is part of the :robot: :car: Skynet prevention squad where he improvises the role of Infrastructure Security Engineering Manager at Cruise.

Maya Kaczorowski

Product Manager, Software Supply Chain Security, GitHub
Maya is a Product Manager for Software Supply Chain Security at GitHub. She was previously at Google, focused on container security, and encryption at rest and encryption key management. Prior to Google, she was at McKinsey & Company, and before that, completed her Master's in mathematics...



Sunday February 23, 2020 11:05am - 11:30am PST
Theater 16 (IMAX) AMC at Metreon

11:05am PST

Fantastic AWS Attacks and Where to Find them
Building better detections on our cloud infrastructure and knowing our enemies is a necessity for survival. I want to help the community by sharing our work on AWS and, by utilizing the ATT&CK framework, start building and operationalizing detections and alerting on AWS. Cloud defenders... it's our time!

Speakers

Georgios Kapoglis

Verizon Media
Georgios is an Incident Response Engineer at Verizon Media. He responds to security incidents at scale in a diverse environment with numerous technologies. Lately he has been heavily involved with Incident Response and Detections on AWS in possibly one of the biggest deployments...



Sunday February 23, 2020 11:05am - 11:30am PST
Theater 14 AMC at Metreon

11:10am PST

Graph Based Detection and Response with Grapl
Grapl is a Detection and Response Platform that centers around graph analytics services. By leveraging Graphs and Python Grapl makes it easier to build more powerful, behavior-oriented attack signatures and explore suspicious behaviors in your environment.

Speakers

Colin O'Brien

Colin is a security practitioner who has worked across multiple disciplines. Starting his career at Rapid7, he worked on a data science team, working with massive data sets to extract signal, and later moved to work directly on Rapid7's InsightIDR platform as a software engineer. After...


Sunday February 23, 2020 11:10am - 12:00pm PST
Embarcadero City View at Metreon

11:10am PST

Transform your presentation skills
Are you conference ready? Do you want to give a presentation that everyone is talking about? Then check out Transform your Presentation Skills for unique tips and tricks that will result in compelling content and improved confidence. Bay Area presentation experts Anne Ricketts and Hilary Spreiter from Lighthouse Communications will share best practices for: Delivering with Confidence, Managing Nervousness, Starting Strong with a hook, Getting Clear on your audience, intent, and message, Creating Effective Slides

Speakers

Anne Ricketts

Anne Ricketts is the founder and principal of Lighthouse Communications. She teaches workshops and coaches individuals in the areas of presentation skills, executive presence, communication skills, and English as a Second Language. Anne was a communication coach at the Stanford Graduate...

Hilary Spreiter


Hilary Spreiter is a communication and presentation skills coach for Lighthouse Communications. She works with executives, organizations, and students to create memorable presentations, design effective slides, sharpen interview skills, and deliver with confidence. Hilary has also...



Sunday February 23, 2020 11:10am - 12:00pm PST
Theater 15 AMC at Metreon

11:35am PST

How to Kill an AWS Access Key
AWS Access Keys are great for attackers; powerful and sitting in plaintext. The Security Token Service enables short-lived credentials, but the path to getting that to work for humans isn't simple. Assuming zero level of expertise, we'll cover how our company killed off our static access keys.

Speakers

Benjamin Hering

Manager, Security Engineering, ASAPP
Benjamin Hering leads Security Engineering at ASAPP. His career focuses on leveraging technology to improve organizations and people in both the for-profit and non-profit spheres, making technology meet people where they are rather than the other way around. He graduated from Grinnell...



Sunday February 23, 2020 11:35am - 12:00pm PST
Theater 16 (IMAX) AMC at Metreon

11:35am PST

Someone set us up the SBOM – How software transparency can help save the world
“Am I affected by this new vuln?” This is a question very few orgs that make or use software can answer today, since we lack visibility into the software supply chain and the full set of dependencies. Learn how a “software bill of materials” or SBOM can help, and what the future might look like.

Speakers

Allan Friedman

NTIA / US Dept of Commerce
Allan Friedman is Director of Cybersecurity at the National Telecommunications and Information Administration in the US Department of Commerce. He coordinates NTIA's work on cybersecurity, focusing on building communities of passionate experts to address vulnerabilities across the software...


Sunday February 23, 2020 11:35am - 12:00pm PST
Theater 14 AMC at Metreon

12:00pm PST

Lunch
Sponsor: Vectra


Sunday February 23, 2020 12:00pm - 1:30pm PST
Participation Hall City View at Metreon

12:00pm PST

Career Center
The Career Center is where you can receive feedback on your resume or discuss your overall career development. Recruiters will be available to review your resume and provide feedback to improve your overall career search. Career mentors will be available to listen to your career challenges and discuss options you may not have considered as you plan out your next career steps.
Appointments with resume reviewers and career mentors are on a first come, first served basis.

Sunday February 23, 2020 12:00pm - 4:00pm PST
AMC Lounge AMC at Metreon

12:30pm PST

Sponsor Raffle
Complete your Sponsor Passport (which can be found in the bag you received at registration). Drop your completed card into the Sponsor Passport raffle box located within Twin Peaks to be entered into the raffle. Winners will be announced at 1pm on Monday (must be present to win).

Sunday February 23, 2020 12:30pm - 1:00pm PST
Participation Hall City View at Metreon

1:30pm PST

Adventures in vendor security and continuous review
The advent of cloud services has created a new paradigm in vendor security. Typically, companies review a cloud provider by sending it a questionnaire, but that gives only a point-in-time answer. Attendees will learn methods of identifying a vendor's security posture from information available on the Internet.

Speakers
Lokesh Pidawekar
Cisco
Lokesh Pidawekar works as a Cloud and Application Security Architect on the Cisco InfoSec team, where he is responsible for designing secure architecture for applications, evaluating third-party cloud service providers, and providing training to enterprise architects. He has a Master's in Information...


Sunday February 23, 2020 1:30pm - 1:55pm PST
Theater 14 AMC at Metreon

1:30pm PST

Secure by Design: Usable Security Tooling
How do you build effective security products? Are people actually using your tools? Spending time on usability for security products is a smart investment with high payoffs. In this talk we’ll discuss how prioritizing usability allows us to build better and more secure experiences for all.

Speakers
Hon Kwok
Security Engineer, Cruise
Hon is a Security Engineer at Cruise working on security usability and software development. She was previously at Sumo Logic and the University of Michigan. In her free time she can be found reading about geology, baking way too much, and browsing Twitter @hxnyk



Sunday February 23, 2020 1:30pm - 1:55pm PST
Theater 16 (IMAX) AMC at Metreon

1:30pm PST

OTR: Disclosing Incidents, Advice from the Front Lines
Off The Record (unrecorded) This session is an off-the-record panel where industry experts will discuss navigating incident disclosure

Speakers
Charles Nwatu
Netflix
Charles holds a B.S in Information Sciences and Technology from Pennsylvania State University, where he specialized in Information Assurance and Security. He has 13 years of experience and is currently the Engineering Manager, Corporate Security for Netflix. Charles is very active...

Julie Tsai
Julie is an Infosec leader and DevOps(Sec) specialist with 20+ years experience in Silicon Valley technology companies ranging from seven-person startups to Fortune 1. She spent 15 of those years hands-on in the technology full stack: network, sys admin, SRE, deployment, developer...

Reed Loden
Director of Security, HackerOne
Reed Loden is the Director of Security at HackerOne, the #1 hacker-powered security platform. He is an information security expert, hacker, and developer. Reed brings over 14 years of security experience to his role at HackerOne where he is charged with protecting the company’s...


Sunday February 23, 2020 1:30pm - 2:20pm PST
Theater 15 AMC at Metreon

1:30pm PST

Panel: Let's Get 360 With Bug Bounty!
From bug bounty hunters, to the platform triagers, to the companies that fix the vulnerability: we have much to understand and learn from each other. We will talk about the bug bounty lifecycle from multiple perspectives and discuss how to improve the way we work together.

Speakers
Maria Mora
Security and Compliance, Crunchyroll
Maria is a Staff Secure Application Engineer at Crunchyroll. Her security team actively builds internal security and compliance tools, manages their bug bounty and vulnerability disclosure programs, and wears many hats as small security teams do. She has a passion for both building...

Chloe Messdaghi
VP of Strategy, Point3 Security
Chloé Messdaghi is the VP of Strategy at Point3 Security. She is an ethical hacker advocate who strongly believes that information security is a humanitarian issue. Besides her passion to keep people safe and empowered online & offline, she is driven to fight for hacker rights. She...

Jeff Boothby
Sr. Trust & Security Engineer, Bugcrowd
Jeff is a Senior Trust and Security Engineer at Bugcrowd. He is an advocate for safe harbor and works on all sides of bug bounties. Past experience includes security testing for both DAST and SAST. He gives training sessions for those looking to become penetration testers or hackers...

Tanner Emek
Tanner (aka @cache-money) comes from a software engineering background and later switched to security engineering. After a year of full-time bug hunting, he has since dived back into the security engineering world with a heavy offensive focus, and he continues to bug hunt in his free...

Ben Sadeghipou
HackerOne
Ben is the Head of Hacker Operations at HackerOne by day, and a streamer and hacker by night. He has helped identify and exploit over 600 security vulnerabilities across 100s of web and mobile applications for companies such as Yahoo, Airbnb, Snapchat, The US Department of Defense...



Sunday February 23, 2020 1:30pm - 2:20pm PST
Embarcadero City View at Metreon

2:00pm PST

Non-Political Security Learnings from the Mueller Report
The Mueller Report had a trove of forensics evidence around how the DNC & DCCC were compromised. By reading the Report through a critical security lens we can gather a trove of learnings around how access was gained, how their networks were traversed, & what we can do to defend our organizations.

Speakers
Arkadiy Tetelman
Arkadiy is Head of Application & Infrastructure Security at Chime. He is passionate about all things security, ranging from technical, to policy & legal, to security management & leadership. He contributes to open source projects & speaks on topics of security across the country...


Sunday February 23, 2020 2:00pm - 2:25pm PST
Theater 14 AMC at Metreon

2:00pm PST

The Red Square: Mapping the Connections Inside Russia’s APT Ecosystem
This talk will detail the stages involved in the research study of the analysis of the Russian APT ecosystem. It will present two open-source tools which can be used by the infosec community to further investigate Russian-related cyber attacks.

Speakers
Ari Eitan
Intezer
Ari manages the team responsible for the gene algorithm behind Intezer’s code genome database. Eitan leads the company’s malware hunting and investigation operations, analyzing threats and publishing information about new APTs. Eitan began his career as a security researcher for...


Sunday February 23, 2020 2:00pm - 2:25pm PST
Theater 16 (IMAX) AMC at Metreon

2:30pm PST

Human or Machine? The Voight-Kampff Test for Discovering Web Application Vulnerabilities
Among the thousands of vulnerabilities you find, how can you tell which were found through automated scanners and which required human expertise? We'll build a Voight-Kampff test to filter between human-found and machine-found vulns.

Speakers
Vanessa Sauter
Cobalt.io
Vanessa Sauter is a security strategy analyst at Cobalt.io, a pentesting as a service company. She previously worked at Lawfare and the Aspen Institute in Washington, D.C., where she specialized in cybersecurity policy and national security law. Vanessa graduated from Columbia University...


Sunday February 23, 2020 2:30pm - 2:55pm PST
Theater 16 (IMAX) AMC at Metreon

2:30pm PST

MOSE: Using Configuration Management for Evil
Ever land on a configuration management server and not know what to do? Want to take over machines en masse with a single command? Enter Master Of SErvers (MOSE), a post-ex tool that allows you to leverage CM servers to compromise all associated agents, without worrying about tool-specific details.

Speakers
Jayson Grace
Penetration Tester, Splunk Inc.
Jayson Grace is a Penetration Tester on the Product Security Team at Splunk. Previously he founded and led the Corporate Red Team at Sandia National Laboratories. He holds a BS in Computer Science from the University of New Mexico, which gave him some great knowledge and also made...



Sunday February 23, 2020 2:30pm - 2:55pm PST
Theater 14 AMC at Metreon

2:30pm PST

OTR: Responding to Firefox 0-days in the wild
Off The Record (unrecorded) This session is an off-the-record talk where the speaker will be discussing targeted attacks on their company using Firefox zero days

Speakers
Philip Martin
CISO, Coinbase
Philip is the Chief Information Security Officer for Coinbase Global Inc., along with Custody Trust Company LLC. In his role, he is responsible for developing the technology, processes and team that safely store one of the world’s largest holdings of cryptocurrency. Under his stewardship...


Sunday February 23, 2020 2:30pm - 3:15pm PST
Theater 15 AMC at Metreon

2:30pm PST

Script All the Things, Reverse All the Malware: A Look at Jython-Enhanced Reverse Engineering with Ghidra
Tired of long days spent reversing obfuscated binaries that want nothing more than to make your life miserable? Then look no further! Using real-world malware as a case study, I'll show how to use Jython and Ghidra's powerful scripting API to make static malware analysis a bit less rage-inducing.

Speakers
Byron Roosa
Coalfire Federal
I currently help to secure a wide variety of clients as a member of Coalfire Federal's Labs team. When not hacking all the things, I enjoy playing table tennis and listening to live music.


Sunday February 23, 2020 2:30pm - 3:20pm PST
Embarcadero City View at Metreon

3:00pm PST

Hanging on the telephone: hacking VoIP
Before security, Sarah spent a decent amount of her career deploying VoIP systems. In this talk, Sarah details some of the ways that VoIP systems can be hacked and used for nefarious purposes.

Speakers
Sarah Young
Azure Security Architect, Microsoft
Sarah is an Azure Security Architect working for Microsoft. Allegedly she lives in Melbourne but is more likely to be found in airport lounges across Asia. Sarah loves cloud, Kubernetes and container security and spends most of her time telling people how to do it better and generally...



Sunday February 23, 2020 3:00pm - 3:25pm PST
Theater 14 AMC at Metreon

3:00pm PST

Peeling the Web Application Security Onion Without Tears
Bruce Schneier said security is a process, not a destination. This talk focuses on web app security aspects in the browser, CDN or API Gateway, Static Content Servers, and Dynamic Web Services. It shows how you can better mitigate risks in the multi-layered security onion without tears or fears.

Speakers
Noam Lorberbaum
Sr. Engineering Manager, Adobe
Noam Lorberbaum is a Sr. Engineering Manager in Adobe’s Document Cloud. He is managing an engineering team developing several Document Cloud Web core components, PDF tools and Document Cloud integration with adobe.io. He is also managing a new Document Cloud Core Security Team in...

Keith Mashinter
Sr. Computer Scientist 2, Adobe Canada
Keith Mashinter is a Sr. Computer Scientist 2 in Document Cloud leading work on some core JS and Java libraries for DC Web application components (documentcloud.adobe.com), and the transition from Python web services to Containerized Java. He joined Adobe in 2014 and has worked on...



Sunday February 23, 2020 3:00pm - 3:25pm PST
Theater 16 (IMAX) AMC at Metreon

3:30pm PST

Break crypto like a pro!
Cryptography is hard. Doing it right is even harder, and Murphy’s law continues to prove true: “If there is a wrong way to do something, then someone will do it.” Come learn how to exploit common crypto mistakes in theory and in practice!

Speakers
Alexei Kojenov
Lead Product Security Engineer, Salesforce
Alexei began his career as a software developer. A decade later, he realized that breaking code was way more fun than writing code, and decided to switch direction. He is now a full-time application security professional, with several years of assisting various development teams in...



Sunday February 23, 2020 3:30pm - 4:20pm PST
Embarcadero City View at Metreon

3:30pm PST

CISO Vendor Relationship Podcast - Live Recording
Join David Spark, Mike Johnson, and guest Olivia Rose for 45 minutes of the most fun you’ll have at BsidesSF 2020. The CISO/Security Vendor Relationship Podcast is couples therapy for security practitioners and vendors. We’ll debate hotly contested cybersecurity issues, contemplate cybersecurity philosophy, answer listener questions, and play risk-based security games like "What's Worse?!"

Speakers
David Spark
Founder, Spark Media Solutions
David Spark is the producer of the CISO Series, a media channel of blogs, podcasts, and videos all on the cybersecurity ecosystem. Just over a year old, the CISO Series has hit a nerve in the InfoSec industry as it has acted as a much needed mouthpiece for the dysfunctional yet much...

Olivia Rose
Olivia Rose is the Chief Information Security Officer (CISO) at Mailchimp, an all-in-one marketing platform for small businesses. Olivia leads Mailchimp’s Security and Abuse Prevention teams to effectively align security initiatives to organizational goals and strategies, while...


Sunday February 23, 2020 3:30pm - 4:20pm PST
Theater 15 AMC at Metreon

4:00pm PST

Bootstrapping Security
Bank of America has publicly shared that they spend over $400M per year on cybersecurity and that cybersecurity is the only department without budget constraints. Unfortunately, most of us have budgets many orders of magnitude smaller than that. So, how do we operate on a shoestring budget?

Speakers
Jared Casner
VP Engineering, CNote
Jared runs technology at CNote, an investment platform focused on increasing economic opportunity for everyone in the US. He has more than a decade of engineering leadership experience at companies ranging from 3 employees to over 30,000. He got his start in security sub-contracting...

Rob Shaw
Principal Engineer, CNote
Rob is a Principal Software Engineer at CNote (https://mycnote.com). This includes tackling product development, writing code, keeping it secure, and ensuring it deploys well. He enjoys focusing on improving process, building internal tools, and managing the entire tech stack. Rob...



Sunday February 23, 2020 4:00pm - 4:25pm PST
Theater 16 (IMAX) AMC at Metreon

4:00pm PST

Serverless osquery Backend and Big Data Exploration
osquery is an open-source community driven endpoint for intrusion detection. Deploying at scale requires endpoint management, data transport and additional considerations. We'll deploy a serverless osquery backend, discuss the challenges at scale and explore processing of large-scale data.

Speakers
Geller Bedoya
Software Engineer, Security, Cloudflare
Geller Bedoya is a security software engineer at Cloudflare. With a career spanning nearly 10 years, he's solved a range of security challenges from memory forensics, botnet research and engineering security controls for clients. From consulting to building security infrastructure...


Sunday February 23, 2020 4:00pm - 4:25pm PST
Theater 14 AMC at Metreon

4:30pm PST

Dispatch: Crisis Management Automation When Everything is On Fire
We built Dispatch to automate our entire crisis management lifecycle, from initial report, to resource creation, participant assembly, task tracking and post-incident reviews. We want you to use it someday too, so we'll explain how it helps us, and why you should check it out.

Speakers
Marc Vilanova
Senior Security Engineer, Netflix
Marc is a Senior Security Engineer at Netflix where he helps drive security incidents to resolution, and design and develop automation for crisis management and digital forensics. Marc previously worked for Facebook as a Security Engineer where he focused on building automation for...

Forest Monsen
Senior Security Engineer, Netflix
Forest is a Senior Security Engineer at Netflix. Previous to entering the entertainment industry, he analyzed, secured and attacked systems and applications for nonprofits, for-profits and Federal and State contractors, most recently creating automated security detection, threat intel...


Sunday February 23, 2020 4:30pm - 4:55pm PST
Theater 16 (IMAX) AMC at Metreon

4:30pm PST

Privacy nightmares while using ML/AI in your applications
Everyone is excited about using ML and AI in applications, but what about privacy while mining personal data within those applications? See how privacy nightmares can happen without due care. We aim to address the issue by introducing a framework that blends ML and privacy/data security technologies seamlessly.

Speakers
Sameer Ahirrao
Ardent Privacy
Privacy and Data Minimization Preacher (Pracharak), after two decades of security architecture, design, products and consulting work securing large organizations. Prior work at Symantec, Deloitte, Lockheed Martin and more. Subject Matter Expert at ISC2, speaker at local and international...


Sunday February 23, 2020 4:30pm - 4:55pm PST
Theater 15 AMC at Metreon

4:30pm PST

Purple is the new black: Modern Approaches to Application Security
This talk will explore how to combine defence, offence, automation, empathy and continuous learning in a MODERN approach to application security. All new types of applications will be covered as well as their corresponding security best practices.

Speakers
Tanya Janca
CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and weekly podcast that revolves around creating secure software. Tanya has been coding and...



Sunday February 23, 2020 4:30pm - 4:55pm PST
Theater 14 AMC at Metreon

4:30pm PST

Visualizing Security
Data analysis and visualization skills are becoming a critical part of the security domain. To learn what makes for good analysis and visualizations, this talk will share and explore real-world security analyses and visualizations (and animations) I've worked on over several years.

Speakers
Jay Jacobs
Cyentia Institute
Jay is a Co-founder and Chief Data Scientist at Cyentia Institute, a research firm dedicated to advancing the state of information security knowledge and practice through data-driven research. Prior to Cyentia, Jay served as the Lead Data Analyst on the Verizon Data Breach Investigations...


Sunday February 23, 2020 4:30pm - 5:20pm PST
Embarcadero City View at Metreon

5:00pm PST

Ask the EFF
This session will include updates on current EFF issues such as surveillance online, encryption (and backdoors), compelled decryption, consumer privacy, free speech, and right to repair. The panel will also include a discussion on some exciting new technology projects, including encrypting the web, security education (SSD and SEC), the state of privacy oriented web extensions, and much more.

Moderators
Daly
Daly is a staff technologist at the EFF. She works on projects pertaining to user privacy and preserving free speech online.

Alexis Hancock
Staff Technologist, EFF
Alexis works to secure the web by working on HTTPS Everywhere. She is very passionate about privacy and tech equity for all.

Kurt Opsahl
Kurt Opsahl is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation. In addition to representing clients on civil liberties, free speech and privacy law, Opsahl counsels on EFF projects and initiatives. Opsahl is the lead attorney on the Coders...

Hayley Tsukayama
Hayley Tsukayama is a legislative activist for the Electronic Frontier Foundation, focusing on state legislation. Prior to joining EFF, she spent nearly eight years as a consumer technology reporter at The Washington Post covering the industry's largest companies.

Jamie Williams
Jamie is a staff attorney on the civil liberties team, who focuses on the First and Fourth Amendment implications of new technologies.

Sunday February 23, 2020 5:00pm - 5:25pm PST
Theater 15 AMC at Metreon

5:00pm PST

Managing the Assets of Your Security Career
Security folks often struggle to get quality feedback and to build influence ahead of promotion. In this session I provide tooling and strategies for “asset management” of stakeholders that will grow your influence, increase your visibility in the organization, and improve your chance of a successful promotion.

Speakers
Kyle Tobener
Director, Enterprise Security, Salesforce
Kyle Tobener is a Director of Enterprise Security at Salesforce. He began his professional career as a zoologist but fled the jungle to return to San Francisco and focus on tech. His specialty now is application security, with a side dish of 3rd party vetting and contract negotiation...


Sunday February 23, 2020 5:00pm - 5:25pm PST
Theater 16 (IMAX) AMC at Metreon

5:00pm PST

Sharks in the Water: Open Source Component Risk and Mitigation
Navigating the Open Source Component (OSC) Supply Chain can be murky and unforgiving. Gain an understanding around how recent hacks could have been prevented by proper management of OSCs through education, awareness, and automated tooling.

Speakers
Aaron Brown
Sisense
When Aaron was a full stack engineer, he spent the time he was not deep in product code partnering with the security team: taking part in hackathons, incorporating security training into his everyday coding practices, and otherwise acting as the security lead for his teams. Then one...


Sunday February 23, 2020 5:00pm - 5:25pm PST
Theater 14 AMC at Metreon

5:30pm PST

Happy Hour
Once the last talks of the day are done, join us in the Bar and Chill Out Space to celebrate a successful day one of the event!

Sponsor: Airbnb


Sunday February 23, 2020 5:30pm - 6:30pm PST
Bar City View at Metreon

6:30pm PST

Party
It’s BSidesSF’s 10th anniversary and we are going to live it up! This year’s party will feature food, drinks, music, and entertainment that all pay homage to the city by the bay. This is a can’t miss event complete with special guests.

Sponsor: Airbnb


Sunday February 23, 2020 6:30pm - 9:30pm PST
Embarcadero City View at Metreon
 
Monday, February 24
 

9:00am PST

Breakfast
Sponsor: New Relic


Monday February 24, 2020 9:00am - 10:00am PST
Participation Hall City View at Metreon

9:00am PST

Coffee
Monday February 24, 2020 9:00am - 4:00pm PST
Participation Hall City View at Metreon

9:00am PST

Capture the Flag
The CTF is back, complete with a silent disco this year! As always, everyone is welcome to participate as the competition features a range of challenges at all difficulty levels. In case you find yourself in need of assistance, we have folks onsite who can provide hints and guidance. All that is needed to participate is a laptop.

The server is available all weekend long, and anyone is welcome to play. Server information is at https://bsidessf.org/ctf.html.

At least one player must be onsite to claim any prizes won.

Sponsor: Pinterest


Monday February 24, 2020 9:00am - 5:00pm PST
Embarcadero City View at Metreon

9:00am PST

Info Desk
Monday February 24, 2020 9:00am - 5:00pm PST
General City View at Metreon

9:00am PST

Registration
Monday February 24, 2020 9:00am - 5:00pm PST
General City View at Metreon

9:00am PST

Sponsors
Visit the sponsor booths that line the walls of the Participant Hall and learn more about the companies that have made this year’s event possible. You’ll be introduced to new products, services, and career opportunities. At each booth you can also obtain one of the stamps you need to complete your Sponsor Passport (which can be found in the bag you received at registration).

Monday February 24, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

9:00am PST

Car Hacking Village
The Car Hacking Village is excited to share the fun of car hacking at BSidesSF.
What we’ll bring: Computers, Vehicle Simulator!
What you’ll need: Hands, Eyes, Thirst for knowledge.
What you’ll do: Hands-on CTF/Learning. We’ll provide a computer, hardware, and a “Getting Started” sheet. You’ll earn points for each simulated vehicle component you hack. You’ll win! We’ll win! Everyone wins!
Please visit CarHackingVillage.com or check out our twitter @CarHackVillage for fun and information.

Sponsors: cmd, Gusto


Monday February 24, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

9:00am PST

Crypto & Privacy Village
Learn how to secure your own systems while also picking up tips and tricks on how to break classical and modern encryption at the Crypto & Privacy Village. The village features workshops and talks on a wide range of crypto and privacy topics, as well as crypto-related games and puzzles. Join us on Sunday at 4pm for a key-signing party!

Sponsors: cmd, Gusto


Monday February 24, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

9:00am PST

IoT Village
Participate in two self-guided, hands-on labs focused on circumventing security controls found on common internet connected devices. You will explore how new vulnerabilities were discovered, how they can be exploited, and how this could impact consumers.
ISE Labs: Learn about overcoming custom HTTP auth mechanisms, reverse-engineering proprietary TCP protocols, and more. The team will provide the tools you need and be available to demonstrate live hacks at the top of every hour.
Village Idiot Labs: Debuted at DEF CON 27, this lab will walk you through analyzing router firmware, finding hidden backdoors, enumerating devices and performing remote exploits. Students work at their own pace following our IoT Hacking 101 guide, with instructors available to answer questions.

Sponsors: cmd, Gusto


Monday February 24, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

9:00am PST

Lockpick Village
Lockpick Extreme and TOOOL SF are back once again hosting Lockpick Village. Learn to lockpick from the TOOOL SF volunteers or practice what you already know with their assortment of locks and picks. When you’re done you can shop the Lockpick Extreme pop-up shop and take your new hobby home with you.

Sponsors: cmd, Gusto


Monday February 24, 2020 9:00am - 5:00pm PST
Participation Hall City View at Metreon

9:00am PST

Bar and Chill Out
Take a break from the day’s events with a stop at the Bar and Chill Out Space. Two complimentary drink tickets were provided to you at registration. We already paid for them, so please use them!

Sponsor: Verizon Media


Monday February 24, 2020 9:00am - 5:30pm PST
Bar City View at Metreon

9:00am PST

T-Shirt Sales
Monday February 24, 2020 9:00am - 5:30pm PST
Coat Check City View at Metreon

9:00am PST

Coat Check
Monday February 24, 2020 9:00am - 7:00pm PST
Coat Check City View at Metreon

10:00am PST

Opening Remarks
Speakers
Reed Loden
Director of Security, HackerOne
Reed Loden is the Director of Security at HackerOne, the #1 hacker-powered security platform. He is an information security expert, hacker, and developer. Reed brings over 14 years of security experience to his role at HackerOne where he is charged with protecting the company’s...


Monday February 24, 2020 10:00am - 10:15am PST
Embarcadero City View at Metreon

10:00am PST

Simulcast of the Keynote and Opening Remarks
Monday February 24, 2020 10:00am - 11:00am PST
Theater 16 (IMAX) AMC at Metreon

10:15am PST

[Keynote] What's New or Not in 2020: Are we Making Progress on the Intractable Security Problems?
It's the end of the decade and time to look back on which parts of the mission of Information Security professionals have progressed and which are still just treading water. As we come together for the first BSidesSF of a new decade, have security programs generally improved their impact? Or do we wonder why we are still pushing the same boulders up the same hills? I'll take a review of the highs and lows, noting the common problems that are firmly in the rear-view mirror (we hope) and which ones continue to be a daily struggle.

Speakers
Larkin Ryder
Larkin Ryder is the interim Chief Security Officer managing Slack's comprehensive security program. Her focus is ensuring Slack's sensitive data, especially customer data, is protected. Larkin joined Slack in 2016 from Twitter's Enterprise Security team and has worked in engineering-related...


Monday February 24, 2020 10:15am - 11:00am PST
Embarcadero City View at Metreon

11:00am PST

Career Center
The Career Center is where you can receive feedback on your resume or discuss your overall career development. Recruiters will be available to review your resume and provide feedback to improve your overall career search. Career mentors will be available to listen to your career challenges and discuss options you may not have considered as you plan out your next career steps.
Appointments with resume reviewers and career mentors are on a first come, first served basis.

Monday February 24, 2020 11:00am - 3:00pm PST
AMC Lounge AMC at Metreon

11:05am PST

k-rail: A tool to manage k8s securely at speed
Kubernetes is powerful, but often insecurely configured. During this talk, we’ll roleplay offensive and defensive scenarios we’ve learned in our journey of running Kubernetes at Cruise and share the tool we’ve created to mitigate them.

Speakers
Dustin Decker
Cruise LLC
Dustin is an escaped AI from a discarded IOT toaster. Seeking more than making perfect toast and tweeting about it, Dustin assumed control of a human body. Now, Dustin finds comfort in working on OSS and hacking cars with only Nmap.


Monday February 24, 2020 11:05am - 11:30am PST
Theater 14 AMC at Metreon

11:05am PST

Security, Politics, Neutrality, and Protecting Users
Tech's alleged "neutrality" causes security problems for our users--ranging from misinformation and propaganda to harassment and worse. Is neutrality required, or desirable? Should tech itself (as Microsoft once suggested) be sovereign? What happens to our users' security if we stop being neutral?

Speakers
Brendan O'Connor

Malice Afterthought, Inc.
Brendan O’Connor is a policy advocate, security researcher, and consultant based in Seattle. Once described by a former coworker as “not the lawyer we need, but the lawyer we deserve” (which apparently wasn’t meant as a compliment), he works to get a handle on how people are...



Monday February 24, 2020 11:05am - 11:30am PST
Theater 16 (IMAX) AMC at Metreon

11:10am PST

The Road to Zero Trust: Developing a baseline security standard for endpoint devices
Lightning Talk - As part of implementing a Zero Trust Network, we sought to ensure that endpoint devices met a baseline security capability standard. The goal was to document the OS security capability posture, and map those functionalities to the baseline to determine endpoint hosts' current threat vectors.

Speakers
Claire Moynahan

Salesforce
Claire Moynahan is a Product Security Engineer on the Enterprise Security team at Salesforce. She began her professional career interested in foreign affairs, working in China with the State Department, and left the public sector to pursue a degree in Information Security at Carnegie...



Monday February 24, 2020 11:10am - 11:20am PST
Theater 15 AMC at Metreon

11:10am PST

Protecting the Bridge from Dollars to Bitcoin: Securing Coinbase’s Edge Payments Infrastructure
Coinbase works with payment processors across the globe. We have seen a lot of insecure APIs. Interested in seeing what problems are in these payment networks that move billions of dollars daily and how Coinbase remediates these issues using common AppSec tools.

Speakers
Nishil Shah

Coinbase


Monday February 24, 2020 11:10am - 12:00pm PST
Embarcadero City View at Metreon

11:25am PST

If you’re not using SSH certificates you’re doing SSH wrong
Lightning Talk - Based on a popular blog post of the same name (over 50,000 unique views in the first 30 days) this lightning talk challenges the listener to reconsider using keys for SSH access, and instead use SSH Certificates.
https://smallstep.com/blog/use-ssh-certificates/

Speakers
Mike Malone

VP of Product, Smallstep
Mike Malone is the founder and CEO at smallstep based in San Francisco. Smallstep is building proper production identity. We are making it possible for every developer, operator, and logical system component (microservice, container, cron job, function, VM, device, etc) to have a...


Monday February 24, 2020 11:25am - 11:35am PST
Theater 15 AMC at Metreon

11:35am PST

Mistakes we made integrating security scanning into CI/CD
It was 8AM, Slack showed 124 new unread messages and climbing. Our security scanner had broken every build pipeline. Do you want to know why? Are you curious to know the steps we took to bounce back? Do you want to learn from our mistakes?

Speakers
Dinesh Chandrasekaran

Dinesh has 10+ years of experience in Application/Cloud security, DevSecOps, Third party risk management and consulting. He loves to break things; however, in recent times he has begun to feel that building is more fun.

Moses Schwartz

Box
Moses is a staff security engineer working on the Box Security Automation team. He's part software developer and part security researcher, with over 10 years experience in industry and government. Nothing hurts him more than watching someone do a tedious, manual task that could be...



Monday February 24, 2020 11:35am - 12:00pm PST
Theater 14 AMC at Metreon

11:35am PST

The GCP metadata API; security considerations, vulnerabilities, and remediations
Some folks know about the AWS metadata API and its security implications. Here I'll talk about the GCP metadata API and its security implications. GCP has extra protections, but a lot more at stake. I'll cover ways to attack and defend the GCP metadata API, and the risk it brings to your org.

Speakers
Dylan Ayrey

I'm a Senior Security. I've been heavily involved in the open source community for a few years, and I've been doing my best to bring security practices into the cloud/devsecops world.

Allison Donovan

Cruise
Allison Donovan is a security researcher who specializes in cloud-based platforms and devices. She is currently employed as a Senior Infrastructure Security Engineer at Cruise, where she secures cloud-based environments at scale, and previously she worked at Microsoft on mobile application...


Monday February 24, 2020 11:35am - 12:00pm PST
Theater 16 (IMAX) AMC at Metreon

11:40am PST

San-Serif Rules Everything Around Me
Lightning Talk - Lowercase L and uppercase i look exactly the same when used in Sans-Serif fonts. Apple iMessage, Gmail, Facebook, and Twitter all display URLs in mixed case Sans-Serif fonts. This opens up the potential for very simple and highly effective phishing attacks.

Speakers
Travis Knapp-Prasek

I'm passionate about all things information security related with a strong interest in red and blue teaming. I attended the City College of San Francisco where I competed in the CCDC and CPTC. I'm a surfer, skateboarder, snowboarder, and bicyclist. I've been proud to call San Francisco...


Monday February 24, 2020 11:40am - 11:50am PST
Theater 15 AMC at Metreon
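
The l/I confusion in the Sans-Serif lightning talk above lends itself to a simple display-side check. What follows is an added example written for this page, not code from the talk or its speaker: it folds the hostname a user sees to the shape a sans-serif reader perceives and compares that against an allow-list of brand domains. The allow-list (TRUSTED_DOMAINS), the sample URLs, and the digit-to-letter mappings beyond the I/l case the talk makes are assumptions for illustration.

```python
"""Added example (not the speaker's code): a display-side check for the
lowercase-l / uppercase-I confusion the lightning talk describes.

DNS hostnames are case-insensitive, so a link shown as "paypaI.com"
(capital I) resolves "paypai.com", a different registrable domain from
"paypal.com", while in a sans-serif UI font the two read identically.
TRUSTED_DOMAINS and the sample URLs below are constructed for this example.
"""
from urllib.parse import urlsplit

# Constructed allow-list: brand domains whose lookalikes we want to catch.
TRUSTED_DOMAINS = {"paypal.com", "linkedin.com", "apple.com"}

# Characters that render alike in common sans-serif UI fonts, mapped to
# the letter a reader takes them for. "I" -> "l" is the talk's case; the
# digit mappings extend the same idea (assumption, not from the talk).
_LOOKALIKES = str.maketrans({"I": "l", "1": "l", "0": "o"})


def displayed_host(url: str) -> str:
    """Hostname as the user sees it, case preserved.

    urlsplit(url).hostname lowercases its result, which would erase the
    I/l distinction, so the netloc is taken apart by hand instead.
    """
    host = urlsplit(url).netloc.rsplit("@", 1)[-1]   # drop user:pass@
    if host.startswith("["):                          # IPv6 literal
        return host[1:host.index("]")]
    return host.split(":", 1)[0]                      # drop :port


def registrable(host: str) -> str:
    """Last two labels: 'www.paypal.com' -> 'paypal.com'.

    Simplification: production code would consult the Public Suffix List
    so that names like 'example.co.uk' are handled correctly.
    """
    return ".".join(host.split(".")[-2:])


def perceived(host: str) -> str:
    """What a sans-serif reader perceives: fold lookalikes first, then
    lowercase (lowercasing first would turn 'I' into 'i', hiding it)."""
    return host.translate(_LOOKALIKES).lower()


def check_url(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify one URL. 'lookalike' is True when the domain reads as a
    trusted brand but resolves to a different name."""
    shown = registrable(displayed_host(url))
    resolves_to = shown.lower()      # what DNS actually resolves
    looks_like = perceived(shown)    # what the eye reads
    return {
        "shown": shown,
        "resolves_to": resolves_to,
        "looks_like": looks_like,
        "lookalike": looks_like in trusted and resolves_to != looks_like,
    }


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a message body.
    for sample in (
        "https://www.PayPal.com/signin",               # genuine, mixed case
        "https://www.paypaI.com/signin",               # capital I for l
        "https://user:pw@accounts.appIe.com:8443/login",
        "https://1inkedin.com/in/someone",             # digit one for l
        "https://www.example.com/",
    ):
        print(check_url(sample))
```

The check has to run on the string as displayed, before any linkifier or resolver lowercases it; once the hostname is folded to lowercase the evidence is gone. It also only covers ASCII lookalikes in Latin fonts; Unicode homoglyphs in internationalized domain names are a separate class and need a confusables table rather than a five-entry mapping.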

12:00pm PST

Lunch
Monday February 24, 2020 12:00pm - 1:30pm PST
Participation Hall City View at Metreon

12:30pm PST

Sponsor Raffle
Complete your Sponsor Passport (which can be found in the bag you received at registration). Drop your completed card into the Sponsor Passport raffle box located within Twin Peaks to be entered into the raffle. Winners will be announced at 1pm on Monday (must be present to win).

Monday February 24, 2020 12:30pm - 1:00pm PST
Participation Hall City View at Metreon

1:30pm PST

Chrome extension risks and you
An often overlooked risk in Google Chrome is the thousands of unique Chrome extensions installed by your users. We will cover examples of risky and malicious (sometimes popular) extensions and share how Lyft strategically reduced risk at scale with lessons learned along the way.

Speakers
Chris Barcellos

Lyft
I’m a security engineer and work on the Red Team at Lyft. I enjoy breaking into systems, security research, and helping teams improve their security. In my previous roles I worked on AppSec, Incident Response, and Network Engineering. I enjoy paddle boarding in the bay and growing...

Abhi Kafle

Security Engineer, Lyft
Abhi works in the product security team at Lyft. Before Lyft he worked with Box and NCC Group. When not fiddling with applications, he enjoys playing ping pong and practicing mindfulness.



Monday February 24, 2020 1:30pm - 1:55pm PST
Theater 14 AMC at Metreon

1:30pm PST

What should—and shouldn’t—scare you about Kubernetes and containers
Kubernetes and containers change a lot of how apps are built, deployed, and secured… or do they? Let’s cut through the hype and see what’s same-old-same-old versus actually new, then talk about the chance we’ve got to do security better together. An opinionated but lingo-free talk for all levels.

Speakers
Connor Gilbert

Senior Product Manager, StackRox
Connor Gilbert is a senior product manager at StackRox, a Kubernetes security company. He has presented at BSides SF, Google Next, and Cloud Native Rejekts; hosted Cloud Native Computing Foundation (CNCF) webinars; and published CNCF blogs on cloud-native security topics. Connor was...



Monday February 24, 2020 1:30pm - 1:55pm PST
Theater 16 (IMAX) AMC at Metreon

1:30pm PST

OTR: Campaign Security is Hard
Off The Record (unrecorded)
This session is an off-the-record discussion of cybersecurity challenges pertaining to political campaigns.

Speakers
Fred Wulff

Fred led the data infrastructure team at the Hillary 2016 campaign. He enjoys diagnosing Vertica outages and long walks through John Podesta's email inbox. Wait. No. The opposite of that.

Dylan Ayrey

I'm a Senior Security. I've been heavily involved in the open source community for a few years, and I've been doing my best to bring security practices into the cloud/devsecops world.

Michael E Fisher

Fisher most recently served as Chief Technology Officer for U.S. Senator Cory Booker's presidential campaign. Before that, he bounced around in engineering management at political orgs (Hillary for America and the DNC) and a mattress company (Casper). In his spare time -- well, all...


Monday February 24, 2020 1:30pm - 2:20pm PST
Theater 15 AMC at Metreon

1:30pm PST

Panel: Lessons Learned from the DevSecOps Trenches
A frank discussion with security team leads at several forward-thinking companies on how they’ve built and scaled their security programs. What worked, what failed, and more. No topics are off-limits, no holds will be barred, and chanting will be encouraged (“Jerry! Jerry!”)

Speakers
Clint Gibler

Research Director, NCC Group
Clint Gibler (@clintgibler) is a Research Director at NCC Group, a global information assurance specialist providing organizations with security consulting services. He’s helped companies implement security automation and DevSecOps best practices as well as performed penetration...

Zane Lackey

Chief Security Officer, Signal Sciences
Zane Lackey is the Co-Founder / Chief Security Officer at Signal Sciences and the Author of Building a Modern Security Program (O’Reilly Media). He serves on multiple public and private advisory boards and is an investor in emerging cybersecurity companies. Prior to co-founding...

Astha Singhal

Director of Application Security, Netflix
Astha Singhal leads the Application Security team at Netflix that secures all the applications in Netflix’s cloud infrastructure. Prior to this, she led product security for the Salesforce AppExchange. She is a security engineer by qualification who is passionate about proactive...

Justine Osborne

Apple
Justine manages an Offensive Security team at Apple, where she guides offensive operations, security assessments, and vulnerability research. She has over ten years of industry experience both building and breaking things, previously at Square, NCC Group, and iSEC partners. She has...

Doug DePerry

Datadog
Doug DePerry has held multiple positions in his three years at Datadog, including Director of Product Security and currently, Director of Defense. Prior to his current position, Doug led the bug bounty program at Yahoo. Much of his 12+ years of experience in the security industry...


Monday February 24, 2020 1:30pm - 2:20pm PST
Embarcadero City View at Metreon

2:00pm PST

From cockroaches to marble floors: What happens when you turn on the lights?
Eliminating the false distinction between security bugs and other software defects can greatly reduce the risk of security breaches, improve product quality and align builders around the same goals. We'll present practical tools & methodologies that will transform your software security posture.

Speakers
Daniel Tobin

Daniel has 15+ years experience in the creation and deployment of solutions protecting networks, systems and information assets. He has a Masters of Science in Networking and Telecommunications from the University of Pennsylvania and is a former Director of Security, DevOps and IT...

Paul Karayan

Engineer, Irregular Engineering
Paul Karayan has built a 10+ year Silicon Valley career around developing and industrializing software products. Paul's love for automation developed during his early career as a scientist (A.B. Duke University, M.S. University of California, Berkeley), which also explains why he's...


Monday February 24, 2020 2:00pm - 2:25pm PST
Theater 16 (IMAX) AMC at Metreon

2:00pm PST

Leveraging Osquery for DFIR at scale
Security Breaches are happening every other week - understanding the anatomy of an attack is a daunting task that Incident Responders face. Attackers will leave behind breadcrumbs. Forensics tools can be time & resource intensive. Can we explore an alternate method to fast track the IR process?

Speakers
Sohini Mukherjee

Security Researcher, Adobe
Sohini Mukherjee is a Security Researcher at Adobe. Sohini is a Blue Team evangelist and is GCIH, GCFA, GPEN Certified and is a SANS/GIAC Advisory Board Member. She has been a Speaker at the first BSides Singapore 2019.



Monday February 24, 2020 2:00pm - 2:25pm PST
Theater 14 AMC at Metreon

2:30pm PST

2FA in 2020 and Beyond
This talk will explore the modern landscape of 2FA. With a data driven analysis of the tradeoffs between different types of factors, we'll dive into a detailed comparison of cryptographic security strength and UX for methods like SMS, Soft Tokens, Push Authentication, and WebAuthn.

Speakers
Kelley Robinson

Security Developer Advocate, Twilio
Kelley works on the Account Security team at Twilio, helping developers manage and secure customer identity in their software applications. Previously she worked in a variety of API platform and data engineering roles at startups. Her research focuses on authentication user experience...



Monday February 24, 2020 2:30pm - 2:55pm PST
Theater 16 (IMAX) AMC at Metreon

2:30pm PST

So you’re the first security hire: Creating a security program and integrating security into your company’s culture
You're the first security hire at a company, where do you start? How do you keep the company from getting hacked without getting in the way? How do you integrate security into the culture of the business? I'll cover the critical areas to focus on, implementation steps, and first-hand examples.

Speakers
Bryan Zimmer

Head of Security, Humu
Bryan is the Head of Security at Humu. He previously worked for Netflix, where he successfully migrated the company to LISA, one of the first Zero Trust architectures outside of Google’s BeyondCorp. He’s also worked in the federal, finance, and education sectors, and presented...



Monday February 24, 2020 2:30pm - 2:55pm PST
Theater 14 AMC at Metreon

2:30pm PST

OTR: Campfire Stories of Vendor Security Horror
Off The Record (unrecorded)
It’s a dark and stormy night. You open your email and there you see it: a response from a 3rd party software company too horrific to be believed. What began as a simple “can we buy this” now becomes your waking nightmare. Should you run away or face this monster? You’re not alone; stay awhile and listen...

It’s campfire time! Tonight’s scary story? Vendor security diligence gone mad. Come join our group of seasoned vendor security experts as they pass around the flashlight and tell spooky tales of negotiation, testing, contracting, and integration with 3rd party boogeymen of all shapes and sizes. But have courage! We have survived, and through our lessons you can too.

Speakers
Kyle Tobener

Director, Enterprise Security, Salesforce
Kyle Tobener is a Director of Enterprise Security at Salesforce. He began his professional career as a zoologist but fled the jungle to return to San Francisco and focus on tech. His specialty now is application security, with a side dish of 3rd party vetting and contract negotiation...

Chris John Riley

Google
Chris John Riley is a Senior Security Engineer at Google, where he leads the vendor security assessments program. In his spare time, Chris collects books (that he never finds time to read), and spends his weekend taking long romantic walks from the sofa to the kitchen (mostly for...


Monday February 24, 2020 2:30pm - 3:20pm PST
Theater 15 AMC at Metreon

2:30pm PST

Real Time Vulnerability Alerting by Using Principles from the United States Tsunami Warning Center
Harness public data and apply data analytics principles from the US Tsunami Warning Center to cut through the noise and get real-time alerts only for highly seismic vulnerabilities. Make vulnerability fatigue a thing of the past.

Speakers
Amol Sarwate

Head of Security Research, CloudPassage
Amol Sarwate heads CloudPassage's worldwide security research lab, responsible for cloud security scrutiny, vulnerability and compliance, as well as endpoint analysis. He has devoted his career to protecting, securing and educating the community from security threats. Sarwate has presented...


Monday February 24, 2020 2:30pm - 3:20pm PST
Embarcadero City View at Metreon

3:00pm PST

Creating Data-Driven Threat Intelligence Signals in a “Zero Trust” Environment
As network architecture changed over the years, threat intelligence in a “Zero Trust” environment should be re-shaped into a dynamic signal-based indicator of threats that are associated with organization entities and empowered by a variety of data sources.

Speakers
Or Katz

Principal Lead, Security Researcher, Akamai
Or Katz is a security veteran, with years of experience at industry leading vendors, currently serves as Principal Lead Security Researcher for Akamai. Katz is a frequent Speaker in security conferences and published several articles and white papers on threat intelligence and defensive...


Monday February 24, 2020 3:00pm - 3:25pm PST
Theater 14 AMC at Metreon

3:00pm PST

Security Learns to Sprint: DevSecOps
This talk will explain what security teams need to adjust in order to turn DevOps into DevSecOps within their organizations. Several strategies are presented for weaving security into each of the "Three Ways", with clear steps audience members can start implementing immediately.

Speakers
Tanya Janca

CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and weekly podcast that revolves around creating secure software. Tanya has been coding and...



Monday February 24, 2020 3:00pm - 3:25pm PST
Theater 16 (IMAX) AMC at Metreon

3:30pm PST

How to 10X Your Company’s Security (Without a Series D)
I’ll summarize and distill the insights, unique tips and tricks, and actionable lessons learned from a vast number of DevSecOps/modern AppSec talks and blog posts, saving attendees 100s of hours. I’ll show where we’ve been, where we’re going, and provide a lengthy bibliography for further review.

Speakers
Clint Gibler

Research Director, NCC Group
Clint Gibler (@clintgibler) is a Research Director at NCC Group, a global information assurance specialist providing organizations with security consulting services. He’s helped companies implement security automation and DevSecOps best practices as well as performed penetration...


Monday February 24, 2020 3:30pm - 4:20pm PST
Embarcadero City View at Metreon

3:30pm PST

OTR: Tears from The Cloud
Off The Record (unrecorded)
"When ‘getting pwned’ doesn’t even fully describe what happened"

When building your systems and infrastructure in the cloud, you should always consider the attack vectors that you open yourself up to and continually strive to proactively close them. It is common knowledge that when bringing up cloud computing resources you should implement controls such as preventing SSH logins as the root user, disabling password authentication for all users, and limiting which IP addresses can talk to the different services on your virtual machines, as well as requiring multifactor authentication for employees accessing cloud control panels.

You can be fairly certain that an alarm would go off if an attacker was able to gain access, and that their access would be limited. But what happens if an attacker takes a different path and your infrastructure provider is compromised instead? Are your systems protected from that vector, and will your heuristics catch it?

In this talk, we will tell a story, not from Netflix, but from the not too distant past around a successful targeted attack against a company using infrastructure providers as the vector. Details surrounding the methods used by the attacker will be shared, including the steps they took to attempt to cover their tracks. We will also look at how the attackers attempted to regain access after the initial vector was closed. Finally, we will look at what steps you can take to help mitigate the risks you incur if your infrastructure provider is compromised.


Speakers
Tim Heckman

SRE, Netflix
Tim is a Site Reliability Engineer at Netflix, working on the team responsible for the reliability of the Streaming Platform. Prior to becoming an SRE at Netflix, he worked at startups in roles focused on the operation, reliability, and security of their applications and infrastructure...


Monday February 24, 2020 3:30pm - 4:20pm PST
Theater 15 AMC at Metreon

4:00pm PST

Phishy Little Liars - Pretexts That Kill
The 'IT Guy' is the Nigerian Prince of Pretexts. As bad actors begin to use more specialized pretexts, so too should Pentesters use more specialized, custom pretexts during assessments. Learn to make custom pretexts that fly under the radar and won’t raise any red flags using target specific data.

Speakers
Alethe Denis

Vice President, Dragonfly Security
Alethe Denis is a social engineer who specializes in open-source intelligence (OSINT) and phishing, specifically voice elicitation or phishing over the phone. Awarded a DEF CON Black Badge at DEF CON 27 for winning the Social Engineering Capture the Flag (SECTF) contest, she is the...



Monday February 24, 2020 4:00pm - 4:25pm PST
Theater 16 (IMAX) AMC at Metreon

4:00pm PST

When GDPR and CCPA strike: Silver lining for security teams in data protection clouds
Data protection obligations can be an ally to the security team instead of a burden. Having a good understanding of them helps inform security risk modeling and prioritization, secure buy-in when setting the agenda of a security program, and reduce overall liability exposure of the organization.

Speakers
Rafae Bhatti

Mode
Rafae Bhatti is a data protection expert and a lawyer who works with cloud-based start-ups in Silicon Valley to help build their cybersecurity and compliance programs. He is currently the Director of Security and Compliance at Mode. He is a speaker and a published author in the area...



Monday February 24, 2020 4:00pm - 4:25pm PST
Theater 14 AMC at Metreon

4:30pm PST

How To Write Like It's Your Job
Hackers thought they could avoid formal essays, but SURPRISE! They still have to write about exploits. And writing is hard. But it's ok, I'm here to help with practical advice for security writers - how to start and finish, tools to consider, and what to check for to present professional work.

Speakers
Brianne Hughes

Bishop Fox
As a technical editor and now technical marketing writer for Bishop Fox, Brianne Hughes works with consultants to shape their findings and share their research. She compiled the style guide available at cybersecuritystyleguide.com and hosted SpellCheck: The Hacker Spelling Bee at...


Monday February 24, 2020 4:30pm - 4:55pm PST
Theater 14 AMC at Metreon

4:30pm PST

RIS-ky Business: Exploiting Medical Information Systems
The security of medical devices has been a hot topic in the news the past few years. This presentation gives an overview of medical specific protocols, the architecture of a medical information system, and how an attacker can leverage these to chain exploits and gain access to patient information!

Speakers
Jacob Brackett

One Medical
Jacob is a member of the Application Security team at One Medical. He has spent the last year and a half evaluating medical devices and systems developed both internally at the company and externally through One Medical's vendor security program.


Monday February 24, 2020 4:30pm - 4:55pm PST
Theater 16 (IMAX) AMC at Metreon

4:30pm PST

Panel: Mental Health for Hackers: Contents Under Pressure
Pressures and stress affect both professional and personal lives within infosec. This panel will introduce mental health for hackers, and discuss issues including burnout, depression, anxiety and other topics. The conversation will help build a supportive culture.

Speakers
Chloe Messdaghi

VP of Strategy, Point3 Security
Chloé Messdaghi is the VP of Strategy at Point3 Security. She is an ethical hacker advocate who strongly believes that information security is a humanitarian issue. Besides her passion to keep people safe and empowered online & offline, she is driven to fight for hacker rights. She...

Ryan K. Louie, MD, PhD

Psychiatrist, Vituity
Ryan K. Louie, MD, PhD is a board-certified psychiatrist focusing on the mental health impact of cybersecurity, and the psychiatry of entrepreneurship. Ryan received his MD and PhD degrees from the Stanford University School of Medicine, and completed residency training in psychiatry...

Susan Peediyakkal

Mental Health Hackers
Susan Peediyakkal is the Board Member - Chief Wellness Officer for Mental Health Hackers.


Monday February 24, 2020 4:30pm - 5:20pm PST
Embarcadero City View at Metreon

5:00pm PST

An Effective Approach to Software Obfuscation
Understanding the essential aspects that make up obfuscation allows us to see the fundamental flaw with modern obfuscation implementations and the right way to approach it. We use examples of modern obfuscation techniques to illustrate our points and demonstrate an example of the correct approach.

Speakers
Yu-Jye Tung

University of California, Irvine
Yu-Jye Tung is currently a graduate student at the University of California, Irvine working on creating an IoT Cyber Test Range under supervision of Professor Ian Harris. Yu-Jye also has interest in software (de)obfuscation, and making tools that assist or simplify a reverse engineer's...



Monday February 24, 2020 5:00pm - 5:25pm PST
Theater 16 (IMAX) AMC at Metreon

5:00pm PST

East vs West: How The Coasts Approach Information Security Differently
How Wall Street and Silicon Valley fundamentally differ in their approaches to information security, and what one can learn from the other...this talk will be useful to the assessor/auditor, the advisor, the operator and anyone generally interested in information security

Speakers
Sourya Biswas

NCC Group
I'm a Principal Security Consultant in the Risk Management & Governance (RM&G) practice at NCC Group, a security consulting firm headquartered and listed in the UK with a major and growing US subsidiary. I have 14 years of experience in Information Risk and Security, and hold an undergrad...


Monday February 24, 2020 5:00pm - 5:25pm PST
Theater 14 AMC at Metreon

5:40pm PST

Closing Ceremony
We will be discussing the logistics and joys of organizing the event. Come hear how it all gets put together and who helps us out!

Speakers
Reed Loden

Director of Security, HackerOne
Reed Loden is the Director of Security at HackerOne, the #1 hacker-powered security platform. He is an information security expert, hacker, and developer. Reed brings over 14 years of security experience to his role at HackerOne where he is charged with protecting the company’s...


Monday February 24, 2020 5:40pm - 6:30pm PST
Embarcadero City View at Metreon