BSidesSF 2020 has ended

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Talk [clear filter]
Sunday, February 23

1:30pm PST

OTR: Disclosing Incidents, Advice from the Front Lines
Off The Record (unrecorded) This session is an off-the-record panel where industry experts will discuss navigating incident disclosure


Charles Nwatu

Charles holds a B.S in Information Sciences and Technology from Pennsylvania State University, where he specialized in Information Assurance and Security. He has 13 years of experience and is currently the Engineering Manager, Corporate Security for Netflix.  Charles is very active... Read More →
avatar for Julie Tsai

Julie Tsai

Julie is an Infosec leader and DevOps(Sec) specialist with 20+ years experience in Silicon Valley technology companies ranging from seven-person startups to Fortune 1. She spent 15 of those years hands-on in the technology full stack: network, sys admin, SRE, deployment, developer... Read More →
avatar for Reed Loden

Reed Loden

Director of Security, HackerOne
Reed Loden is the Director of Security at HackerOne, the #1 hacker-powered security platform. He is an information security expert, hacker, and developer. Reed brings over 14 years of security experience to his role at HackerOne where he is charged with protecting the company’s... Read More →

Sunday February 23, 2020 1:30pm - 2:20pm PST
Theater 15 AMC at Metreon

2:30pm PST

OTR: Responding to Firefox 0-days in the wild
Off The Record (unrecorded) This session is an off-the-record talk where the speaker will be discussing targeted attacks on their company using Firefox zero days

avatar for Philip Martin

Philip Martin

CISO, Coinbase
Philip is the Chief Information Security Officer for Coinbase Global Inc., along with Custody Trust Company LLC. In his role, he is responsible for developing the technology, processes and team that safely store one of the world’s largest holdings of cryptocurrency. Under his stewardship... Read More →

Sunday February 23, 2020 2:30pm - 3:15pm PST
Theater 15 AMC at Metreon
Monday, February 24

1:30pm PST

OTR: Campaign Security is Hard
Off The Record (unrecorded)
This session is an off-the-record discussion of cybersecurity challenges pertaining to political campaigns.


Fred Wulff

Fred led the data infrastructure team at the Hillary 2016 campaign. He enjoys diagnosing Vertica outages and long walks through John Podesta's email inbox. Wait. No. The opposite of that.

Dylan Ayrey

I'm a Senior Security. I've been heavily involved in the open source community for a few years, and I've been doing my best to bring security practices into the cloud/devsecops world
avatar for Michael E Fisher

Michael E Fisher

Fisher most recently served as Chief Technology Officer for U.S. Senator Cory Booker's presidential campaign. Before that, he bounced around in engineering management at political orgs (Hillary for America and the DNC) and a mattress company (Casper). In his spare time -- well, all... Read More →

Monday February 24, 2020 1:30pm - 2:20pm PST
Theater 15 AMC at Metreon

2:30pm PST

OTR: Campfire Stories of Vendor Security Horror
Off The Record (unrecorded)
It’s a dark and stormy night. You open your email and there you see it: a response from a 3rd party software company too horrific to be believed. What began as a simple “can we buy this” now becomes your waking nightmare. Should you run away or face this monster? You’re not alone; stay awhile and listen...

It’s campfire time! Tonight’s scary story? Vendor security diligence gone mad. Come join our group of seasoned vendor security experts as they pass around the flashlight and tell spooky tales of negotiation, testing, contracting, and integration with 3rd party boogeymen of all shapes and sizes. But have courage! We have survived, and through our lessons you can too.

avatar for Kyle Tobener

Kyle Tobener

Director, Enterprise Security, Salesforce
Kyle Tobener is a Director of Enterprise Security at Salesforce. He began his professional career as a zoologist but fled the jungle to return to San Francisco and focus on tech. His specialty now is application security, with a side dish of 3rd party vetting and contract negotiation... Read More →

Chris John Riley

Chris John Riley is a Senior Security Engineer at Google, where he leads the vendor security assessments program. In his spare time, Chris collects books (that he never finds time to read), and spends his weekend taking long romantic walks from the sofa to the kitchen (mostly for... Read More →

Monday February 24, 2020 2:30pm - 3:20pm PST
Theater 15 AMC at Metreon

3:30pm PST

OTR: Tears from The Cloud
Off The Record (unrecorded) "When ‘getting pwned’ doesn’t even fully describe what happened" When building your systems and infrastructure in the cloud, you should always consider the attack vectors that you open yourself up to and continually strive to proactively close them. It is common knowledge that when bringing up cloud computing resources you should implement controls such as preventing SSH logins as the root user, disabling password authentication for all users, and limiting which IP addresses can talk to the different services on your virtual machines, as well as requiring multifactor authentication for employees accessing cloud control panels. You can be fairly certain that an alarm would go off if an attacker was able to gain access, and that their access would be limited. But what happens if an attacker takes a different path and your infrastructure provider is compromised instead? Are your systems protected from that vector, and will your heuristics catch it? In this talk, we will tell a story, not from Netflix, but from the not too distant past around a successful targeted attack against a company using infrastructure providers as the vector. Details surrounding the methods used by the attacker will be shared, including the steps they took to attempt to cover their tracks. We will also look at how the attackers attempted to regain access after the initial vector was closed. Finally, we will look at what steps you can take to help mitigate the risks you incur if your infrastructure provider is compromised.


Tim Heckman

SRE, Netflix
Tim is a Site Reliability Engineer at Netflix, working on the team responsible for the reliability of the Streaming Platform. Prior to becoming an SRE at Netflix, he worked at startups in roles focused on the operation, reliability, and security of their applications and infrastructure... Read More →

Monday February 24, 2020 3:30pm - 4:20pm PST
Theater 15 AMC at Metreon