• Shifting Security Everywhere

    As AppSec pro, you may feel that marketing has ruined the meaning of ‘shift left’. It was supposed to mean ‘starting security as early as possible in the SDLC’, but was transformed into “buy our product, put it in your CI/CD, then your apps will be secure”. But we can't just throw a bunch of tools into a CI/CD and call it a day. With this in mind, let’s focus on comprehensive programs, developer buy-in, and making security work for the entire business, by shifting security everywhere.

    Track 4
    Sat 8:30 am - 9:30 am

  • Optimizing red team and blue team operations using automation

    Today’s tech industry is rapidly evolving and demands an increased pace of innovation to uncover newer security and privacy attack surfaces. During these uncertain economic times, Security teams have been challenged to do more with limited resources. And therefore, automating repeated tasks involved in red team and blue operations is essential to drive operational excellence. As we enter the new era where Artificial Intelligence powered Chatbot which can be used for adversarial simulations, let’s understand its impact on red teaming and blue teaming automation. We’ll hear from security engineering leaders about the blue team tooling and processes they’ve adapted or created to keep the modern, distributed enterprise applications and system secure. We’ll also discuss what red teaming automation organizations can do to keep ahead of advanced threats. There’s tremendous value in optimizing red teams attack and blue teams defend tactics using automation - attend this talk to hear 3 experts explain why.

    Track 1
    Sat 9:30 am - 10:30 am

  • Quantum Mania: What you need to know to prepare for the quantum revolution

    We've all seen the phrases like "Y2Q" and "the quantum tipping point" used to scare us into buying "quantum-safe" products, but how can we know what's true and what's just marketing hype? Can we even approach quantum computing without getting a PhD or reliving the trauma of college calculus? In this talk you'll learn what quantum computing is, how it radically differs from classical computing, key algorithms and their applications, and all the ways quantum computers may change (or not!) the face of cybersecurity. You'll walk away with knowledge of how to protect your organization from quantum threats over the coming years, start experimenting with quantum computing today, and avoid spending money on quantum snake oil, all without a single differential equation!

    Track 2
    Sat 9:30 am - 10:30 am

  • Cybersecurity and Infrastructure Security Agency (CISA) Region-10 Services

    Interested in what CISA does and what services we can provide critical infrastructure in the Seattle & King County Area? Join Alex Salazar, CISA Cybersecurity Advisor, as he presents on no-cost services offered by CISA, success stories, and ask questions about what CISA does.

    Track 3
    Sat 10:00 am - 10:30 am

  • Hunting Mustang Panda: Exploiting PlugX DAT File Encryption with YARA

    YARA rules are an industry standard for identifying malware, but what about when the malware is encrypted with a custom encryption algorithm? Understanding the custom encryption algorithm enables the analyst to craft YARA rules for threat groups using these custom algorithms. Since 2019, Mustang Panda has deployed their variant of PlugX via an encrypted dat file. In the past year, Mustang Panda has been varying how this file is decrypted including using obfuscation techniques like mixed boolean-arithmetic (MBA) which increase the difficulty of understanding what the decryption algorithm is doing. As a result, it’s harder to identify patterns that can be exploited to create a more generic YARA rule. This talk will demonstrate using YARA to detect the dat file and how the YARA detection rules can be merged to create a single hunting rule to target these files. Techniques used include the SMT Solver, Z3, along with some YARA tricks to deal with the variations between the case studies in order to make a single rule covering them all. The dat file encryption scheme is likely to change again; however, the techniques shown here will aid analysts with drafting hunting rules to track this group through their encrypted dat files.

    Track 4
    Sat 10:00 am - 10:30 am

  • Workshop: Making IoT devices with ESP32 and Matter

    What's the hot new thing in IoT these days? How about an open source connectivity standard around which the industry seems to be converging? It's called Matter and it's supported by Apple, Google, Amazon, and Samsung. Most importantly, it gives device manufacturers a single standard to develop and test against.

    In this workshop, we'll get a development environment up and running using Espressif's ESP-IDF and ESP Matter SDKs. We'll learn about using development containers to maintain a consistent build environment regardless of host platform. We'll build some sample applications, flash them onto an ESP32 device, and add them to a test environment in the workshop. Along the way, I'll give an overview of home automation standards over the years. You'll go home with an ESP32 device configured as a Matter light or sensor and the the ability to develop your own IoT devices.

    This is an intermediate workshop. There will be no soldering, but you will need a Linux, Mac, or Windows laptop with git, esptool, Visual Studio Code, and Docker Desktop installed. You'll also want to download the 18 gig development container before coming to the workshop so you're not dependant on conference wifi for that. You'll be given clear instructions in advance of the conference of what you need to prepare.

    ### What you'll get
    * An ESP32-S3 dev board with Wifi and BLE support
    * Some I2C sensors to attach to the ESP32 board
    * I2C cable

    ### What you'll need
    * A laptop preconfigured with the workshop tools
    * A USB-C cable to program and monitor the ESP32 board with your laptop

    Workshops
    Sat 10:00 am - 12:30 pm

  • Securing Your Build Pipeline

    The amount of moving parts involved in a build system are staggering, and each and every one of them often has multiple security considerations.

    Supply chain security. License tracking and SBOM creation. Static analysis. Dynamic analysis. Code signing. Container registries and package repositories and version control systems. Password management. Identity management. Server security. Configuration auditing. Alerting.

    How did we come to need all of these… and more?

    This talk attempts to:
    - Give a visual, easy-to-parse understanding of what security controls come in when and where in a build pipeline.
    - Map various controls to the actual threats they’re countering, complete with real world past examples.
    - Highlight which controls are legally required in some of the most common compliance standards.
    - Do a cost-benefit analysis on controls: which controls you should panic if you’re missing versus which are more aspirational as your organization matures.
    - Simplify and extract some generic best-practices around build pipelines, in hopes that you can use them to evaluate new build technologies, systems, or components as you add them or as pipelines continue to evolve.

    Because writing secure software is only half the battle.

    Track 1
    Sat 10:30 am - 11:30 am

  • How I Learned to Stop Worrying and Build a Modern Detection & Response Program

    You haven’t slept in days. Pager alerts at all hours. Constant firefights. How do you get out of this mess? This talk gives away all the secrets you’ll need to go from reactive chaos to building and running a finely tuned detection & response program (and finally get some sleep).

    Gone are the days of buying the ol’ EDR/IDS/NGAV combo, throwing some engineers on an on-call rotation, and calling it your incident response team. You need a robust and comprehensive detection and response program to fight the modern day attackers that threaten to disable, disrupt, degrade, destroy, and steal from the enterprise you protect. But there’s a lot of challenges in the way: alert fatigue, tools are expensive, hiring talent is impossibly difficult, and your current team is overworked from running firefights every day.

    How do you successfully build a modern detection and response program, all while riding the rocket of never ending incidents and unforgiving on-call schedules?

    This talk boils down all that I’ve learned in the last decade about building detection and response programs into 39 minutes. At the end of this talk, you will walk away with a better understanding of all the capabilities a modern program should have and a framework to build or improve your own.

    Top 3 Takeaways
    1. A framework to guide leadership and engineers in building or improving a modern detection and response program
    2. Methods to measure and report on the effectiveness, efficiency, and threat coverage of a detection and response program (and how to identify failures or inefficiencies early and course correct)
    3. Lessons learned on how to empower your teams to succeed and overcome operational timesinks

    Track 2
    Sat 10:30 am - 11:30 am

  • Industrial IoT Security from All Angles

    A deep dive into the journey of IoT security told by someone who has accidentally found himself working on it from all angles.

    "The speaker started this journey in a highly specialized AI-based startup tackling the problems of the shipping industry with devices to bring machine learning to the extreme edge-cases and the challenges in securing them.

    He then took a step back to address larger scale issue of supply chain issues facing the development of software for (amongst others) Finnish critical infrastructure providers. A topic of critical importance for Finland given their "Not-quite-NATO" status and precarious Eastern neighbour.

    Now the presenter has a story to tell. The journey will go from the threat modelling processes for applied to IoT, technical controls, data protection requirements and more, before shifting focus to the supply chain to tackle the problems when you find yourself adjacent to vital Industrial-IoT targets."

    The presentation is story-based, with a peppering of technical details without going too deep into specific processes, and is set to include take aways on the lessons facing IoT manufacturers today and how to excel in that space with regards to security.

    Track 3
    Sat 10:30 am - 11:30 am

  • PBR and Kittens

    This talk will cover an incident involving APT 35 (Charming Kitten, Nemesis Kitten) and an Oil and Gas client. We will discuss TTPs, IOCs, MITRE ATT&CK and the kill chain, and how we handled recovery. Presentation structure is based on the NIST Incident Response Lifecycle.


    Track 4
    Sat 10:30 am - 11:30 am

  • An AppSec guide to practical Cryptography

    Cryptography is vital to protect sensitive information and secure communication in today’s applications and services. With the increasing amount of sensitive data being transmitted and stored electronically, cryptography plays an important role in ensuring the privacy and security of individuals, organizations, and governments.

    This is a fresh topic based on sessions I have delivered at work.

    In this session, we will:

    1. cover the functions of cryptography in the system, discuss its applicability across the stack (networking, secrets and credentials handling, access control, digital signatures, etc ) alongside the CIA triad.
    2. go over a high Level understanding of hashing, encoding and encryption
    3. perform a mini cryptography security review with a practical use case, discuss questions to ask about the system and the cryptography algorithms/ primitives to consider.
    4. cover what to look for in a threat model for cryptography

    Track 1
    Sat 11:30 am - 12:30 pm

  • How to Nix Overprivilege in Authentication and Access Systems

    This talk explores the future of privilege and trust in authentication and access systems, then proposes strategies that can be use to reclaim authentication systems from overprivileged, trust-enabled technologies. I will discuss trustlessness, a notion common in cryptography (where it forms the basis of "threshold cryptography," "secret sharing," and "multi-party computation") that ensures a system is designed such that a compromise of one of its components does not compromise the whole. With a specific focus on authentication systems, this talk will unpack why most modern "zero-trust" solutions represent an Achilles' heel because they are centralized, trusted, and highly privileged.

    We will first explore the trend of using single sign-on (SSO) for login and then discuss replacing long-lived user credentials with short-lived credentials issued by a certificate authority (CA).

    While the first approach has well-known usability and security benefits, there is a crucial downside that is rarely discussed: as the SSO provider acquires admin-level privileges and trust in an organization's infrastructure, there is more and more risk that a compromise of the SSO could lead to a catastrophic breach of other systems. By contrast, in a trustless architecture, a compromise of the SSO provider would not impact the system because it was built to include an additional control—for instance, independent multi-factor authentication.

    Similarly, in the second approach, the premise is that the risk due to credential theft is reduced because short-lived credentials expire quickly. Nevertheless, the CA secret key used to issue credentials is highly sensitive because its theft or misuse could have a catastrophic impact on the other systems that trust the CA to issue credentials. By contrast, a trustless architecture may split the secret key that issues credentials across multiple independent environments. That way, compromising one environment does not lead to all the systems that rely on the CA being compromised.

    Security engineers are traditionally trained to focus on end-user or server compromises—not a breach of the authentication system itself. After all, such systems are trusted as a single source of truth. As a result, we increasingly see highly privileged trusted entities targeted, like the 2022 Okta and Uber breaches or the 2023 CircleCI breach. This talk aims to highlight the problem and discuss various approaches that can help, including the use of multiple roots of trust, independent MFA and codes signing techniques using emerging technologies like sigstore.

    Track 2
    Sat 11:30 am - 12:00 pm

  • xIoT Hacking Demonstrations & Strategies to Disappoint Bad Actors

    We’ve unleashed our dark allies from the nightmare dimension on an unholy crusade to demonstrate cyberattacks for your enlightenment. If you love seeing devices compromised as much as we do, join us for some hacking demonstrations, detailed security research findings, and threat mitigation techniques that will disappoint bad actors. Share your new knowledge around the water cooler, apply these preventative security strategies within your own organization, and become the cool person at the office party everyone wants to hang out with regardless of that cat sweater you insist on wearing.

    We’ll demonstrate several hacks against xIoT, or Extended Internet of Things, devices. For those who would say, “But they’re just security cameras monitoring the parking garage, wireless access points in the cafeteria, or PLCs controlling robotic welding arms; what harm can they cause?” - this will illuminate that harm.

    We’ll share stories from the trenches involving cybercriminals, nation-state actors, and defenders. Our presentation will detail findings from over six years of xIoT threat research spanning millions of production devices in enterprises and government agencies around the world. We’ll identify various steps organizations can take to mitigate risk while embracing a Things-connected world.

    xIoT encompasses three disparate but interrelated device groups that operate with purpose-built hardware and firmware, are typically network-connected, and disallow the installation of traditional endpoint security controls. The first group contains enterprise IoT devices such as VoIP phones, security cameras, and printers. The second group includes operational technology such as PLCs, building automation systems, and industrial control systems. The third group consists of network gear such as switches, load balancers, and wireless access points.

    There are over 50 billion xIoT devices in operation worldwide. Most of these devices run well-known operating systems like Linux, Android, BSD, and various real-time operating systems like VxWorks. Additionally, many xIoT devices have open ports, protocols, storage, memory, and processing capabilities similar to your laptop. But there is a major difference. Even though most enterprises and government agencies have tens to hundreds of thousands of these devices in production, they go largely unmanaged and unmonitored.

    These xIoT devices typically operate with weak credentials, old, vulnerable firmware, extraneous services, and problematic certificates. This massive, vulnerable xIoT attack surface is being successfully exploited by bad actors engaging in cyber espionage, data exfiltration, sabotage, and extortion, impacting xIoT, IT, and cloud assets.

    Nation-states and cybercriminals have shifted their focus to xIoT attacks. Why? Because they work. Military-grade xIoT hacking tools are in use, cybercrime for hire that’s predicated on compromised xIoT devices has been monetized, and organizations worldwide are already “pwned” without even knowing it.

    Bad actors are counting on you being passive by not mitigating xIoT security risks. They want you to fail so they can continue to evade detection and maintain persistence on your xIoT devices. Disappoint them! Take your xIoT devices back by understanding how to hack them, recognizing where they’re most vulnerable, and employing strategies to successfully protect them at scale.

    Track 3
    Sat 11:30 am - 12:30 pm

  • Unleashing the Inner Hacker: The Power of CTFs in Cybersecurity Education

    TLDR:
    Become a cybersecurity hero with CTFs! This talk shows how these fun, educational games in K-12 education build skills and diversity in the cyber workforce.

    Description:
    Are you passionate about cybersecurity, but feel like you're missing out on the action because of a lack of experience or education? Look no further! This talk will show you how Capture the Flag (CTF) competitions can be the key to unlocking your potential as a cybersecurity professional. CTFs are games that teach cybersecurity skills by providing challenges to be solved, and they're a fun and engaging way to learn. But that's not all - I will also show you how integrating CTFs into K-12 education can help build a diverse and inclusive cyber workforce for everyone with the potential to succeed. Don't miss out on this exciting opportunity to start your journey towards a fulfilling career in cybersecurity!

    Takeaways:
    1. Solving the cyber workforce problem requires outreach to K-12 and teaching teachers to ensure a diverse, inclusive talent pool, and CTFs can be a key solution in this effort.
    2. CTFs can be integrated into trainings and coursework to foster a creative, hacker-mindset and operate like video games or sports that keep players captivated. They are team-building and friendship-building, and can bring people together to build communities.
    3. CTFs can inspire students to pursue cybersecurity as a career and can be valuable for a wide range of people, including teachers, high school students, parents, cybersecurity communities, and those pivoting their career into cybersecurity.

    Track 4
    Sat 11:30 am - 12:30 pm

  • Everyone is a hacker. Convert your friends.

    Everyone is a hacker, I've converted a pastor, biomedical engineer, and construction manager to the pentesting way of life. In this talk I'll cover how to think like a hacker to land a job, build a community, and break into the industry.

    Career Village (Talks)
    Sat 11:30 am - 12:00 pm

  • Grokking Machine Learning Performance in Security Applications

    Or, "Is that new fangled ML algorithm really going to work? Maybe."

    Our audience is anyone who wants to intuitively understand the promise and performance limitations of machine learning in the security space. Our goal is to give you a sense of why things that look great in the lab go awry in practice, and to do so in a way that you can apply that intuition to other applications. But we're also going to challenge the obsession with false positives and introduce the real measure that matters outside of the lab. We're going to ground the talk in the reality of detecting data exfiltration over DNS, for which we have a lot of real world experience.

    And try to do all of this in about 24 minutes... ;)

    Track 2
    Sat 12:00 pm - 12:30 pm

  • Hacking the Hiring Process

    Tips and tricks from a security recruiter on how to accelerate your time from application to interview

    Career Village (Talks)
    Sat 12:00 pm - 12:30 pm

  • Lost in Translation - Translating Security Speak to Dev Speak

    Do you hear that? It’s the sound of developers groaning about another security engagement that is cumbersome, unactionable and doesn’t respect product deadlines. Security has often become the office of No and lacks the respect for product ship deadlines and functionality that modern business needs to succeed. Gone are the days where security practitioners sit in their ivory towers dispensing wisdom from on high and expecting compliance without understanding what compliance looks like in terms of dev effort. If you want to be successful in the new modern era of DevSecOps you have to learn to think like a developer and more importantly speak in terms that resonate with developers. At the end of the day, security isn’t sorcery it’s just engineering with a different problem statement.

    In this talk, we’ll discuss:
    How you can integrate into the development process
    How to give actionable security feedback.
    How to empower devs to be their own security champions
    How to turn every crisis into an opportunity for proactive security engineering

    Finally, we’ll talk about how you can integrate into the developer cycle even if you’re not a developer and how to sell security wins as a decrease in run the business costs.

    Track 1
    Sat 1:30 pm - 2:30 pm

  • Using Machine Learning to Classify Security Issues: Why, How and Future Directions

    Introduction:
    A security team in any organization must deal with product security bugs or issues that are usually filed, triaged, and fixed via a ticketing system. However, as the organization grows, multiple teams spawn within security, each with its own specialization and its own way of filing security tickets. Eventually, we not only have a huge volume of these tickets, but we also start losing consistency in how they are categorized and catalogued. Thus, while we get better at finding and fixing security issues with time, we miss the big picture due to these inconsistencies in categorization – Are we finding the same type of issues repeatedly? Are these issues coming in because we are falling short of adhering to certain security best practices? Are we seeing multiple vulnerabilities that have publicly available exploits?

    This presentation will focus on classifying security tickets into simple categories using machine learning, and how this can help us analyze a large volume of tickets in any organization, thereby finding patterns and answering questions such as those outlined above.


    Detailed Outline:
    1. Simplifying Security Categories -
    The first part of the presentation will cover finding a consistent method of categorizing security issues. Although industry standards exist for this, such as, CVE (Common Vulnerabilities and Exposures), they are too many in number (~200k CVEs) and too granular. They can also get confusing, especially when providing security guidance to developers. Thus, we need to find issue categories that are basic, comprehensive, and simple to understand, such as, Input Validation.

    2. Machine Learning to the rescue -
    Once we have identified security categories, we then need to classify hundreds of thousands of tickets in a manner that can be automated and scaled. Security tickets contain detailed issue descriptions which can be utilized for this classification problem. In the second part of the presentation, we will discuss the technical details of how we used Natural Language Processing and Supervised Machine Learning to build models that can take a security issue description as input and classify it into one of the basic security categories.

    3. So we have classified security tickets. Then what? -
    When all security tickets have been classified and tagged, we can start analyzing them to uncover patterns, such as, what percentage of total issues can be attributed to each category, what trends are we seeing in issues belonging to a certain category over time and across products, etc. In the final part of the presentation, we will share some ideas for analyzing security issues after they have been classified, and how such analytics can help an organization zoom out from day-to-day fixing of issues to recognizing overall key areas of security that needed to be improved.


    Key Takeaways/Conclusion:
    1. This talk will provide a fresh perspective on tackling and analyzing security issues at scale and using the inferences as feedback for building a more strategic security program at any organization.

    2. Participants will also walk away with ideas on how to work with huge volumes of security data and find opportunities to leverage machine learning to simplify security tasks and operations for their teams.

    Track 2
    Sat 1:30 pm - 2:30 pm

  • Verifiable Election Technology – How Voters can Check that their Secret Votes are Correctly Counted

    With traditional election technologies, voters have little choice but to trust that others will curate and count their votes properly. They must trust their local election officials; they must trust the equipment that they use and, by extension, the vendors who built and programmed the equipment; and they must trust numerous other individuals and processes of which they may not even be aware. Even with hand-counted paper ballots, individual voters can observe at most a tiny fraction of the process and must trust others to ensure that the election tallies are correct. We can do better.

    This prentation will show how "end-to-end verifiability" can be used in elections to enable voters can confirm for themselves that their votes have been accurately counted - without having to trust any software, hardware, or personnel. This is not just an academic exercise. Systems have been built and piloted in actual elections, and there is reason to be optimistic about broader deployments in the near future.

    Track 3
    Sat 1:30 pm - 2:30 pm

  • Unmasking the Godfather - Reverse Engineering the Latest Android Banking Trojan

    Join me for a deep dive into the world of Android banking trojans where we focus on the pervasive Godfather malware. Banking trojans have been wreaking havoc on users for years with millions of downloads within the Google Play Store. The Godfather malware surfaced towards the end of 2022 as one of the many Android malware families that attempt to steal a user’s credentials and generate malicious transactions. We'll fully reverse engineer a real-world Godfather sample to extract the sneaky tactics it uses to gain access to your sensitive data. This will focus on the analysis of AccessibilityService abuse for additional privileges, SMS message spying, RAT behavior, and even fake HTML overlays designed to trick users into willingly entering credentials. But don’t worry, I’m not just here to scare you! By the end of this talk, you will thoroughly understand the behavior of Android banking trojans and likely think twice before granting application permissions.

    Track 4
    Sat 1:30 pm - 2:30 pm

  • Honey, I'm Home - Workshop! (Customizing honeypots for fun and profit!)

    Honeypots AND live demos all in one place? Yes, why YES I tell you! Sure, honeypots aren’t new, but how they’re used is what makes this talk different. Presented for your viewing pleasure: customized honeypot configurations and how they are used to detect attacks against your environment.

    Honeypots are not new, but how they are customized and deployed is what makes this talk a bit different. In this workshop you will learn about and build customized and specific honeypot configurations. Examples of how they are used to not only catch attacks against your environment but also detect attacks from a compromised device in your infrastructure (you know, that lateral movement thing).

    Introduction to the different types of Honeypots and key issues with planning, architecture and deployment. One of the biggest issues with poor use of honeypots is not about setting them up, but customizing and using them the right way. Now referred to as “deception tech”, honeypots can provide a level of detection and defense against many types of attacks, but when the honeypots are easily detected, they serve no purpose. By customizing and planning deployment methodically and changing the defaults, a real security tool is created.

    We will build a couple of different honeypots from a virtualized environment and review deployment concepts in greater detail. In addition, customization steps will be further showcased as well as steps on combining different types to fully emulate different servers, devices and services. And let’s not forget about logging and monitoring. What good is a detection tool that only logs to itself. I’ll present opensource solutions for collecting and analyzing data from all the honey-sources.

    Key takeaways:
    1. Different types of honeypots
    2. Honeypots and deception tech - not your mother’s honeypot (customizing)
    3. Planning stages - this is CRITICAL for successful deployment
    4. Setting up collectors/SIEM for analysis
    5. CCAD <— now THIS is important
    6. Automation of the deployment cycle
    7. Real world analysis - reducing false positives to .01% (really really small)

    The critical points for this entire workshop will be planning, customizing, building and deploying honeypots in real scenarios and showing how they can protect against rogue attacks as well as insider risk.

    Workshops
    Sat 1:30 pm - 4:30 pm

  • IKIGAI for security professionals!

    Whether it's the great resignation or layoffs due to macroeconomic slowdown, according to CNBC, the average tenure of a security professional has reduced to approximately 18 months. Successful cyber security professionals always seek a meaningful career and environment to support it. However, some of the top reasons why cyber security professionals leave their jobs are mainly skill gaps and reactive nature of most security jobs and as a result increasing high stress levels and burnouts. In this talk, we will present the popular Japanese concept “Flow of IKIGAI” that can be used to assist security professionals to embark on a purposeful career growth journey. Join us to learn how to discover your passion, build the necessary technical domain specific skills and soft skills to make your career profile indispensable. Understand the role networking and giving back to the community plays in creating a top notch security career. Leadership will learn how to hire the best talent and build high performing security teams. The talk will also cover what it takes to create a thriving environment for security team members so that leadership never has to worry about the great resignations.

    Career Village (Talks)
    Sat 2:00 pm - 2:30 pm

  • New Apps, Good Snacks: Threat Modeling a Completely New Feature

    It’s a great day in product security: a team you work with trusted you enough to reach out for a security review on a new feature. The product manager is excited! So are engineering and growth! They just need security’s blessing to move forward. The new feature involves functions, devices, and contexts which have never been considered in the secure design of your product.

    We’ll look at a fictional snack loyalty app that wants to go beyond mobile to have a physical check-in experience. How will users authenticate? What do we need to consider around a new user role or altering an existing one? How can we keep users and their data safe while supporting an easy-to-adopt and fun user experience? We’ll threat model together and then look at how to relate recommendations to diverse teams, leaving the audience with a better sense of how to threat model in complex situations and communicate effectively.

    Track 1
    Sat 2:30 pm - 3:00 pm

  • Web Assembly for Detection Engineering

    Particularly when faced with evasive adversaries, security engineers tasked with defending web applications have historically been forced to make difficult trade-offs in how detections are implemented. Typically, when the detection is located within a component that is external to the system being protected, bypass is an ever-present risk while lost context forces detections to consider only what’s visible over the wire. However, when a detection is placed within application logic, it gains context but may now be both tightly-coupled and less able to shield the system from the impact of volumetric threats.

    Web Assembly offers an alternative option. WASM is sandboxed, flexible, highly performant, and it can be customized to provide guest functions with a comprehensive API for detection engineering purposes. First-party detection functions can use WASM’s capability-based security model to maintain the advantages of full request context while operating at ingress, egress, or even within a service mesh. Third-party detections can even be deployed with confidence due to the sandbox. This type of execution environment is also well-positioned to offer the sort of fine-grained telemetry and observability that security engineers need to achieve high accuracy.

    This talk will cover some of the scenarios that benefit from this type of approach and then explore what a detection environment based on Web Assembly might look like. We’ll look at a range of techniques that can be employed with Web Assembly, including rule-based detections, statistical analysis, and machine learning. Finally, we’ll highlight some of the operational improvements that we can have with a loosely-coupled, fully-programmable detection capability. This talk is for anyone who has ever needed to respond to malicious activity at any layer of an application stack, and inclusive of both security and anti-fraud disciplines.

    Track 2
    Sat 2:30 pm - 3:30 pm

  • FedRAMP as an OnRAMP

    We’ve all heard about it, the big monster that is FedRAMP. It’s huge, endless, and it seems to be coming at you from everywhere all at the same time. StateRAMP, TxRAMP, SBOM, and even the DoD Impact Levels. Yikes!
    Once you understand how FedRAMP works you can use it to create effective dashboards with quantitative numbers around those hard to capture security topics. Numbers you can use to drive investment, engagements, and roadmaps that allow everyone else in the organization to come along with you. When done in this straightforward and stepwise way, FedRAMP gets them to open their wallets for the things we all know are important, but that never seem to be approved.
    FedRAMP is an onramp to a new visibility and confidence in the security of your system and gives you a way to communicate that status to all types of internal and external stakeholders. Also, once you are ready to complete the audit, FedRAMP opens up a major new market: the US Federal sector.

    Track 3
    Sat 2:30 pm - 3:30 pm

  • Minimum Viable Security for Cloud Native Stacks

    If we think about our production microservices operations, in the same way we think about how we design and build our products, we could build and automate minimum viable security plans that we could easily bake into our config files and CI/CD processes. Once we build this foundational framework of security, it will always be possible to iterate and evolve our security framework, for advanced layers of security that often comes with time, increased experience, and greater maturity around security.

    In this talk, we will present what MVS looks like for cloud native operations, how to build a cluster secured by design, continuously monitoring networking, container internals and primitives, and access management with a least privilege principle mindset. In this session we will demonstrate this through code, and even how this can work seamlessly with other the most common DevOps stacks - Terraform, to AWS, Github Actions and more.

    Track 4
    Sat 2:30 pm - 3:30 pm

  • Getting Paid: Proven Compensation Negotiation Techniques

    We love what we do, but it's the income that supports ourselves, our families, and our hobbies. You get paid the amount that you can negotiate. Let's maximize that amount and not leave money on the table!

    I've negotiated base, bonus, and equity compensation in diverse situations, from startups to large tech companies. Through this experience, I've developed a system that works consistently to substantially increase an initial offer, sometimes by as much as 75%. My counter-parties included CEOs and CFOs, who were more eager to bring me on board at the end of the negotiation, not less. On the flip side, I've hired dozens of people and seen the process from the inside.

    In this session, I'll discuss multiple real world examples and show step-by-step how to communicate the value you bring. We'll explore benchmarking, negotiating a framework before talking numbers, and how to keep the conversation positive. You'll come away with a system you can apply to increase your earning potential by at least $1M over the course of your career.

    Career Village (Talks)
    Sat 2:30 pm - 3:00 pm

  • Throw your (App)Integrity out the window: Bypassing Device integrity checks on iOS

    Managing device states and asserting app integrity has always been challenging, but these OS-specific measures work IFF done correctly. In this talk, we will discuss common pitfalls when implementing solutions leveraging iOS’s DeviceCheck framework.
    Targeting the weakest link, we strike the app’s server component which communicates with Apple to attest the validity of the ephemeral tokens identifying the device. Some attacks also feature bypassing client-side restrictions to interact with the backend APIs. We will also discuss dynamic instrumentation techniques patching the key methods to achieve these objectives.
    Security Engineers and developers alike will appreciate these techniques to harden their app implementations.

    Track 1
    Sat 3:00 pm - 3:30 pm

  • GRC and You: Putting your Career on a Rocket Ship

    Many a security practitioner has told me that they see GRC as "the boring, audit stuff". While it is true that GRC includes audits and related activities, it also provides those that are willing to learn an abundance of experiences, perspective, and skills, similar to how security and software engineering goes deeper than typing code to magically make things work. A healthy dose of GRC experience provides a more holisit insight into the "why's" and "how's" of business operations. This insight enables us to be more effective partners across our organization, deliver more value to other teams, and strategically navigate the ever-changing landscape of threats and regulatory requirements.

    During our time together, we will:
    - Briefly define GRC as a set of functions and roles,
    - Discuss how GRC impacts each team/department in an organization,
    - Identify ways to develop and implement GRC skills in your current (or desired) role, and
    - Promote and advocate for GRC as a business enabler

    Career Village (Talks)
    Sat 3:00 pm - 3:30 pm

  • Managing DocuSign’s BugBounty Program

    A bug bounty program for a company should be like a sandwich for Russ Duritz: “There’s safety in sandwiches”. Having a bug bounty program will allow your company to know more about the threats that might have been exposed publicly without you knowing it. Because these threats will be safely reported, the company will have time to solve them and, at the same time, you give appreciation to security researchers by either allowing them to disclose the vulnerability, reward them with cash or both.

    In this talk I’m going to show you how DocuSign set up its bug bounty program with Bugcrowd, what sets DocuSign's program apart from others, what are different ways to structure a bug bounty program and some hints and tips learned from the trenches.

    Track 1
    Sat 3:30 pm - 4:00 pm

  • Managing Coordinated Vulnerability Disclosure - The Art of Wrangling Cats

    Security researchers around the world are doing a great job reporting security vulnerabilities to affected vendors and companies to help protecting users world-wide. We all enjoy learning the technical details and stories behind the vulnerabilities. However, the process of Coordinated Vulnerability Disclosure (CVD) is not always straightforward as it seemed. When a coordinated vulnerability disclosure involves multiple vulnerability and/or vendors, there are a lot more goes into the disclosure process. The Microsoft Vulnerability Research (MSVR) program has been a part of many different CVDs and we are the middle-man that ensures the disclosure is done responsibly. This talk will present you with some insight into the "invisible" but important portion of the CVD that we don't often see or hear about that involves the case management team that coordinates these disclosures.

    Track 2
    Sat 3:30 pm - 4:00 pm

  • Infrastructure Resilience through Cross-Disciplinary Coalitions

    Recent attacks against critical infrastructure have emphasized the importance of holistic resilience and rapid response capability. Addressing emergent threats necessitates collaboration with stakeholders across disciplines and sectors. The most successful strategies empower communities through coalition-building and consent-based governance. This session will explore successful strategies to develop partnerships, while navigating regulatory and data sharing constraints. Case studies will include work with infrastructure service providers, native nations, research institutions, disadvantaged communities, elected officials and more.

    Track 3
    Sat 3:30 pm - 4:30 pm

  • Hiding Your Web Payloads From Those Pesky Researchers

    By using some simple networking tricks, a threat actor is able to hide their malicious web payloads ( C2, cred harvesting page, malicious ad revolver, that sweet Chromium 0day, etc. ) behind a benign web site, similar to a drug running campaign operating out of the back of a seemingly legitimate furniture store. Requests from designated target IP ranges are presented with the payload while requests from elsewhere on the Internet are presented with the benign web site acting as a front. Adding to the frustration for researchers and investigators, the payloads can be stored anywhere with Internet access, including behind NAT and Tor, while the front is hosted on trusted cloud infrastructure.

    This talk will be presented from an offensive perspective due to the fact that it lends itself to a relatable narrative. However, the intent is to raise awareness of this particular technique to defenders so they can reassess their threat models if necessary. The technique presented isn’t just relevant to security practitioners. It can even be applied to a project as pedestrian as putting a Raspberry Pi on the Internet without port forwarding into a home network.

    Track 4
    Sat 3:30 pm - 4:00 pm

  • Incident Handler's Guide to Notifications

    Breaches, data leaks, misconfigurations, increasingly strict laws and regulations have become common enough for IR Teams to require notification strategies. You may be proficient at investigating forensic details, reading packet captures, and analyzing memory dumps but do you have the skills and preparation to write customer notifications of a breach? Can you help translate the details of an incident to your legal team to author the public notice on your website of a personal data leak? If you are part of an Security Incident Response team and want to get ahead of the curve for your media cycle, join us in reviewing the Incident Responders' Guide to Notifications.

    Track 1
    Sat 4:00 pm - 4:30 pm
Session and Speaker Management powered by Sessionize.com