Dwayne McDaniel

Developer Advocate at GitGuardian and huge fan of open source

Chicago, Illinois, United States


Dwayne has been working as a Developer Relations professional since 2015 and has been involved in tech communities since 2005. He loves sharing his knowledge, and he has done so by giving talks at over a hundred events worldwide. Dwayne currently lives in Chicago. Outside of tech, he loves karaoke, live music, and performing improv.

Awards

  • Most Active Speaker 2024
  • Most Active Speaker 2023
  • Most Active Speaker 2022

Area of Expertise

  • Information & Communications Technology

Topics

  • DevOps
  • security
  • cyber security
  • secrets management
  • Secrets scanning
  • API secrets
  • Security & Compliance
  • DevSecOps
  • InfoSec
  • Automated Security
  • web security
  • Cloud Security
  • Security
  • IT Security
  • Cloud App Security
  • Enterprise Security
  • Kubernetes Security
  • OWASP
  • Open Source Software
  • IAM
  • Access Management
  • Machine identity
  • non-human identities
  • Identity & Access Management
  • Identity Governance
  • identity & authentication

Who Goes There? Actively Detecting Intruders With Cyber Deception Tools

Intrusion detection works best when you can discover the attacker while they are still in the system. Finding out after the fact does little to protect your systems and your data.

Ideally, you would want to set an alarm that an attacker would trigger while limiting the damage to your environment. Attackers follow predictable behavioral patterns as they explore a compromised environment, and we can use those patterns to our advantage by engaging in defensive cyber deception.

You might already be familiar with the concept of honeypots: false systems or networks meant to lure and ensnare attackers. There is a subclass of honeypots, called honeytokens, which require almost none of the overhead, are simple to deploy, are used by many industries, and lure attackers into triggering alerts while they are trying to gain further access.

Takeaways:
- Analysis of recent breaches for common attack behaviors
- A history of cyber deception and the evolution of honeypots in defensive strategies
- Understanding how honeytokens work
- Maximizing the impact of honeytokens

What Is Going On In Your Source Code? Understanding SCA In Plain Language

Over the last few years, terms like SBOM, VEX, SLSA, and GUAC have crept into our supply chain security discussions. While we all agree, on the surface, that knowing what is in our code is likely a good idea, for a lot of teams this feels like another set of boxes to check when filing security compliance paperwork. But what is really going on here, and what is driving us into this acronym soup?

In this session, we will explore these terms and the deeper questions they are trying to answer. You will walk away with a more holistic understanding of where we need to go as an industry to protect ourselves from the current and future waves of threats on the horizon. Before you throw another security tool at the problem or throw your hands up in despair, let's explore why a better understanding of these ideas means being able to better protect your organization.

Stand Up Straight - Security Posture And You

Someone likely told you to stand up or sit up straight at some point in your childhood. We buy ergonomic chairs and desks to help us maintain a healthy posture while we work. We have been told forever that good posture has benefits for our joint and muscle health. We instinctively understand how to straighten our stances and spines. But, a new kind of posture has recently emerged that is not as intuitive: security posture.

Without understanding what good security posture is and how we can measure it, being told to improve it is about as helpful as being told to "get better at security." While there is no 100% right one-size-fits-all way to approach security, mapping your goals against your current tools and processes is going to give you a much better view of how you can improve your security stance.

Solving Secrets Sprawl Takes More Than Security: Why Machine Identity Is Everyone's Problem

When a security event occurs, most teams tend to jump into a circle of blame. Everyone takes their turn saying, "It can't be my fault." Unfortunately, for many companies, the Security team is ultimately seen as at fault when a breach happens; after all, it is a security incident.

Long-lived credential leaks, aka secrets sprawl, are possibly the single largest security risk every organization is currently facing. No security team can solve this growing issue on its own. This is going to take a full team effort and rethinking some of the relationships and silos we have become accustomed to in the tech world. There has never been a better time to rethink how we build complex applications and how they interact with the world.

In this talk, you will:
- Get an update on the latest secrets security research
- Ask who really owns security and identity
- Map possible routes for a secrets-free future
- Rethink Git and pull request workflows and see why that is more involved than you think

Shifting Security All The Way Left: Rethinking The Role Of The Whiteboard

With the rise of DevSecOps, "Shifting Left" has become an industry buzzword. To some, it has been interpreted as "let the developers figure it out." For a lot of people on the left side of the software development lifecycle, such as developers and platform engineers, this can seem like an oncoming avalanche of standards, 40+ page PDFs, and requirements that come from teams who never talk to an end customer.

But what if we shift all the way left? All the way to before the developers write a single line of code? What if we start building security into our projects while they are still just drawings on a whiteboard? It turns out that a few extra hours and some very inexpensive whiteboard ink, applied early on, can improve security, encourage better cross-team collaboration, and make for a smoother overall build and deployment process.

This session is for any developer who is frustrated with failing tests late in the dev process. This session is also for security teams who feel isolated and who end up in adversarial positions. This is for any team member who hates the devs vs. security mentality that is present inside so many organizations. Let's learn to work together earlier, with better, more secure code as a result.

In this session, we will walk through:
- The issue with security and most teams' SDLC
- What sharing security responsibility was supposed to solve
- A developer's overview of threat modeling
- You want to use what data? How to deal with compliance early
- Establishing an ongoing communication plan

Secrets Security End-To-End

Credentials allow human-to-machine and machine-to-machine communication. According to recent research, 93% of organizations had two or more identity-related breaches in the past year. It is clear that we need to address this growing issue. Unfortunately, many organizations are OK with using plaintext credentials, which we should all know not to do by now.

The problem goes beyond adding these credentials to build systems and to our code. Secrets sprawl into our local scripts, communication tools, and project management tickets daily. Attackers know this and are counting on you not getting a handle on the problem before they break in.

Given the scope of the problem, what can we do? Let's make a plan!
- Secrets Detection
- Secrets Management
- Developer Workflows
- Secrets Scanning
- Automatic Rotation

By the end of this session, you should have a clear roadmap for taming the machine identity mess in your code and pipelines.

Offloading Tribal Knowledge Through Notebooks

When was the last time you looked at your organization's playbook for incident response? Is it up to date? Are you sure?

Playbooks are awesome, in principle. These step-by-step guides can help a new team member onboard quickly and handle incidents like a pro! But that assumes that they exist for your team and that they are up to date.

At the same time, every team has one or two superheroes who have been around long enough to have seen it all, and know exactly what to do when the situation gets rough. But what happens if they leave? Do they have time to train the next turnover of employees to take over?

Borrowing from the toolset of data science, we can turn every incident into an opportunity to define and refine our playbooks by turning them into notebooks.

Jupyter Notebooks are a mature technology that supports many programming languages and lets anyone run the right code when they need it. Notebooks are also easy to update and keep under version control, which makes them easy to distribute and keep current.

Long Live Short-Lived Credentials - Auto-rotating Secrets At Scale

By now, you are very likely aware of the problem of secrets sprawl. Millions of hardcoded plaintext credentials keep showing up online in easy-to-scan places year after year. Worse yet, adversaries have gotten very good at exfiltrating and validating these secrets. Rotating the key or password after an attack is far too late.

What if every credential that an adversary could find expired before they could exploit it? What if keys, just a few hours old, no longer worked?

Let's embrace a future of proper secrets management and auto-rotating secrets. It might seem overwhelming at first to consider accomplishing this, especially if you have never tackled secrets management before, but for many systems, this is easier to achieve than you might realize.

In this session, you will:
- Get an update on the state of secrets sprawl
- Diagram auto-rotation architectures
- Plan a secrets audit and code refactor strategy
- Start the email that will help you convince the team

I'm A Machine, And You Should Trust Me: The Future Of Non-Human Identity

Security boils down to trust. Trusting that the code will do what is expected and is free from vulnerabilities. Trusting that the entities interacting with our data and resources have the right to access those resources. Our current approach to both human and non-human access uses the same basic flawed pattern: long-lived credentials.

This approach to trusted access does not take into account who or what is requesting the resource. These secrets, which quite often leak, are an attacker's best friend and are central to how attackers think about getting into and moving throughout your systems.

What if instead of simply asking for a security key or credential to gain access, our applications, workloads, and resources asked "Who are you and how can you prove that?" Humans can move towards leveraging our non-changing characteristics, like biometrics. But what about machines? Especially in the world where pods and workloads last for only hours or days?

Hidden Dangers Of AI In Developer Workflows: Navigating Security Risks with Human Insight

AI tools like ChatGPT and Copilot have become indispensable in developers' daily workflows. Whether it is for code samples and scaffolding, prototyping, or documentation, AI can help eliminate a lot of toil from the developer's day-to-day.

However, there are hidden dangers that AI has introduced that are worth exploring. The good news is that for most of these concerns the answer is not more tech or tools, but something we have been getting right for generations: humans in the loop!

This presentation will explore the critical security challenges associated with AI-enhanced development workflows and the essential role of human oversight in mitigating these risks.

We'll look into three major areas of concern:
1. The AI told me to do it that way…
2. Hallucinations everywhere
3. Where did my data go?

Join this talk to see some real examples of AI getting it wrong, but stay for a discussion on how you can leverage already existing tools to make the best use of the most valuable resource in the company…your team's time. Expect to leave with a fresh perspective on how bright a future we can build as people fostering more secure and efficient development practices.

Do you know where your secrets are? Exploring the problem of secret sprawl and secret management

Do you know what Uber, CircleCI, and Toyota all have in common? They had hardcoded credentials in plaintext somewhere in their environments, which led to either a public leak or enabled an attacker to expand their footprint during a breach.

It is easy to understand why hardcoding secrets is a problem, but do you know how widespread this problem is or how fast it is escalating? Do you know how it keeps happening? Do you know what you can do about it?

This session will deep dive into the research around secrets sprawl and compare it with historical data to show how much worse the situation is becoming, as well as what type of secrets are most commonly involved. We will also explore how to evaluate the maturity of your secrets management strategies and what steps you might consider next on your security journey.

In this session, you will:
- Hear about the state of secrets sprawl
- Discover the most commonly leaked credentials
- See how you can stop secrets sprawl in your organization by shifting left
- Learn to measure your secrets management maturity

So My Credentials Have Been Leaked...Now What?

While we can hope our passwords, API keys, and certificates are secure and private, hope is not a strategy. Sometimes our credentials get published in a log, in source code, or in some other place a malicious actor can access. In the best-case scenario, you find out immediately and can work to fix the issue without impacting any other systems or teams. In the more likely worst-case scenario, you have to go through some painful conversations and take significant time away from pushing customer-delighting code to deal with a pretty scary circumstance.

What makes credential leakage such a terrifying topic is, at least in part, the paralysis of not knowing what to do, or where to start the conversation. In mature organizations, security teams might have protocols and email addresses in place to escalate these situations. In many organizations, you might be starting from scratch.

This session will look at how to deal with credential leaks from detection through closing the final ticket the incident generated. We will cover topics ranging from validating secrets and scoping impact, to assembling the right players, to offloading tribal knowledge with tools like notebooks and playbooks. We will also take a look at how to prevent future leaks with some open source tools and non-intrusive workflow adjustments.

Security Does Not Need To Be Fun: Ignoring OWASP To Have A Terrible Time

When you think about application security, I bet you think of fun times with friends and relaxing weekends at home. Like any other elite DevOps professional, you spend your time figuring out complex business problems and delighting customers with new functionality, not digging through incident reports and mitigating security issues. You learned early on that relying on the standards set by OWASP and baking security into every step of the SDLC not only made DevSecOps inexpensive and easy to deal with but also bought peace of mind from the whole team, who can now spend more time in a conga line instead of the issue queues.

Wait, what? Does that not sound like you, or does it sound like some kind of pipe dream? That's most likely because you are thinking of security as a set of tools or a specific department, instead of embracing the principles of the Open Web Application Security Project, OWASP. Thousands of the leading minds in security have contributed a lot of time and effort to lay out easy-to-follow guidelines and checklists that you can follow to make security much more manageable.

Yes, security incidents happen to all of us from time to time. But following the best practices, gathered and learned by industry leaders, can help you have a much better time while achieving better security throughout your organization.

In this talk you will hear:
- Horror stories of security gone wrong
- Navigational advice for parsing the OWASP offerings
- Practical advice on how to test like a pro
- Some immediate action items which won't require any new tech investments to start down a better path

Scaling Security: What Shifting Left Was Supposed To Mean

"Shifting Left" has become an industry buzzword that, to some, means they will finally get the organization to take security and DevOps seriously. But unfortunately, not everyone sees eye to eye on this subject yet. For a lot of people on the left side of the equation such as developers and platform engineers, this can seem like an oncoming avalanche of standards, 40+ page PDFs, and requirements that come from teams that might have never actually talked to the end customer.

In the average organization, the size of the dev team is much larger than the security teams, sometimes by truly staggering amounts. Shifting Left can mean everyone works cohesively to make sure security is implemented, tested, monitored, and reported effectively. We will walk through some of the best practices toward this common goal being implemented and popularized right now, with the goal of revealing the single underlying truth that shifting left can be a very positive thing for everyone involved.

In this session we will walk through:
- A brief history of DevSecOps
- What sharing security responsibility was supposed to solve
- Where the disconnect is happening on most teams
- Approaches to better security throughout the SDLC with minimum disruptions

Stop Committing Your Secrets - Git Hooks To The Rescue!

No one wants their keys and secrets on GitHub, but one bad push can mean you are suddenly exposed. In the best-case scenario, you discover the issue and fix it before something bad happens, but in the worst case, you don't find out until it is far too late.

Most devs are familiar with using .gitignore files to prevent Git from tracking specific files and folders, but did you know that you can leverage Git hooks and some open source awesomeness to keep you from accidentally committing your secrets in the first place?

If you are not actively using Git hooks in your workflows, then this talk is for you. Let's look into the .git folder and unlock a whole world of automation possibilities!

While this talk is primarily aimed at junior devs who are still learning the ropes of security and repo hygiene, anyone who is using Git only at the surface level can benefit from a deeper dive into the possibilities Git can really offer.
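As an added example that is not part of the talk or the speaker's materials: a minimal POSIX sh pre-commit hook that scans only the added lines of the staged diff for a few constructed credential patterns and blocks the commit on a hit. The pattern list and the `scan_added_lines` function name are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the speaker's code: a minimal pre-commit hook that blocks a
# commit when the staged changes add lines that look like hardcoded credentials.
# Install by copying to .git/hooks/pre-commit and making it executable.
# The patterns below are a small constructed set for illustration, not a complete
# ruleset; a dedicated secrets scanner covers far more credential types.

# Credential shapes checked (constructed for this example):
#   - AWS access key IDs (AKIA + 16 uppercase alphanumerics)
#   - GitHub personal access tokens (ghp_ + 36 characters)
#   - PEM private key headers
#   - password/secret/api_key assignments with a quoted literal of 8+ characters
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(password|passwd|secret|api_key)[[:space:]]*[:=][[:space:]]*['\"][^'\"]{8,}['\"]"

# scan_added_lines: read a unified diff on stdin and inspect only added lines
# (leading '+', skipping the '+++' file header). Removed lines are ignored, so
# deleting a leaked value from a file does not trip the hook.
# Prints the offending lines to stderr and returns 1 on a hit, 0 when clean.
scan_added_lines() {
    hits=$(grep '^+' | grep -v '^+++' | grep -E -i "$SECRET_PATTERNS") || true
    if [ -n "$hits" ]; then
        printf 'pre-commit: possible hardcoded secret(s) in staged changes:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Only run the scan when Git invokes this file as a hook; sourcing the file
# elsewhere just defines the function so it can be reused or tested.
case "$0" in
    */hooks/pre-commit)
        # --unified=0 drops context lines, so only real additions are scanned.
        if ! git diff --cached --unified=0 --no-color | scan_added_lines; then
            echo "Commit blocked. Move the value to an environment variable or a secrets manager and re-stage." >&2
            exit 1
        fi
        ;;
esac
```

Because the hook only inspects added lines, the commit that removes a leaked value and replaces it with an environment lookup passes, while the original commit that introduced the literal would have been stopped.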

Demystifying Git - Version Control From First Principles

Git is the de facto standard version control system in use today. Every developer learns the basics of add, commit, branch, merge, pull, and push, and that is about all they learn about Git.

However, if you ask how Git actually works under the covers, most people will tell you they don't really know. Worse yet, when most developers see Git output messages like "detached HEAD state" or "CONFLICT (content): Merge conflict", they get a stress-induced panic.

This session will peel back the shroud of mystery that envelops Git, showing that there is nothing overly complex or terrifying about the inner workings of the world's most popular version control system. This talk is for everyone, from the complete Git novice to folks who have been pushing code for years but maybe have never stopped to look at how Git does its thing.

In this session we will cover:
- A tour of the .git folder
- Branches might not be what you think they are
- Rebase is your friend, I swear!
- How reflog can save the day
- The power of Git bisect
- And more...

This session is aimed at beginners and advanced Git users alike and is meant to remove the fear of Detached HEAD state and the other terrifying messages Git tends to present.

Developing For The Web Without Leaving The Browser

One of the most daunting parts of getting started as a developer is setting up your local dev environment. Sorting out all the needed parts can take hours or days, depending on the speed of your machine and the complexity of the project. For non-developers, the learning curve is terrifying and stops a lot of aspiring devs before they even have a chance to write HELLO WORLD.

Fortunately, as technology has shifted to the cloud, things have gotten a lot better! The need for a powerful processor and a ton of RAM is no longer an obstacle. On-demand pre-configured development environments are now a reality thanks to platforms like Gitpod, Microsoft's VS Code for the Web, and GitHub's CodeSpaces.

This shift in technology is enabling an entirely new generation of coders to learn and develop without needing to overcome the hurdles of buying and setting up a new dedicated machine. For enterprises with dozens or hundreds of developers, the potential upside to shifting to browser-based development is enormous and should not be ignored!

Walk away from this session with a better idea about:
- How traditional local dev environments are secretly draining your resources
- Overcoming onboarding dread
- The reality of no more underpowered local machines
- Why "it worked on my machine" will soon mean it worked in Dev and Production
- Making your own transition plan

This session will involve some live coding if possible. It can be shown in a video, but live coding drives the point home a bit more, so it needs a good internet connection.

PHP Tek 2025 Sessionize Event Upcoming

May 2025 Chicago, Illinois, United States

Devnexus 2025 Sessionize Event Upcoming

March 2025 Atlanta, Georgia, United States

CodeMash 2025 Sessionize Event

January 2025 Sandusky, Ohio, United States

Chattanooga DevOpsDays 2024 Sessionize Event

November 2024 Chattanooga, Tennessee, United States

AI Summit Vancouver Sessionize Event

November 2024 Vancouver, Canada

BSides Orlando 2024 Sessionize Event

October 2024 Orlando, Florida, United States

Agile + DevOpsDays Des Moines 2024 Sessionize Event

October 2024 Des Moines, Iowa, United States

DevSecCon 2024 : Developing AI Trust Sessionize Event

October 2024

Drupal GovCon 2024 Sessionize Event

August 2024 College Park, Maryland, United States

AppSec Village - DC32 Sessionize Event

August 2024 Las Vegas, Nevada, United States

Agile2024 Sessionize Event

July 2024 Dallas, Texas, United States

CloudNativeSecurityCon North America 2024 Sessionize Event

June 2024 Seattle, Washington, United States

BSides Boulder 2024 Sessionize Event

June 2024 Boulder, Colorado, United States

php[tek] 2024 Sessionize Event

April 2024 Chicago, Illinois, United States

Atlanta Cloud Conference 2024 Sessionize Event

March 2024 Marietta, Georgia, United States

Civo Navigate North America 2024 - Austin, TX Sessionize Event

February 2024 Austin, Texas, United States

HashiTalks: Deploy Sessionize Event

December 2023

Cloud With Chris Sessionize Event

December 2023

Live! 360 Orlando 2023 Sessionize Event

November 2023 Orlando, Florida, United States

TechBash 2023 Sessionize Event

November 2023 Mount Pocono, Pennsylvania, United States

2023 All Day DevOps Sessionize Event

October 2023

API World 2023 Sessionize Event

October 2023 Santa Clara, California, United States

Momentum 2023 Sessionize Event

October 2023 Cincinnati, Ohio, United States

DevOpsDays DC 2023 Sessionize Event

September 2023 Washington, Washington, D.C., United States

dev up 2023 Sessionize Event

August 2023 St. Louis, Missouri, United States

DeveloperWeek CloudX 2023 Sessionize Event

August 2023 San Mateo, California, United States

DevOpsDays Seattle 2023 Sessionize Event

August 2023 Seattle, Washington, United States

SEI Secure Software by Design Sessionize Event

June 2023 Arlington, Virginia, United States

php[tek] 2023 Sessionize Event

May 2023 Chicago, Illinois, United States

HashiTalks: Secure Sessionize Event

May 2023

Nashville DevOpsDays 2023 Sessionize Event

April 2023 Nashville, Tennessee, United States

WeAreDevelopers Live 2023 (Season 5) Sessionize Event

April 2023

CloudConnect 2023 Sessionize Event

February 2023 Oakland, California, United States

BSides SLC Sessionize Event

December 2022 Sandy, Utah, United States

Devfest Florida 2022 Sessionize Event

December 2022 Miami, Florida, United States

HashiTalks: Deploy Sessionize Event

December 2022

Automation + DevOps Summit 2022 Sessionize Event

December 2022 Nashville, Tennessee, United States

Festive Tech Calendar 2022 Sessionize Event

December 2022

DeveloperWeek Enterprise 2022 Sessionize Event

November 2022

GitKon 2022

This unique virtual conference presented by GitKraken will bring together developers, technical teams, managers, executives and thought leaders, united by their passion for software development and team collaboration, which Git empowers.

Get ready for 3 days of lively, informative sessions:

2 days for developers and teams
1 day for dev team leads and tech executives

We’ll keep the sessions brief (think TikTok style) and the days short (we’re talking only 3 hours of your time each day), so you’ll walk away feeling educated, energized and inspired, rather than overloaded and burned out. Here’s the kicker: it’s 100% free!

Day 1 topics will be all about Git:

Git tips & tricks
Git internals & concepts
Git with services & frameworks

Day 2 will be about teams and DevOps:

Distributed team collaboration
DevOps/GitOps best practices
Security at every step
Program/platform specific talks

Day 3 topics will be presented by a variety of notable tech executives:

Lessons learned building/scaling efficient teams
Developer productivity & DORA metrics
Leading teams & promoting effective teamwork in chaotic times
Emerging trends

Apply to speak at https://gitkon.com/call-for-speakers/

October 2022

JConf.dev 2022 Sessionize Event

September 2022 Chicago, Illinois, United States

DevOpsDays Chicago 2022 Sessionize Event

September 2022 Chicago, Illinois, United States

RMISC 2022 Conference Sessionize Event

September 2022 Denver, Colorado, United States

JCON 2022 ONLINE (virtual) Sessionize Event

September 2022

WorldFestival 2022 Sessionize Event

August 2022

SQL Start! 2022 Sessionize Event

June 2022

Mautic Conference Global 2022 Sessionize Event

June 2022

Azure Spring Clean 2022 Sessionize Event

March 2022
