
Saturday, June 4
 

9:00am PDT

Breakfast
Sponsors

Saturday June 4, 2022 9:00am - 10:00am PDT
Participation Hall

9:00am PDT

Coffee
Sponsors
SweetPea

Coffee
Tailscale

Coffee


Saturday June 4, 2022 9:00am - 4:00pm PDT
Participation Hall

9:00am PDT

Capture the Flag
The CTF is back! As always, everyone is welcome to participate as the competition features a range of challenges at all difficulty levels. In case you find yourself in need of assistance, we have folks onsite who can provide hints and guidance. All that is needed to participate is a laptop.

The server is available all weekend long, and anyone is welcome to play. Server information is at https://bsidessf.org/ctf

At least one player must be onsite to claim any prizes won.

Sponsors
Google

Leading, CTF


Saturday June 4, 2022 9:00am - 5:00pm PDT
Embarcadero

9:00am PDT

Sponsors
Visit the sponsor booths that line the walls of the Participant Hall and learn more about the companies that have made this year’s event possible. You’ll be introduced to new products, services, and career opportunities. At each booth you can also obtain one of the stamps you need to complete your Sponsor Passport (which can be found in the bag you received at registration).

Saturday June 4, 2022 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Car Hacking Village
The Car Hacking Village is a place to connect and ask questions about car hacking as well as to learn about the tools and vehicle systems. When you're ready, join us in our CTF (all skill levels) to start hacking simulated vehicles.


Saturday June 4, 2022 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Crypto & Privacy Village
Crypto & Privacy Village helps bring cryptography & privacy knowledge to the hacker community.
Learn how to secure your own systems while also picking up some tips and tricks on how to break classical and modern encryption. The CPV features workshops and lightning talks on a wide range of crypto and privacy topics from experts. We’ll also have an intro to crypto talk for beginners, some crypto-related games, puzzles, and challenges.


Saturday June 4, 2022 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

IoT Village
IoT Village Hands-on Lab: Circumventing Security Controls in IoT Applications

Participate in a self-guided, hands-on lab focused on circumventing security controls found on common internet-connected devices. You will experience how newly discovered vulnerabilities were found, how they can be exploited, and how this could impact consumers.

Brought to you by ISE (Independent Security Evaluators) and IoT Village


Saturday June 4, 2022 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Lockpick Village
Lockpick Extreme and TOOOL SF are back once again hosting Lockpick Village. Learn to lockpick from the TOOOL SF volunteers or practice what you already know with their assortment of locks and picks. When you’re done, you can shop the Lockpick Extreme pop-up shop and take your new hobby home with you.


Saturday June 4, 2022 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Bar and Chill Out
Take a break from the day’s events with a stop at the Bar and Chill Out Space. Two complimentary drink tickets were provided to you at registration. We already paid for them, so please use them!

Sponsors

Saturday June 4, 2022 9:00am - 5:30pm PDT
Bar

9:00am PDT

Massage
Let your worries drift away with a complimentary chair massage. Please tip your massage therapist.


Saturday June 4, 2022 9:00am - 5:30pm PDT
Lobby

9:00am PDT

Registration
Saturday June 4, 2022 9:00am - 5:30pm PDT
AMC Mezzanine

9:00am PDT

Info Desk
Sponsors

Saturday June 4, 2022 9:00am - 6:30pm PDT
Lobby

9:00am PDT

Prayer & Mother's Room
Need a quiet place for meditation or mothering duties? Ask at the Info Desk, and we can guide you to a private location.

Saturday June 4, 2022 9:00am - 6:30pm PDT
Lobby

9:00am PDT

Coat Check
Sponsors

Saturday June 4, 2022 9:00am - 10:00pm PDT
Coat Check

10:00am PDT

Opening Remarks
Speakers
Reed Loden

Reed Loden is an information security expert, hacker, and developer. Reed worked to secure companies including HackerOne, Lookout Mobile Security, Palantir Technologies, and Mozilla, in addition to his many security consulting roles. He regularly presents on security best practices... Read More →


Saturday June 4, 2022 10:00am - 10:10am PDT
Embarcadero

10:00am PDT

Cryptography and Blockchain Security
Event locked in Sched to limit confusion; see registration to determine current session availability.
Registration at https://bsidessf.regfox.com/2022 REQUIRED (cannot be reserved with Sched)


Learn how blockchains, cryptocurrency, coin offerings, and smart contracts work in a series of challenges. We will also cover the underlying cryptography: hashes, symmetric encryption, and asymmetric encryption. We will configure wallets, servers, and vulnerable smart contracts, and exploit them.

We will configure systems using Bitcoin, Ethereum, Hyperledger, Multichain, Stellar, and more. We will perform exploits, including double-spend, reentrancy, integer underflow, and logic flaws.

No previous experience with coding or blockchains is required. The workshop is structured in a CTF format. Each participant works at their own pace. The techniques will be demonstrated with complete step-by-step instructions to lead beginners through the easy challenges. There are also harder challenges for more experienced participants. We will help participants as needed to ensure that everyone learns new techniques.

Participants will need a computer with a web browser and either the capability to run virtual machines locally or a credit card and a few dollars to rent cloud servers.

Speakers
Sam Bowne

Professor, City College San Francisco
Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on training at DEF CON, DEF CON China, Black Hat USA, HOPE, BSidesSF, BSidesLV, RSA, and many other conferences and colleges.


Saturday June 4, 2022 10:00am - 12:30pm PDT
Theater 11

10:00am PDT

Finding Bugs and Scaling Your Security Program with Semgrep
Event locked in Sched to limit confusion; see registration to determine current session availability.
Registration at https://bsidessf.regfox.com/2022 REQUIRED (cannot be reserved with Sched)


Between Agile, DevOps, and infrastructure as code, development is happening faster than ever. As a security team, it can be tough to keep up.

This workshop will be a hands-on masterclass of using Semgrep (https://github.com/returntocorp/semgrep), an open source, lightweight static analysis tool, to do just that.

We’ll cover:
* How to use Semgrep to start getting security coverage of all of your repos continuously in CI in minutes
* Best practices in rolling out continuous code scanning -- what to focus on, what to ignore, and how to maintain good working relationships with development teams
* How to use this scanning to enforce secure defaults across your org
* How to write custom Semgrep rules -- find anti-patterns and enforce security best practices unique to your organization
* Advanced mode: We’ll also show how Semgrep can be used like a Swiss army knife for a variety of purposes -- alerting you whenever a new route is added (new attack surface), when new dependencies are added or Dockerfiles are modified (detect potential supply chain risk), or when generally sensitive files are modified, such as core authorization logic or secret management

You’ll leave this workshop with knowledge and skills you can immediately put into practice. For internal security engineers, you’ll have new capabilities for scaling your company’s security. For pen testers and offense-focused security professionals, we’ll up your bug finding game to a new level.

Prerequisites:
* You should be familiar with reading and writing code in at least one programming language
* Bring a laptop with a web browser, IDE, git, and the ability to install CLI tools
* Familiarity with common vulnerability classes (e.g. the OWASP Top 10) will be helpful but is not required

Speakers
Clint Gibler

r2c
Clint Gibler (@clintgibler) is the Head of Security Research for r2c, a startup working on giving security tools directly to developers. Previously, Clint was a Research Director at NCC Group, where he helped companies implement security automation and DevSecOps best practices and... Read More →


Saturday June 4, 2022 10:00am - 12:30pm PDT
Theater 15

10:10am PDT

Keynote: We Need More Mediocre Security Engineers
The field of information security remains one of the most isolated - and at times, elitist - bastions in tech. We self-impose the highest cost of entry - be extraordinary or get out. Year over year the demand for security expertise and employees only increases, but our numbers don’t grow to match, and we’re burning out. It’s time to rethink how we talk about what we do, and how we invite others to join our ranks - and convince them to stay.

Speakers
Jackie Bow

Asana
A Jackie-of-all-trades (master of none), Jackie has spent time in roles such as malware analyst, reverse engineer, security engineer, and head of security at places like Facebook, Patreon and the US government. These days she can be found scaling security teams, coaching, and thinking... Read More →


Saturday June 4, 2022 10:10am - 11:00am PDT
Embarcadero

11:00am PDT

T-Shirt Sales
Saturday June 4, 2022 11:00am - 9:00pm PDT
Coat Check

11:05am PDT

WireGuard from the ground up
What is WireGuard, how does it work, and when should you use it? Simply put, WireGuard offers end-to-end encryption of traffic between two endpoints. We’ll cover WireGuard's implementation, protocol, and cryptography and compare it to IPsec, ngrok, and OpenVPN in terms of security and performance.

Speakers
Maya Kaczorowski

Product Manager, Software Supply Chain Security, Tailscale
Maya is a Product Manager at Tailscale, providing secure networking for the long tail. She was most recently at GitHub in software supply chain security, and previously at Google working on container security, encryption at rest and encryption key management. Prior to Google, she... Read More →
David Crawshaw

Crawshaw likes writing computer programs and accidentally turned it into a career, a decision he works every day to not regret. He’s not a cryptographer or a security person, but he likes maths and thinks elliptic curves are pretty neat and/or infuriating. Worked at Google for a... Read More →


Saturday June 4, 2022 11:05am - 11:30am PDT
Theater 14

11:10am PDT

An Unlikely Friendship: Why Security Engineers and Product Managers Should Be Working Together
Have you had trouble getting security features prioritized by product teams? Learn to expand your technical toolkit by harnessing the power of product managers to evangelize a security-focused roadmap, accelerate your team’s vision and growth, and unlock revenue from security-conscious customers.

Speakers
Leif Dreizler

Engineering Manager, Security Features, Segment
Leif Dreizler is an information security professional with almost a decade of experience. Leif joined Segment (now part of Twilio) in 2017 and currently manages a team of Software Engineers focused on building security features. Leif joined as an early member of the security team... Read More →
Rachel Landers

Twilio Segment
Rachel Landers is a Product Manager based in San Francisco, CA. Rachel joined Segment (now part of Twilio) in 2019, in which time she has led the product strategy for Enterprise growth and CX at Segment. Rachel’s product focus at Segment leans heavily into product security best... Read More →


Saturday June 4, 2022 11:10am - 12:00pm PDT
Embarcadero

11:35am PDT

Detection-as-code: Why it works and where to start
Detection-as-code principles allow detection and response teams to operate with the efficiency of software engineering teams. By embracing these principles, D&R teams can unlock the benefits of version control, test-driven development, code reuse, and CI/CD automated workflows.

Speakers
Kyle Bailey

Panther Labs
I am passionate about all things threat detection. I spent 5 years managing operations for CYBERCOM, and the last 5 years doing detection and response in the tech industry, most recently building and managing the Detection Engineering & Red Team at Box. I currently break things at Panther... Read More →


Saturday June 4, 2022 11:35am - 12:00pm PDT
Theater 14

12:00pm PDT

Lunch
Saturday June 4, 2022 12:00pm - 1:30pm PDT
Participation Hall

12:30pm PDT

Sponsor Raffle
Complete your Sponsor Passport (which can be found in the bag you received at registration). Drop your completed card into the Sponsor Passport raffle box located within Twin Peaks to be entered into the raffle. Winners will be announced at 12:30pm each day (must be present to win).

Saturday June 4, 2022 12:30pm - 1:00pm PDT
Participation Hall

1:00pm PDT

Mobile Application Security
Event locked in Sched to limit confusion; see registration to determine current session availability.
Registration at https://bsidessf.regfox.com/2022 REQUIRED (cannot be reserved with Sched)


From smartphones to tablets to watches, users are relying more and more on the convenience of mobile technology. Organizations must meet this growing trend with greater security measures to support critical business functions and protect sensitive data on enterprise devices. Mobile architectures, applications, networks and services must all be developed and managed in compliance with the oversight of a strong IT workforce.

This course provides an in-depth technical overview of the security features and limitations of modern mobile operating systems, including the top risks and vulnerabilities every IT professional needs to know.

What you will learn:
* Mobile application security measures
* Models to develop and secure Android applications
* Security detection and measures in iOS
* Trends in mobile device management (MDM)

Speakers
Himanshu Dwivedi

Co-Founder and Chief Executive Officer, Data Theorem, Inc
Himanshu Dwivedi is the CEO of Data Theorem, Inc., an application security company focusing on API Security (RESTful & GraphQL), mobile apps (iOS & Android), Cloud Apps (Serverless), and Single Page WebApps (SPAs). Himanshu has been an avid start-up entrepreneur since 1999, where he... Read More →


Saturday June 4, 2022 1:00pm - 3:30pm PDT
Theater 15

1:00pm PDT

Introduction to Cryptographic Attacks
Event locked in Sched to limit confusion; see registration to determine current session availability.
Registration at https://bsidessf.regfox.com/2022 REQUIRED (cannot be reserved with Sched)


Using cryptography is often a subtle practice, and mistakes can result in significant vulnerabilities. This workshop will cover many of these vulnerabilities, which have shown up in the real world, including CVE-2020-0601. This will be a hands-on workshop in which you will implement each attack after it is explained. You will be provided with a VM with Python dependencies and skeleton code included so you can focus on implementing the attack. A good way to determine whether this workshop is for you is to look at the challenges at cryptopals.com and see if they look interesting but you could use in-person help understanding the attacks. While not a strict subset of those challenges, there is significant overlap. Comfort with math and a programming language like Python will be required to get the most out of the workshop.

Speakers
Matt Cheung

Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on implementing a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Unfortunately, implementation weaknesses were not... Read More →


Saturday June 4, 2022 1:00pm - 6:00pm PDT
Theater 11

1:30pm PDT

Go With The (Work)flow
An eye-opening look into the world of cloud workflow management platforms and their security risks. This talk will unveil research into the world of misconfigurations, mountains of credentials, sensitive data leakage, insecure coding, and containerized malware.

Speakers
Ryan Robinson

Intezer
Ryan Robinson is a security researcher for Intezer. He specializes in malware reverse engineering and threat intelligence. In previous roles, Ryan has worked as a Security Engineer securing cloud applications and as an analyst in Anomali's Threat Research team.
Nicole Fishbein

Intezer
Nicole Fishbein is a security researcher and malware analyst. Nicole has been part of research that led to discovery of phishing campaigns, undetected malware and attacks on Linux-based cloud environments. Prior to Intezer she was an embedded researcher in the Israel Defense Forces... Read More →


Saturday June 4, 2022 1:30pm - 1:55pm PDT
Theater 14

1:30pm PDT

Embracing Risk Responsibly: Moving beyond inflexible SLAs and exception hell by treating security vulnerabilities and risk like actual debt
At Segment, we were sick of having breached SLAs; we were tired of a junk drawer of exceptions that continued to grow without bound. Two years ago we decided to move beyond inflexible SLAs and permanent exceptions to enable our business to “Embrace Risk Responsibly” by treating vulnerabilities like debt.

Speakers
Eric Ellett

Segment
I have been at Segment since 2018, where I built out their application, cloud, and product security program, and I am now the Senior Director of R&D Security within Twilio. I've been heavily focused on building innovative security programs with a heavy emphasis on engineering principles and... Read More →


Saturday June 4, 2022 1:30pm - 2:20pm PDT
Embarcadero

2:00pm PDT

Let's have fun and fix security awareness training!
Hackers! Brute-force attacks! Nation-state surveillance! We think this is exciting, but instead of sharing that passion about infosec with our co-workers, we force them to take the most boring security awareness training ever. Why?? Let's fix that right now and have a little fun in the process.

Speakers
Marisa Fagan

Head of Trust Culture, Atlassian
Marisa Fagan is the Head of Trust Culture and Training at Atlassian. She ensures that every Atlassian employee is empowered to work securely and to protect our customers. Previously, she has worked as a security culture expert at places like Synopsys, Salesforce, Facebook, and Bugcrowd... Read More →


Saturday June 4, 2022 2:00pm - 2:25pm PDT
Theater 14

2:30pm PDT

Got popcorn? What’s on the Vuln Channel tonight?
Developers need fast, automated code scanning and timely information about potential vulnerabilities. Our vision is that receiving vulnerability data should be as simple as streaming the latest episode of your favorite TV series! In this talk, we describe the platform we built to enable our vision.

Speakers
Rob Jerdonek

Application Security Engineer, Roku, Inc.
I have more than 10 years of experience building product security programs and tools at companies of all sizes. I have an M.S.E. in Computer Science and Engineering from the U. of Michigan, Ann Arbor. After working in the security field for many years, I have a goal of doing more to... Read More →
Lily Chau

Lily Chau is a little blob, inhaling copious amounts of food and is often seen riding a warp star. Lily is a silent spirit using lots of grunts, shouts and cheery elongated mono-syllables. Lily was previously known as a platypus caretaker.


Saturday June 4, 2022 2:30pm - 2:55pm PDT
Theater 14

2:30pm PDT

Buying Security: A Client's Guide
You can’t buy security, but vendors play a key role in effective security programs. This talk will provide a comprehensive guide to buying and getting value, based on experiences on both sides of the marketplace, a comprehensive literature review, and a survey of clients and vendors of all stripes.

Speakers
Rami McCarthy

Staff Security Engineer, Cedar
Rami McCarthy is a Staff Security Engineer and reformed Security Consultant. He currently works at Cedar, helping scale up security for a health-tech unicorn. Before that, he spent three years performing security assessments of all kinds at NCC Group. Rami is the creator of sadcloud... Read More →


Saturday June 4, 2022 2:30pm - 3:20pm PDT
Embarcadero

3:00pm PDT

The elusive promise of frictionless authentication
New technology like WebAuthn is challenging the premise that we have to choose between more friction or more security for authenticating users. This talk will explore the benefits and drawbacks of frictionless authentication options like biometrics, contextual data, or using devices as secure keys.

Speakers
Kelley Robinson

Security Developer Advocate, Twilio
Kelley works on the Account Security team at Twilio, helping developers manage and secure customer identity in their software applications. Previously she worked in a variety of infrastructure and data engineering roles at startups. She believes in making technical concepts, especially... Read More →


Saturday June 4, 2022 3:00pm - 3:25pm PDT
Theater 14

3:30pm PDT

Emerging Best Practices in Software Supply Chain Security: What We Can Learn from Google, the White House, OWASP, and Gartner
Attackers are taking advantage of insecure software deployment pipelines; the White House, OWASP, Google, and others have released guidelines on best practices in response. We will break down the key takeaways and compile a list of best practices for mitigating software supply chain security risk.

Speakers
Tony Loehr

Cycode
Tony Loehr is the Developer Advocate for Cycode. Their prerogative is to make it easy for developers to use the Cycode platform, and to help protect data through knowledge sharing. They have professional experience with engineering, marketing, and sales and bring a unique perspective... Read More →


Saturday June 4, 2022 3:30pm - 3:55pm PDT
Theater 14

3:30pm PDT

Redefining Threat Modeling: Security team goes on vacation
Threat modeling is an important part of a security program, but as companies grow you will have to choose which features to threat model or become a bottleneck.
What if I told you that you can have your cake and eat it too? It is possible to scale your program and deliver higher quality threat models.

Speakers
Jeevan Singh

Twilio Inc
Jeevan Singh is a Security Engineering Manager for Twilio, where he is embedding security into all aspects of the software development process. Jeevan enjoys building security culture within organizations and educating staff on security best practices. Jeevan is responsible for a... Read More →


Saturday June 4, 2022 3:30pm - 4:20pm PDT
Embarcadero

4:00pm PDT

Abusing The Replicator: Exfiltrating Data with the AWS S3 Replication Service
Would you be able to distinguish between malicious data exfiltration and legitimate backup activities in AWS?
In this talk I will demonstrate how an attacker can abuse S3 Replication to efficiently migrate your data out of your environment all while blending into authorized replication traffic.

Speakers
Kat Traxler

Vectra AI
Kat Traxler is a Senior Security Researcher with Vectra AI focusing on threat detection in AWS and GCP. Her areas of research reflect her obsession with the attack surface that lies at the confluence of Identity and Cloud. Prior to her current role, she worked in various stages... Read More →


Saturday June 4, 2022 4:00pm - 4:25pm PDT
Theater 15

4:00pm PDT

Avoiding insidious points of compromise in infrastructure access systems
Listen to war stories and learn how to build secure infrastructure access systems! We chat about five classic incidents: FluffyBunny (2001), Operation Aurora (2009), DigiNotar (2011), NotPetya (2017), SolarWinds (2020) and why they suggest the industry definition of "zero-trust" is basically wrong.

Speakers
Sharon Goldberg

BastionZero
Sharon Goldberg is the CEO/Co-Founder of BastionZero, a startup that is reimagining the tools that engineers use to secure remote access to infrastructure. She is also a tenured professor in the Computer Science Department at Boston University. Her research focuses on infrastructure... Read More →


Saturday June 4, 2022 4:00pm - 4:25pm PDT
Theater 14

4:30pm PDT

Read the Fantastic Manual: Writing Security Docs People Will Actually Read
RTFM: a demand that’s rarely useful for people who need information. How do we know docs are the solution? How can security pros write effectively for those who aren’t? And how can we know if our docs work at all? In this talk, we’ll cover IDing needs, strategic and iterative doc creation, and measuring success.

Speakers
Breanne Boland

Application security engineer, Gusto
Breanne Boland is a product security engineer with the Security Partnerships team at Gusto. Before moving into security, she was a site reliability engineer and an infrastructure engineer who did work in healthcare and govtech. Prior to that, she was a professional writer, and she... Read More →


Saturday June 4, 2022 4:30pm - 4:55pm PDT
Theater 15

4:30pm PDT

Achieving the Web Isolation Nirvana - How far along are we?
Security isolation improves the resilience of applications against attacks. This is especially true when untrusted or third party code is included. This talk provides a deep dive on browser isolation mechanisms, their efficacy, current challenges and insights on where Web Isolation needs to go next.

Speakers
Pedro Fortuna

Jscrambler
Once on a trajectory to a full academic career, in which he taught security and computer science courses for about 5 years, he ended up falling in love with the fast-paced world of entrepreneurship. He started Jscrambler, where he leads all security research and drives the company product... Read More →
Jasvir Nagra

None, Technical Advisor to Jscrambler
Jasvir Nagra is widely recognized as a thought leader in software protection. He is co-author of Surreptitious Software, the definitive textbook on software protection, and an early researcher in obfuscation, software watermarking, and fingerprinting. With more than 12 years of experience... Read More →


Saturday June 4, 2022 4:30pm - 5:20pm PDT
Embarcadero

4:30pm PDT

Red Teaming macOS Environments with Hermes the Swift Messenger
This talk will dive into the development of a new Swift implant, Hermes, targeting macOS. Hermes hooks into Cody Thomas' Mythic framework, which serves as the C2 controller. We will dive into the internals and capability of the implant as well as ways it can be detected with Apple's ESF.

Speakers
Justin Bui

Zoom
Justin Bui is a red teamer at Zoom and was previously a red team consultant at SpecterOps. He is passionate about all things security and helping organizations improve their security posture. Justin enjoys writing code and developing offensive tools, particularly around Windows/macOS... Read More →


Saturday June 4, 2022 4:30pm - 5:20pm PDT
Theater 14

5:30pm PDT

Happy Hour
Once the last talks of the day are done, join us in the Bar and Chill Out Space to celebrate a successful day one of the event!

Sponsors
Pentera

Happy Hour
Vectra AI

Happy Hour


Saturday June 4, 2022 5:30pm - 6:30pm PDT
Bar

6:30pm PDT

Party
Don't miss out on an awesome party!

Sponsors
Intezer

Supporting, Party


Saturday June 4, 2022 6:30pm - 9:30pm PDT
Embarcadero
 
Sunday, June 5
 

9:00am PDT

Breakfast
Sponsors

Sunday June 5, 2022 9:00am - 10:00am PDT
Participation Hall

9:00am PDT

Coffee
Sponsors
SweetPea

Coffee
Tailscale

Coffee


Sunday June 5, 2022 9:00am - 4:00pm PDT
Participation Hall

9:00am PDT

Capture the Flag
The CTF is back! As always, everyone is welcome to participate as the competition features a range of challenges at all difficulty levels. In case you find yourself in need of assistance, we have folks onsite who can provide hints and guidance. All that is needed to participate is a laptop.

The server is available all weekend long, and anyone is welcome to play. Server information is at https://bsidessf.org/ctf

At least one player must be onsite to claim any prizes won.

Sponsors
Google

Leading, CTF


Sunday June 5, 2022 9:00am - 5:00pm PDT
Embarcadero

9:00am PDT

Info Desk
Sponsors

Sunday June 5, 2022 9:00am - 5:00pm PDT
Lobby

9:00am PDT

Prayer & Mother's Room
Need a quiet place for meditation or mothering duties? Ask at the Info Desk, and we can guide you to a private location.

Sunday June 5, 2022 9:00am - 5:00pm PDT
Lobby

9:00am PDT

Registration
Sunday June 5, 2022 9:00am - 5:00pm PDT
AMC Mezzanine

9:00am PDT

Sponsors
Visit the sponsor booths that line the walls of the Participant Hall and learn more about the companies that have made this year’s event possible. You’ll be introduced to new products, services, and career opportunities. At each booth you can also obtain one of the stamps you need to complete your Sponsor Passport (which can be found in the bag you received at registration).

Sunday June 5, 2022 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Car Hacking Village
The Car Hacking Village is a place to connect and ask questions about car hacking as well as to learn about the tools and vehicle systems. When you're ready, join us in our CTF (all skill levels) to start hacking simulated vehicles.


Sunday June 5, 2022 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Crypto & Privacy Village
Crypto & Privacy Village helps bring cryptography & privacy knowledge to the hacker community.
Learn how to secure your own systems while also picking up some tips and tricks on how to break classical and modern encryption. The CPV features workshops and lightning talks on a wide range of crypto and privacy topics from experts. We’ll also have an intro to crypto talk for beginners, some crypto-related games, puzzles, and challenges.


Sunday June 5, 2022 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

IoT Village
IoT Village Hands-on Lab: Circumventing Security Controls in IoT Applications

Participate in a self-guided, hands-on lab focused on circumventing security controls found on common internet-connected devices. You will experience how newly discovered vulnerabilities were found, how they can be exploited, and how this could impact consumers.

Brought to you by ISE (Independent Security Evaluators) and IoT Village


Sunday June 5, 2022 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Lockpick Village
Lockpick Extreme and TOOOL SF are back once again hosting Lockpick Village. Learn to lockpick from the TOOOL SF volunteers or practice what you already know with their assortment of locks and picks. When you’re done, you can shop the Lockpick Extreme pop-up shop and take your new hobby home with you.


Sunday June 5, 2022 9:00am - 5:00pm PDT
Participation Hall

9:00am PDT

Bar and Chill Out
Take a break from the day’s events with a stop at the Bar and Chill Out Space. Two complimentary drink tickets were provided to you at registration. We already paid for them, so please use them!

Sponsors

Sunday June 5, 2022 9:00am - 5:30pm PDT
Bar

9:00am PDT

Massage
Let your worries drift away with a complimentary chair massage. Please tip your massage therapist.


Sunday June 5, 2022 9:00am - 5:30pm PDT
Lobby

9:00am PDT

T-Shirt Sales
Sunday June 5, 2022 9:00am - 5:30pm PDT
Coat Check

9:00am PDT

Coat Check
Sponsors

Sunday June 5, 2022 9:00am - 7:00pm PDT
Coat Check

10:00am PDT

Opening Remarks
Speakers
Reed Loden

Reed Loden is an information security expert, hacker, and developer. Reed worked to secure companies including HackerOne, Lookout Mobile Security, Palantir Technologies, and Mozilla, in addition to his many security consulting roles. He regularly presents on security best practices...


Sunday June 5, 2022 10:00am - 10:10am PDT
Embarcadero

10:10am PDT

Keynote
Sunday June 5, 2022 10:10am - 11:00am PDT
Embarcadero

11:05am PDT

Exposed secrets - How public git repositories and docker images expose millions of secrets like API keys and security certificates every year
Secrets like API keys are sprawling through the internet at an alarming rate. In 2020, we conducted a research project that uncovered two million leaked secrets. This talk outlines the 2021 results and reveals how secrets end up exposed in public git repos, docker images and packages.

Speakers
Mackenzie Jackson

Developer Advocate, GitGuardian
Mackenzie is a developer advocate with a passion for DevOps and code security. As the co-founder and former CTO of a health tech startup, he learnt first-hand how critical it is to build secure applications with robust developer operations. Today as the Developer Advocate at GitGuardian...


Sunday June 5, 2022 11:05am - 11:30am PDT
Theater 14

11:10am PDT

Achieving HITRUST on a Budget
HITRUST is the most sought-after certification among healthcare organizations, but the resources and time required are daunting. On average, HITRUST certification costs more than $300K and takes 22 months. Ginger took a different approach and passed the HITRUST assessment for less than $100K in 11 months.

Speakers
Shobhit Mehta

Ginger (Headspace Health)
Shobhit is a Security & Compliance Lead at Ginger (Headspace Health), an on-demand mental-health company in San Francisco, CA. Prior to Ginger, he worked for 10+ years in different facets of Governance, Risk, & Compliance with companies like HSBC, Deutsche Bank, Credit Suisse, PayPal...


Sunday June 5, 2022 11:10am - 12:00pm PDT
Theater 15

11:10am PDT

Lessons Learned: Crash Course in ISMS Implementation
Ever wonder how you will get through an ISMS implementation? What you should do to prepare for implementation? Or have you struggled to find useful resources on what to do? Well, this is the talk for you. Perfect for all audiences: C-level, GRC, tech, and individual contributors.

Speakers
Rose Songer

Seiso, LLC
Rose is a Governance, Risk, and Compliance (GRC) Manager with Seiso, LLC. Within her role at Seiso, she oversees all GRC services including execution teams and service delivery. She has spent the last 2 ½ years developing, maturing, and streamlining GRC services to deliver value...


Sunday June 5, 2022 11:10am - 12:00pm PDT
Embarcadero

11:10am PDT

Threat hunting: Using MITRE ATT&CK against Carbanak malware
This talk demonstrates the MITRE ATT&CK Framework in action for threat hunting, using the example of the 'Carbanak' backdoor, which was designed specifically to target banking applications.

Speakers
Amol Sarwate

VP of Threat Research, Fidelis Cybersecurity
Amol Sarwate heads the Fidelis and CloudPassage worldwide threat and security research lab, responsible for Network, Endpoint and Cloud. He has devoted his career to protecting, securing, and educating the community about security threats. Sarwate has presented his research on cloud security...


Sunday June 5, 2022 11:10am - 12:00pm PDT
Theater 11

11:35am PDT

The power of guardrails: How to slash your risk of XSS in half
Why do the same security bugs keep popping up repeatedly, those we all know from the OWASP Top 10? We believe the future of security lies in eliminating vulnerabilities by using secure code defaults and present a study showing that secure defaults can significantly raise a company’s security bar.

Speakers
Colleen Dai

r2c
Colleen Dai is a security software engineer at r2c, a startup working on building static analysis tools that focus on precision and being custom-fit to the consumer. At r2c, Colleen has worked on language parsing along with AST matching. She is also writing rules and performing research...
Grayson Hardaway

r2c
Grayson Hardaway is a security researcher at r2c, a startup working on static analysis tools purpose-built for the modern workflow. At r2c, Grayson authors static analysis tailored for finding security vulnerabilities in open source code. Previously, Grayson worked for the US Department...


Sunday June 5, 2022 11:35am - 12:00pm PDT
Theater 14

12:00pm PDT

Lunch
Sunday June 5, 2022 12:00pm - 1:30pm PDT
Participation Hall

12:30pm PDT

Sponsor Raffle
Complete your Sponsor Passport (which can be found in the bag you received at registration). Drop your completed card into the Sponsor Passport raffle box located within Twin Peaks to be entered into the raffle. Winners will be announced at 12:30pm each day (must be present to win).

Sunday June 5, 2022 12:30pm - 1:00pm PDT
Participation Hall

1:30pm PDT

Don't turn your back on Ransomware!
Ransomware is on the loose and attacking us all! Learn and sharpen your blades in order to defend against this multi-headed monster!

Speakers
Erik Heskes

Lemonshark
Security Consultant with a technical background. Handled security topics like SIEM/SOC, purple teaming, pentesting and compliance, mostly within financial institutions. Next to my day job as a consultant I am also a musician and I like to ride my motorcycle from time to time. Certifications...


Sunday June 5, 2022 1:30pm - 1:55pm PDT
Theater 15

1:30pm PDT

Metabadger: Automating IMDS Protection at Scale in AWS
Metabadger is an open source tool that we built at Salesforce that can help you rapidly and safely upgrade your EC2 instances to use IMDSv2 and prevent SSRF-based theft of EC2 Metadata Credentials. In this talk, we'll walk through how we approached and automated this problem to prevent IMDS abuse.

Speakers
Ashish Patel

Product Security Engineer, Salesforce
Ashish is currently a Product Security Engineer at Salesforce. He enjoys automating manual security hardening and letting the robots do the work for you. You'll often find him working on the challenges we come across in the cloud, application, and infrastructure security space. In...


Sunday June 5, 2022 1:30pm - 1:55pm PDT
Theater 11

1:30pm PDT

Rise of the Vermilion: Cross-Platform Cobalt Strike Beacon Targeting Linux and Windows
This talk is about the first publicly documented cross-platform Cobalt Strike re-implementation active in real-world attacks. Because Cobalt Strike is a red team tool heavily used by threat actors, Vermilion Strike is among the key recent discoveries in the malware research world.

Speakers
Avigayil Mechtinger

Intezer
Avigayil is a security researcher at Intezer specializing in malware analysis and threat hunting. During her time at Intezer, she has uncovered and documented different malware targeting both Linux and Windows platforms. As part of her ongoing work she has initiated the ELF Malware...
Ryan Robinson

Intezer
Ryan Robinson is a security researcher for Intezer. He specializes in malware reverse engineering and threat intelligence. In previous roles, Ryan has worked as a Security Engineer securing cloud applications and as an analyst in Anomali's Threat Research team.


Sunday June 5, 2022 1:30pm - 1:55pm PDT
Theater 14

1:30pm PDT

Hook, Line and Sinker - Pillaging API Webhooks
Webhooks are an important part of modern web services. In this talk, I will demonstrate “Webhook Boomerang flaws,” a unique set of attack vectors that allows us to perform SSRF against webhooks leading to cloud-credential compromise even with security protections like Metadata Headers.

Speakers
Abhay Bhargav

we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company, and the Chief Research Officer of AppSecEngineer, an elite, hands-on online training platform for AppSec, Cloud-Native Security, Kubernetes Security and DevSecOps. Abhay started his career as a breaker...


Sunday June 5, 2022 1:30pm - 2:20pm PDT
Embarcadero

2:00pm PDT

Gray Cover: The dangers of cloud shells
A malicious insider or attacker can abuse the Google Cloud Shell service to exfiltrate data and evade detection. All of your G Suite/GCP users have access to it by default, and it is very difficult to detect. With limited detection options, we’ll cover the attack and how to mitigate the risk.

Speakers
Colin Estep

Netskope
Colin Estep is currently a threat researcher at Netskope focused on AWS and GCP. Colin was previously the CSO at Sift Security (acquired by Netskope), where he helped move the product into breach detection for IaaS. He was a senior engineer on the security teams at Netflix and Apple...


Sunday June 5, 2022 2:00pm - 2:25pm PDT
Theater 14

2:00pm PDT

Securing Internal Applications @ Loom
'A chain is only as strong as its weakest link' is a common security paradigm that we believe in at Loom. Following that belief, we decided to take a security-first approach to improving the security posture of our internal applications, which are used widely for administrative purposes.

Speakers
Narayan Gowraj

Security Engineer, Loom
Loom is a Series C startup and an essential tool for the hybrid workplace. Narayan Gowraj is a Security Engineer at Loom where he has been leading and pioneering security initiatives. Narayan has also been actively working on developing hands-on security techniques with product teams...


Sunday June 5, 2022 2:00pm - 2:25pm PDT
Theater 15

2:00pm PDT

Practical Threat Hunting With Machine Learning
Machine learning, while being one of the most hyped and anticipated technology paradigm shifts, has yet to be widely applied to threat hunting and detection. This talk covers two years of work on machine learning models for threat detection. Case studies will include numerous high-value detections.

Speakers
Craig Chamberlain

Founder, Elastic
Craig has seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion, C-beams glittering in the dark near the Tannhäuser Gate. Craig is a longtime security researcher who has been to the places and done the kinds of things you would expect, most of which...


Sunday June 5, 2022 2:00pm - 2:50pm PDT
Theater 11

2:30pm PDT

Wins and Learns from the Integration of reCAPTCHA at Pinterest
We'd like to share our experiences in integrating reCAPTCHA at a large scale across multiple client platforms, especially the wins and learnings, to help the community better understand and defend against the evolving threats from automated attacks.

Speakers
Yuru Shao

Pinterest
I have been working on Product Security at Pinterest since 2019. Before joining Pinterest I earned my PhD in Computer Science and Engineering from the University of Michigan, Ann Arbor.


Sunday June 5, 2022 2:30pm - 2:55pm PDT
Theater 15

2:30pm PDT

Hacker TikTok: Community, Creativity, and Controversy
As TikTok surges in popularity, did you know there are security-focused creators on TikTok bringing awareness, humor, and community to an audience hungry to learn about being a hacker? Join our panelists as they discuss their successes and challenges exploring a new frontier in security awareness.

Moderators
Kyle Tobener

Copado
Kyle Tobener is a VP and Head of Security for the DevOps startup Copado. He began his professional career as a zoologist but fled the jungle to return to San Francisco and focus on tech. He loves application security, third party risk management, and building security programs from...

Speakers
MakeItHackin

MakeItHackin
MakeItHackin began creating content during the pandemic and became the face of the “Tell Me You’re a Hacker” trend on TikTok. His research covers anti-theft devices, license plate camera blockers, circuit board fabrication, and other nerdy projects. When not producing videos...
shenetworks

Serena is a Network Engineer who specializes in Data Center Compute and Virtualization. She has degrees in Computer Information Systems with a concentration on networking and information security and is currently pursuing a master’s in Data Center Systems Engineering. She is most...
Kylie Robison

Business Insider
I'm an enterprise technology reporter covering developers for Business Insider.


Sunday June 5, 2022 2:30pm - 3:20pm PDT
Theater 14

2:30pm PDT

How to Fake Friends and Find People: A Build-A-Buddy case study
Join us, two prior Special Operations cyber operators, as we share our case study on Operational Security revolving around recent crowdsourced ad-hoc OSINT/Humanitarian missions and how to properly isolate your true identity from your temporary operational online persona.

Speakers
Dahvid Schloss

Echelon Cyber + Risk
Dahvid is the Offensive Security Lead at Echelon Cyber + Risk. As an experienced professional with over 10 years of cyber-attack and defense experience, Dahvid has previously worked as a Red Team Operator with a Big 4 consulting firm leading and conducting Adversarial Emulation exercises...
Alex Dodd

Attack Research, LLC
Alex is a Penetration Tester and Project Lead with Attack Research, LLC. From software testing to network engineering and IT management to cyber security, Alex has been involved in many levels of cyber security. He also has comprehensive experience in the behaviors, patterns, and...


Sunday June 5, 2022 2:30pm - 3:20pm PDT
Embarcadero

3:00pm PDT

Burnout: The Weakness to your Security Plan
This talk dives into the factors that lead to burnout among security professionals, the clear line between burnout and failure to retain team members, and how to invest in your team to make sure your team is able to thrive during stressful times.

Speakers
Chloé Messdaghi

Cofounder, We Open Tech
Chloé Messdaghi is a changemaker who focuses on innovating the tech and information security sectors to meet today's and tomorrow's demands. For over 10 years, she has provided solutions that empower organizations, products, and people to stand out from the crowd. Her work has earned her...


Sunday June 5, 2022 3:00pm - 3:25pm PDT
Theater 15

3:00pm PDT

Log in Your Own Eye - Exploiting a Stealthy C2 Channel in Azure Logging Infrastructure
Cloud logging infrastructure is vital to security threat detection, but what happens when it’s hijacked by an adversary? Join us for a quick dive into abusing Azure Log Analytics as a covert channel (and what to do about it)!

Speakers
Dmitriy Beryoza

Senior Security Researcher, Vectra AI
Dmitriy Beryoza is a Senior Security Researcher with Vectra AI, working on threat detection in the cloud and on-prem networks. Before that he was a penetration tester and secure software development advocate at IBM. Having been a developer for many years, he has built software of...


Sunday June 5, 2022 3:00pm - 3:25pm PDT
Theater 11

3:30pm PDT

Attacking and Defending Infrastructure with Terraform: How we got admin across cloud environments
In this talk we'll demonstrate how to attack Terraform Enterprise and Terraform Cloud to exfiltrate secrets and deploy malicious applications and infrastructure into production cloud environments undetected. Then we'll show you how we worked with HashiCorp to best mitigate it.

Speakers
Mike Ruth

Staff Security Engineer, Brex
Mike is a Staff Security Engineer at Brex, where he helps in securing one of the world’s best Financial Technology platforms. Previously the technical lead for Infrastructure Security at Cruise, Mike has over a decade of experience securing, designing, and deploying cloud infrastructure...


Sunday June 5, 2022 3:30pm - 4:20pm PDT
Theater 14

3:30pm PDT

Don’t Fear The SQLite: querying databases for endpoint security
macOS uses an incredible number of SQLite databases at a system and user level, tracking things such as kernel extensions, downloaded files, browser histories, and more. This talk will cover where these databases are, how to extract their data, and then scaling out with osquery’s ATC subsystem.

Speakers
Eric Kaiser

Uptycs, Inc
Eric is a Security Engineer at Uptycs, focused on endpoint and cloud security. He enjoys using his technical and interpersonal skills to build usable & secure infrastructure at scale, and in his spare time is an amateur motorcycle rider and mechanic, a runner, and an avid travele...


Sunday June 5, 2022 3:30pm - 4:20pm PDT
Theater 15

3:30pm PDT

Ooga Booga - Avoiding Reinvention of the Wheel (Useful Security Tools and Lessons to Know)
Security can be pretty overwhelming, but you don’t have to build anything from scratch! Under-resourced security teams often reinvent the wheel when it comes to solving common security problems. Join me as I introduce Marie Kondo-style techniques that should help manage the madness.

Speakers
Carla Sun

Gusto
She/Her. Local Area Disaster. Former Security Incident Response Lead and Application Security Engineer. Security Partner on the Product Security Team @ Gusto.


Sunday June 5, 2022 3:30pm - 4:20pm PDT
Embarcadero

3:30pm PDT

So You Think You Can Secure Your Cloud : Red Team Engagements in GCP
This is a detailed guide for adversary simulations in GCP that covers how to get an initial foothold, persist, escalate privileges, use Google's own products as C2, manipulate firewall rules and compute instances, abuse Key Management Service and Google Cloud Storage to decrypt and exfiltrate data.

Speakers
Brad Richardson

Brad Richardson’s security practitioner career spans 15 years in the areas of vulnerability management, security audit, pentest, and red team. Brad began his technology path in system engineering and quickly became interested in how cyber attackers find cracks in the best laid security...
Madhav Bhatt

Madhav has completed his Master's degree in Computer Engineering with a specialization in Cyber Security. He worked as an intern while in college, wearing multiple hats such as systems administrator, network architect and penetration tester, and also worked on research projects to design...


Sunday June 5, 2022 3:30pm - 4:20pm PDT
Theater 11

4:30pm PDT

Biohacker: The Invisible Threat
Security professionals won't allow users into their environment with hacking tools, so how do you address people with implants? People are the attack vector and the tool. The ability to compromise contactless tech threatens physical and digital security. How do you stop a cyber threat from a human?

Speakers
Len Noe

CyberArk Software
Len Noe is a White Hat Hacker and Global Enablement Engineer for CyberArk Software. Together with the CyberArk Global Enablement Engineering team, they are responsible for enabling internal staff and the starting point for escalation for all SEs in the field. They are responsible...


Sunday June 5, 2022 4:30pm - 5:20pm PDT
Embarcadero

4:30pm PDT

Everyone Can Play! Building Great CTFs To Teach Non-Security Folks
Learn to build fun and interesting CTFs for developers and others. Learn how to automate the CTF development process and easily deploy a custom CTF.

Speakers
Joe Kuemerle

Security Engineer, Salesforce
Joe Kuemerle is an application security engineer, developer and speaker in the greater New York City area specializing in application security, development, database and application lifecycle topics. Joe is active in the technical community as well as a speaker at local, regional...


Sunday June 5, 2022 4:30pm - 5:20pm PDT
Theater 11

4:30pm PDT

JavaScript Obfuscation - It’s All About the P-a-c-k-e-r-s
The use of JavaScript obfuscation techniques has become prevalent in today’s threats, from phishing, Magecart, and supply chain injection to malware droppers. This talk will introduce a technique that focuses on the detection of JavaScript packers in order to detect obfuscated files.

Speakers
Or Katz

Researcher, Akamai technologies
Or Katz is a security veteran with years of experience at industry-leading vendors, and currently serves as principal lead security researcher for Akamai. Katz is a frequent speaker at security conferences and has published numerous articles, blogs and white papers on threat intelligence...


Sunday June 5, 2022 4:30pm - 5:20pm PDT
Theater 14

4:30pm PDT

XSS mitigation: the state of the art
XSS attacks and mitigations are complex. Between CSPv3, Trusted Types, Strict Dynamic, CORP, and CORB, it's a lot to take in. In this talk, we'll cover what you need to know in order to implement efficient XSS defences at every layer.

Speakers
Jean-Baptiste Aviat

Datadog
Jean-Baptiste Aviat is an AppSec staff engineer at Datadog, and former CTO and co-founder at Sqreen. He spent half a decade hunting security bugs at Apple, helping developers fix them, and developing protections used by millions of devices. He's the host of the appsecbuilders.com podcast...


Sunday June 5, 2022 4:30pm - 5:20pm PDT
Theater 15

5:30pm PDT

Closing Ceremony
We will be discussing the logistics and joys of organizing the event. Come hear how it all gets put together and who helps us out!

Speakers
Reed Loden

Reed Loden is an information security expert, hacker, and developer. Reed worked to secure companies including HackerOne, Lookout Mobile Security, Palantir Technologies, and Mozilla, in addition to his many security consulting roles. He regularly presents on security best practices...


Sunday June 5, 2022 5:30pm - 6:30pm PDT
Embarcadero