Loading…
BSidesSF 2022 has ended
Simple
Expanded
Grid
By Venue
Map
Saturday, June 4
 

9:00am PDT

Breakfast
Sponsors
avatar for HackerOne
avatar for Instacart
avatar for Intel

Intel

Menu
avatar for Teleport

Saturday June 4, 2022 9:00am - 10:00am PDT
Participation Hall
  Food & Drink

9:00am PDT

Coffee
Sponsors
avatar for Sweetpea

Sweetpea

Coffee
avatar for Tailscale

Tailscale

Coffee

Saturday June 4, 2022 9:00am - 4:00pm PDT
Participation Hall
  Food & Drink

9:00am PDT

Capture the Flag
The CTF is back! As always, everyone is welcome to participate as the competition features a range of challenges at all difficulty levels. In case you find yourself in need of assistance, we have folks onsite who can provide hints and guidance. All that is needed to participate is a laptop.

The server is available all weekend long, and anyone is welcome to play. Server information is at https://bsidessf.org/ctf

At least one player must be onsite to claim any prizes won.
Sponsors
avatar for Google

Google

Leading, CTF

Saturday June 4, 2022 9:00am - 5:00pm PDT
Embarcadero
  CTF, Village

9:00am PDT

Sponsors
Visit the sponsor booths that line the walls of the Participant Hall and learn more about the companies that have made this year’s event possible. You’ll be introduced to new products, services, and career opportunities. At each booth you can also obtain one of the stamps you need to complete your Sponsor Passport (which can be found in the bag you received at registration).
Saturday June 4, 2022 9:00am - 5:00pm PDT
Participation Hall
  General

9:00am PDT

Crypto & Privacy Village
Crypto & Privacy Village helps bring cryptography & privacy knowledge to the hacker community.
Learn how to secure your own systems while also picking up some tips and tricks on how to break classical and modern encryption. The CPV features workshops and lightning talks on a wide range of crypto and privacy topics from experts. We’ll also have an intro to crypto talk for beginners, some crypto-related games, puzzles, and challenge.
Sponsors
avatar for Material Security

Saturday June 4, 2022 9:00am - 5:00pm PDT
Participation Hall
  Village

9:00am PDT

Hardware Village
Stop by the Hardware Village to participate in rubber ducky experiments. Each village participant will receive a pre-assembled badge that you can program through Arduino IDE to send automated keystrokes. The village content will be limited to harmless rubber ducky scripts, the kind you use for light-hearted, fun gags. Note: Limited badges are available while supplies last.

Brought to you by Hackerwares
Sponsors
avatar for Material Security

Saturday June 4, 2022 9:00am - 5:00pm PDT
Participation Hall
  Village

9:00am PDT

IoT Village
IoT Village Hands on Lab: Circumventing Security Controls in IoT Applications

Participate in a self-guided, hands on lab focused on circumventing security controls found on common internet connected devices. You will experience how newly-discovered vulnerabilities were discovered, how they can be exploited, and how this could impact consumers.

Brought to you by ISE (Independent Security Evaluators) and IoT Village
Sponsors
avatar for Material Security

Saturday June 4, 2022 9:00am - 5:00pm PDT
Participation Hall
  Village

9:00am PDT

Lockpick Village
Lockpick Extreme and TOOOL SF are back once again hosting Lockpick Village. Learn to lockpick from the TOOOL SF volunteers or practice what you already know with their assortment of locks and picks. When you’re done, you can shop the Lockpick Extreme pop-up shop and take your new hobby home with you.
Sponsors
avatar for Material Security

Saturday June 4, 2022 9:00am - 5:00pm PDT
Participation Hall
  Village

9:00am PDT

Bar and Chill Out
Take a break from the day’s events with a stop at the Bar and Chill Out Space. Two complimentary drink tickets were provided to you at registration. We already paid for them, so please use them!
Sponsors
avatar for Ermetic

Ermetic

Daytime Bar & Chill-Out

Saturday June 4, 2022 9:00am - 5:30pm PDT
Bar
  Food & Drink

9:00am PDT

Massage
Let your worries drift away with a complimentary chair massage.
Sponsors
avatar for Code42

Code42

Massage, Custom/Other
avatar for Sprinkles

Sprinkles

Massage

Saturday June 4, 2022 9:00am - 5:30pm PDT
Lobby
  General

9:00am PDT

Registration
Saturday June 4, 2022 9:00am - 5:30pm PDT
AMC Mezzanine
  General

9:00am PDT

Info Desk
Sponsors
avatar for Cribl

Cribl

Info Desk, Custom/Other

Saturday June 4, 2022 9:00am - 6:30pm PDT
Lobby
  General

9:00am PDT

Prayer & Mother's Room
Need a quiet place for meditation or mothering duties? Ask at the Info Desk, and we can guide you to a private location.
Saturday June 4, 2022 9:00am - 6:30pm PDT
Lobby
  General

9:00am PDT

Coat Check
Sponsors
avatar for Aruba Threat Labs

Saturday June 4, 2022 9:00am - 10:00pm PDT
Coat Check
  General

10:00am PDT

Opening Remarks
Speakers
avatar for Reed Loden

Reed Loden

VP of Security, Teleport
Reed Loden is the Vice President of Security at Teleport, a technology company that helps organizations securely access their infrastructure. He is an information security expert, researcher, hacker, and developer. Reed bring over 15+ years of security experience to his role at Teleport... Read More →

Saturday June 4, 2022 10:00am - 10:10am PDT
Embarcadero
  Simulcast  Talk

10:00am PDT

Simulcast of the Keynote and Opening Remarks
Saturday June 4, 2022 10:00am - 11:00am PDT
Theater 14
  Simulcast  Keynote  Talk

10:00am PDT

Cryptography and Blockchain Security
Event locked in Sched to limit confusion; see registration to determine current session availability.
Registration at https://bsidessf.regfox.com/2022 REQUIRED (cannot be reserved with Sched)


Learn how blockchains, cryptocurrency, coin offerings, and smart contracts work in a series of challenges. We will also cover the underlying cryptography: hashes, symmetric encryption, and asymmetric encryption. We will configure wallets, servers, and vulnerable smart contracts, and exploit them.

We will configure systems using Bitcoin, Ethereum, Hyperledger, Multichain, Stellar, and more. We will perform exploits, including double-spend, reentrancy, integer underflow, and logic flaws.

No previous experience with coding or blockchains is required. The workshop is structured in a CTF format. Each participant works at their own pace. The techniques will be demonstrated with complete step-by-step instructions to lead beginners through the easy challenges. There are also harder challenges for more experienced participants. We will help participants as needed to ensure that everyone learns new techniques.

Participants will need a computer with a web browser and either the capability to run virtual machines locally or a credit card and a few dollars to rent cloud servers.
Speakers
avatar for Sam Bowne

Sam Bowne

Professor, City College San Francisco
Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on training at DEF CON, DEF CON China, Black Hat USA, HOPE, BSidesSF, BSidesLV, RSA, and many other conferences and colleges.

Saturday June 4, 2022 10:00am - 12:30pm PDT
Theater 11
  Workshop

10:00am PDT

Finding Bugs and Scaling Your Security Program with Semgrep
Event locked in Sched to limit confusion; see registration to determine current session availability.
Registration at https://bsidessf.regfox.com/2022 REQUIRED (cannot be reserved with Sched)


Between Agile, DevOps, and infrastructure as code, development is happening faster than ever. As a security team, it can be tough to keep up.

This workshop will be a hands-on masterclass of using Semgrep (https://github.com/returntocorp/semgrep), an open source, lightweight static analysis tool, to do just that.

We’ll cover:
* How to use Semgrep to start getting security coverage of all of your repos continuously in CI in minutes
* Best practices in rolling out continuous code scanning -- what to focus on, what to ignore, and how to maintain good working relationships with development teams
* How to use this scanning to enforce secure defaults across your org
* How to write custom Semgrep rules -- find anti-patterns and enforce security best practices unique to your organization
* Advanced mode: We’ll also show how Semgrep can be used like a Swiss army knife for a variety of purposes -- alerting you whenever a new route is added (new attack surface), when new dependencies are added or Dockerfiles are modified (detect potential supply chain risk), or when generally sensitive files are modified, such as core authorization logic or secret management

You’ll leave this workshop with knowledge and skills you can immediately put into practice. For internal security engineers, you’ll have new capabilities for scaling your company’s security. For pen testers and offense-focused security professionals, we’ll up your bug finding game to a new level.

Prerequisites:
* You should be familiar reading and writing code in at least one programming language
* Bring a laptop with a web browser, IDE, git, and the ability to install CLI tools
* Familiarity with common vulnerability classes (e.g. OWASP 10 top) will be helpful but is not required
Speakers
CG

Clint Gibler

r2c
Clint Gibler (@clintgibler) is the Head of Security Research for r2c, a startup working on giving security tools directly to developers. Previously, Clint was a Research Director at NCC Group, where he helped companies implement security automation and DevSecOps best practices and... Read More →

Saturday June 4, 2022 10:00am - 12:30pm PDT
Theater 15
  Workshop

10:10am PDT

Keynote: We Need More Mediocre Security Engineers
The field of information security remains one of the most isolated - and at times, elitist - bastions in tech. We self-impose the highest cost of entry - be extraordinary or get out. Year over year the demand for security expertise and employees only increases, but our numbers don’t grow to match, and we’re burning out. It’s time to rethink how we talk about what we do, and how we invite others to join our ranks - and convince them to stay.
Speakers
avatar for Jackie Bow

Jackie Bow

Head of Detection and Response, Asana
A Jackie-of-all- trades, master of some, Jackie seems to be physically unable to stop returning to threat detection and response. Her 10+ years in the industry have been spent in malware analysis, reverse engineering, and infrastructure and product security. She has been an analyst... Read More →

Saturday June 4, 2022 10:10am - 11:00am PDT
Embarcadero
  Simulcast  Keynote  Talk

11:00am PDT

Speed Mentoring Village
The Mentoring Village connects mentors with mentees in a casual, relaxed environment. Mentors can be an invaluable asset when you’re wondering what the next steps are for advancing your career, weighing the options at a fork in the road, or challenging blockers to your success. BSidesSF Speed Mentoring provides an opportunity to get insights from industry practitioners on the field of security, careers in security, and experiential wisdom.

Sign up now to reserve your spot! To get started, join the BSides Slack org, and then join the speed-mentoring channel. You can also DM Kelly or Liza on BSides Slack to assist you in signing up! We have an incredible lineup, and we’re excited to pair you with the perfect mentor to support your career growth and development.
Sponsors
avatar for Material Security

Saturday June 4, 2022 11:00am - 3:00pm PDT
AMC Lounge
  Village

11:00am PDT

T-Shirt Sales
Pick up pre-purchased event t-shirts and purchase t-shirts for the current and previous years. Please note, we have limited t-shirt quantities.
Proceeds benefit EFF, WISP, and CodePath.org.
Saturday June 4, 2022 11:00am - 9:00pm PDT
Coat Check
  General

11:05am PDT

WireGuard from the ground up
What is WireGuard, how does it work, and when should you use it? Simply put, WireGuard offers end to end encryption of traffic between two endpoints. We’ll cover WireGuard's implementation, protocol, and cryptography and compare it to IPsec, ngrok, and OpenVPN in terms of security and performance.
Speakers
avatar for Maya Kaczorowski

Maya Kaczorowski

Product Manager, Software Supply Chain Security, Tailscale
Maya is a Product Manager at Tailscale, providing secure networking for the long tail. She was mostly recently at GitHub in software supply chain security, and previously at Google working on container security, encryption at rest and encryption key management. Prior to Google, she... Read More →
DC

David Crawshaw

Crawshaw likes writing computer programs and accidentally turned it into a career, a decision he works every day to not regret. He’s not a cryptographer or a security person, but he likes maths and thinks elliptic curves are pretty neat and/or infuriating. Worked at Google for a... Read More →

Saturday June 4, 2022 11:05am - 11:30am PDT
Theater 14
  Talk

11:10am PDT

An Unlikely Friendship: Why Security Engineers and Product Managers Should Be Working Together
Have you had trouble getting security features prioritized by product teams? Learn to expand your technical toolkit by harnessing the power of product managers to evangelize a security-focused roadmap, accelerate your team’s vision and growth, and unlock revenue from security-conscious customers.
Speakers
avatar for Leif Dreizler

Leif Dreizler

Senior Engineering Manager - Security Features, Twilio Segment
Leif Dreizler is an information security professional with over a decade of experience. Leif joined Segment (now part of Twilio) in 2017 and currently manages a team of Software Engineers focused on building security features. Leif joined as an early member of the security team and... Read More →
RL

Rachel Landers

Twilio Segment
Rachel Landers is a Product Manager based in San Francisco, CA. Rachel joined Segment (now part of Twilio) in 2019, in which time she has led the product strategy for Enterprise growth and CX at Segment. Rachel’s product focus at Segment leans heavily into product security best... Read More →

An Unlikely Friendship Why Security Engineers and Product Managers should be working together… pdf
Saturday June 4, 2022 11:10am - 12:00pm PDT
Embarcadero
  Talk

11:35am PDT

Detection-as-code: Why it works and where to start
Detection-as-code principles allow detection and response teams to operate with the efficiency of software engineering teams. By embracing these principles, D&R teams can unlock the benefits of version control, test-driven development, code reuse, and CI/CD automated workflows.
Speakers
KB

Kyle Bailey

Panther Labs
I am passionate about all things threat detection. I spent 5y managing operations for CYBERCOM, and the last 5 years doing detection and response in the tech industry, most recently building and managing the Detection Engineering & Red Team at Box. I currently break things at Panther... Read More →

Saturday June 4, 2022 11:35am - 12:00pm PDT
Theater 14
  Talk

12:00pm PDT

WISP (Women in Security and Privacy) Meet-up
Come join WISP (Women in Security and Privacy) on the outdoor terrace to network with others in a socially distant manner, learn more about the organization, and get free swag!
Saturday June 4, 2022 12:00pm - 1:00pm PDT
Terrace
  Community Organizations

12:00pm PDT

Lunch
Sponsors
avatar for HackerOne
avatar for Instacart
avatar for Intel

Intel

Menu
avatar for Teleport

Saturday June 4, 2022 12:00pm - 1:30pm PDT
Participation Hall
  Food & Drink

12:10pm PDT

CTF Lunch talk 1 - Intro to Pwnables
Introduction to pwnables and walkthrough of tutorial challenges.
Speakers
RB
DT

Saturday June 4, 2022 12:10pm - 1:00pm PDT
TBA
  CTF

12:30pm PDT

Sponsor Raffle
Complete your Sponsor Passport (which can be found in the bag you received at registration). Drop your completed card into the Sponsor Passport raffle box located within Twin Peaks to be entered into the raffle. Winners will be announced at 12:30pm each day (must be present to win).
Saturday June 4, 2022 12:30pm - 1:00pm PDT
Participation Hall
  General

1:00pm PDT

Mobile Application Security
Event locked in Sched to limit confusion; see registration to determine current session availability.
Registration at https://bsidessf.regfox.com/2022 REQUIRED (cannot be reserved with Sched)


From smartphones to tablets to watches, users are relying more and more on the convenience of mobile technology. Organizations must meet this growing trend with greater security measures to support critical business functions and protect sensitive data on enterprise devices. Mobile architectures, applications, networks and services must all be developed and managed in compliance with the oversight of a strong IT workforce.

This course provides an in-depth technical overview of the security features and limitations of modern mobile operating systems, including the top risks and vulnerabilities, every IT professional needs to know.

What you will learn:
Mobile application security measures
Models to develop and secure Android applications
Security detection and measures in iOS
Trends in mobile device management (MDM)
Speakers
avatar for Himanshu Dwivedi

Himanshu Dwivedi

Co-Founder and Chief Executive Officer, Data Theorem, Inc
Himanshu Dwivedi is the CEO of Data Theorem, Inc., an application security company focusing on API Security (RESTful & GraphQL), mobile apps (iOS &Android), Cloud Apps (Serverless), and Single Page WebApps (SPAs). Himanshu has been an avid start-up entrepreneur since 1999, where he... Read More →

Saturday June 4, 2022 1:00pm - 3:30pm PDT
Theater 15
  Workshop

1:00pm PDT

Introduction to Cryptographic Attacks
Event locked in Sched to limit confusion; see registration to determine current session availability.
Registration at https://bsidessf.regfox.com/2022 REQUIRED (cannot be reserved with Sched)


Using cryptography is often a subtle practice and mistakes can result in significant vulnerabilities. This workshop will cover many of these vulnerabilities which have shown up in the real world, including CVE-2020-0601. This will be a hands-on workshop where you will implement the attacks after each one is explained. You will be provided with a VM with Python dependencies and skeleton code included so you can focus on implementing the attack. A good way to determine if this workshop is for you is to look at the challenges at cryptopals.com, and see if those look interesting but if you could use in person help understanding the attacks. While not a strict subset of those challenges, there is significant overlap. Comfort with math and a programming language like Python will be required to get the most out of the workshop.
Speakers
MC

Matt Cheung

Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on implementing a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Unfortunately, implementation weaknesses were not... Read More →

Saturday June 4, 2022 1:00pm - 6:00pm PDT
Theater 11
  Workshop

1:30pm PDT

Go With The (Work)flow
An eye-opening look into the world of cloud workflow management platforms and their security risks. This talk will unveil research into the world of misconfigurations, mountains of credentials, sensitive data leakage, insecure coding, and containerized malware.
Speakers
RR

Ryan Robinson

Intezer
Ryan Robinson is a security researcher for Intezer. He specializes in malware reverse engineering and threat intelligence. In previous roles, Ryan has worked as a Security Engineer securing cloud applications and as an analyst in Anomali's Threat Research team.
NF

Nicole Fishbein

Intezer
Nicole Fishbein is a security researcher and malware analyst. Nicole has been part of research that led to discovery of phishing campaigns, undetected malware and attacks on Linux-based cloud environments. Prior to Intezer she was an embedded researcher in the Israel Defense Forces... Read More →

Saturday June 4, 2022 1:30pm - 1:55pm PDT
Theater 14
  Talk

1:30pm PDT

Embracing Risk Responsibly: Moving beyond inflexible SLAs and exception hell by treating security vulnerabilities and risk like actual debt
At Segment, we were sick of having breached SLAs; we were tired of a junk drawer of exceptions that continued to grow without bound. Two years ago we decided to move beyond inflexible SLAs and permanent exceptions to enable our business to “Embrace Risk Responsibly” by treating vulnerabilities like debt.
Speakers
EE

Eric Ellett

Segment
I have been at Segment since 2018 and built out their application, cloud, and product security program, and now the Senior Director of R&D Security within Twilio. I've been heavily focused on building innovative security programs with a heavy emphasis on engineering principles and... Read More →

Saturday June 4, 2022 1:30pm - 2:20pm PDT
Embarcadero
  Talk

2:00pm PDT

Read the Fantastic Manual: Writing Security Docs People Will Actually Read
RTFM: a demand that’s rarely useful for people who need information. How do we know docs are the solution? How can security pros write effectively for those who aren’t? And how can we know if our docs work at all? In this talk, we’ll cover IDing needs, strategic and iterative doc creation, and measuring success.
Speakers
avatar for Breanne Boland

Breanne Boland

Product security engineer - security partner, Gusto
Breanne Boland is a product security engineer with the Security Partnerships team at Gusto. Before moving into security, she was a site reliability engineer and an infrastructure engineer, working in healthcare and govtech. Prior to that, she was a professional writer, and she still... Read More →

Breanne Boland, BSides SF 2022 draft slides 27 May 2022 pdf
Saturday June 4, 2022 2:00pm - 2:25pm PDT
Theater 14
  Talk

2:30pm PDT

Buying Security: A Client's Guide
You can’t buy security, but vendors play a key role in effective security programs. This talk will provide a comprehensive guide to buying and getting value, based on experiences on both sides of the marketplace, a comprehensive literature review, and a survey of clients and vendors of all stripes.
Speakers
avatar for Rami McCarthy

Rami McCarthy

Staff Security Engineer, Figma
Rami works on Infrastructure and Cloud Security at Figma. He previously worked as a security consultant and helped scale security for a health-tech unicorn, and infrequently writes about security on tldrsec.com. https://www.twitter.com/ramimacisabird

Buying Security pdf
Saturday June 4, 2022 2:30pm - 3:20pm PDT
Embarcadero
  Talk

3:00pm PDT

Book Signing
Stop by the book signing to receive a copy of Reinventing Cybersecurity signed Breanne Boland , Carla Sun, and others. Reinventing Cybersecurity is a compendium of chapters by 19 women and non-binary individuals in security roles.
Speakers
avatar for Breanne Boland

Breanne Boland

Product security engineer - security partner, Gusto
Breanne Boland is a product security engineer with the Security Partnerships team at Gusto. Before moving into security, she was a site reliability engineer and an infrastructure engineer, working in healthcare and govtech. Prior to that, she was a professional writer, and she still... Read More →
avatar for Carla Sun

Carla Sun

Security Engineer, Gusto
(She/Her),Local Area Disaster,Former Security Incident Response Lead, and Application Security Engineer.Security Partner on the Product Security Team @ Gusto

Sponsors
avatar for Jupiter One

Jupiter One

Book Signing

Saturday June 4, 2022 3:00pm - 4:00pm PDT
Participation Hall
  General

3:30pm PDT

Emerging Best Practices in Software Supply Chain Security: What We Can Learn from Google, the White House, OWASP, and Gartner
Attackers are taking advantage of insecure software deployment pipelines; the White House, OWASP, Google, and others have released guidelines on best practices in response. We will break down the key takeaways and compile a list of best practices for mitigating software supply chain security risk.
Speakers
TL

Tony Loehr

Developer Advocate, Cycode
Tony Loehr is the Developer Advocate for Cycode. Their prerogative is to make it easy for developers to use the Cycode platform, and to help protect data through knowledge sharing. They have professional experience with engineering, marketing, and sales and bring a unique perspective... Read More →

Saturday June 4, 2022 3:30pm - 3:55pm PDT
Theater 14
  Talk

3:30pm PDT

Redefining Threat Modeling: Security team goes on vacation
Threat modeling is an important part of a security program, but as companies grow you will choose which features you want to threat model or become a bottleneck.
What if I told you, you can have your cake and eat it too. It is possible to scale your program and deliver higher quality threat models.
Speakers
JS

Jeevan Singh

Twilio Inc
Jeevan Singh is a Security Engineering Manager for Twilio, where he is embedding security into all aspects of the software development process. Jeevan enjoys building security culture within organizations and educating staff on security best practices. Jeevan is responsible for a... Read More →

Saturday June 4, 2022 3:30pm - 4:20pm PDT
Embarcadero
  Talk

4:00pm PDT

Avoiding insidious points of compromise in infrastructure access systems
Listen to war stories and learn how to build secure infrastructure access systems! We chat about five classic incidents: FluffyBunny (2001), Operation Aurora (2009), DigiNotar (2011), NotPetya (2017), SolarWinds (2020) and why they suggest the industry definition of "zero-trust" is basically wrong.
Speakers
avatar for Dr. Sharon Goldberg

Dr. Sharon Goldberg

Founder/CEO, BastionZero
Sharon Goldberg is the CEO/Co-Founder of BastionZero, a startup that is reimagining the tools that engineers use to secure remote access to infrastructure. She is also a tenured professor in the Computer Science Department at Boston University. Her research focuses on infrastructure... Read More →

Saturday June 4, 2022 4:00pm - 4:25pm PDT
Theater 14
  Talk

4:30pm PDT

Achieving the Web Isolation Nirvana - How far along are we?
Security isolation improves the resilience of applications against attacks. This is especially true when untrusted or third party code is included. This talk provides a deep dive on browser isolation mechanisms, their efficacy, current challenges and insights on where Web Isolation needs to go next.
Speakers
PF

Pedro Fortuna

Jscrambler
Once on a trajectory to a full academic career, where he taught security and computer science courses for about 5 years - ended up falling in love with the fast paced world of entrepreneurship. Started Jscrambler where he leads all security research and drives the company product... Read More →
avatar for Jasvir Nagra

Jasvir Nagra

None, Technical Advisor to Jscrambler
Jasvir Nagra is widely recognized as a thought leader in software protection. He is co-author of Surreptitious Software, the definitive textbook on software protection, and an early researcher in obfuscation, software watermarking, and fingerprinting. With more than 12 years of experience... Read More →

Saturday June 4, 2022 4:30pm - 5:20pm PDT
Embarcadero
  Talk

4:30pm PDT

Red Teaming macOS Environments with Hermes the Swift Messenger
This talk will dive into the development of a new Swift implant, Hermes, targeting macOS. Hermes hooks into Cody Thomas' Mythic framework, which serves as the C2 controller. We will dive into the internals and capability of the implant as well as ways it can be detected with Apple's ESF.
Speakers
JB

Justin Bui

Zoom
Justin Bui is a red teamer at Zoom and was previously a red team consultant at SpecterOps. He is passionate about all things security and helping organizations improve their security posture. Justin enjoys writing code and developing offensive tools, particularly around Windows/macOS... Read More →

Saturday June 4, 2022 4:30pm - 5:20pm PDT
Theater 14
  Talk

5:30pm PDT

Happy Hour
Once the last talks of the day are done, join us in the Bar and Chill Out
Space to celebrate a successful day one of the event!
Sponsors
avatar for Pentera

Pentera

Happy Hour
avatar for Vectra

Vectra

Happy Hour

Saturday June 4, 2022 5:30pm - 6:30pm PDT
Bar
  Food & Drink

6:30pm PDT

Party
After the last couple of years, we could all use some fun! This year’s party will be a summer time affair complete with food, drinks, music, and great conversation. Head to the bar to try one of the party’s signature cocktails. Or join in on the yard games which will include corn hole, lawn dice, and ladder toss. Or stop by one of the two photo booths for photos to commemorate this year’s event!
Sponsors
avatar for Intezer

Intezer

Supporting, Party

Saturday June 4, 2022 6:30pm - 9:30pm PDT
Embarcadero
  Food & Drink
 
Sunday, June 5
 

9:00am PDT

Breakfast
Sponsors
avatar for HackerOne
avatar for Instacart
avatar for Intel

Intel

Menu
avatar for Teleport

Sunday June 5, 2022 9:00am - 10:00am PDT
Participation Hall
  Food & Drink

9:00am PDT

Coffee
Sponsors
avatar for Sweetpea

Sweetpea

Coffee
avatar for Tailscale

Tailscale

Coffee

Sunday June 5, 2022 9:00am - 4:00pm PDT
Participation Hall
  Food & Drink

9:00am PDT

Capture the Flag
The CTF is back! As always, everyone is welcome to participate as the competition features a range of challenges at all difficulty levels. In case you find yourself in need of assistance, we have folks onsite who can provide hints and guidance. All that is needed to participate is a laptop.

The server is available all weekend long, and anyone is welcome to play. Server information is at https://bsidessf.org/ctf

At least one player must be onsite to claim any prizes won.
Sponsors
avatar for Google

Google

Leading, CTF

Sunday June 5, 2022 9:00am - 5:00pm PDT
Embarcadero
  CTF, Village

9:00am PDT

Info Desk
Sponsors
avatar for Cribl

Cribl

Info Desk, Custom/Other

Sunday June 5, 2022 9:00am - 5:00pm PDT
Lobby
  General

9:00am PDT

Prayer & Mother's Room
Need a quiet place for meditation or mothering duties? Ask at the Info Desk, and we can guide you to a private location.
Sunday June 5, 2022 9:00am - 5:00pm PDT
Lobby
  General

9:00am PDT

Registration
Sunday June 5, 2022 9:00am - 5:00pm PDT
AMC Mezzanine
  General

9:00am PDT

Sponsors
Visit the sponsor booths that line the walls of the Participant Hall and learn more about the companies that have made this year’s event possible. You’ll be introduced to new products, services, and career opportunities. At each booth you can also obtain one of the stamps you need to complete your Sponsor Passport (which can be found in the bag you received at registration).
Sunday June 5, 2022 9:00am - 5:00pm PDT
Participation Hall
  General

9:00am PDT

Crypto & Privacy Village
Crypto & Privacy Village helps bring cryptography & privacy knowledge to the hacker community.
Learn how to secure your own systems while also picking up some tips and tricks on how to break classical and modern encryption. The CPV features workshops and lightning talks on a wide range of crypto and privacy topics from experts. We’ll also have an intro to crypto talk for beginners, some crypto-related games, puzzles, and challenge.
Sponsors
avatar for Material Security

Sunday June 5, 2022 9:00am - 5:00pm PDT
Participation Hall
  Village

9:00am PDT

Hardware Village
Stop by the Hardware Village to participate in rubber ducky experiments. Each village participant will receive a pre-assembled badge that you can program through Arduino IDE to send automated keystrokes. The village content will be limited to harmless rubber ducky scripts, the kind you use for light-hearted, fun gags. Note: Limited badges are available while supplies last.

Brought to you by Hackerwares
Sponsors
avatar for Material Security

Sunday June 5, 2022 9:00am - 5:00pm PDT
Participation Hall
  Village

9:00am PDT

IoT Village
IoT Village Hands on Lab: Circumventing Security Controls in IoT Applications

Participate in a self-guided, hands on lab focused on circumventing security controls found on common internet connected devices. You will experience how newly-discovered vulnerabilities were discovered, how they can be exploited, and how this could impact consumers.

Brought to you by ISE (Independent Security Evaluators) and IoT Village
Sponsors
avatar for Material Security

Sunday June 5, 2022 9:00am - 5:00pm PDT
Participation Hall
  Village

9:00am PDT

Lockpick Village
Lockpick Extreme and TOOOL SF are back once again hosting Lockpick Village. Learn to lockpick from the TOOOL SF volunteers or practice what you already know with their assortment of locks and picks. When you’re done, you can shop the Lockpick Extreme pop-up shop and take your new hobby home with you.
Sponsors
avatar for Material Security

Sunday June 5, 2022 9:00am - 5:00pm PDT
Participation Hall
  Village

9:00am PDT

Bar and Chill Out
Take a break from the day’s events with a stop at the Bar and Chill Out Space. Two complimentary drink tickets were provided to you at registration. We already paid for them, so please use them!
Sponsors
avatar for Ermetic

Ermetic

Daytime Bar & Chill-Out

Sunday June 5, 2022 9:00am - 5:30pm PDT
Bar
  Food & Drink

9:00am PDT

Massage
Let your worries drift away with a complimentary chair massage.
Sponsors
avatar for Code42

Code42

Massage, Custom/Other
avatar for Sprinkles

Sprinkles

Massage

Sunday June 5, 2022 9:00am - 5:30pm PDT
Lobby
  General

9:00am PDT

T-Shirt Sales
Pick up pre-purchased event t-shirts and purchase t-shirts for the current and previous years. Please note, we have limited t-shirt quantities.
Proceeds benefit EFF, WISP, and CodePath.org.
Sunday June 5, 2022 9:00am - 5:30pm PDT
Coat Check
  General

9:00am PDT

Coat Check
Sponsors
avatar for Aruba Threat Labs

Sunday June 5, 2022 9:00am - 7:00pm PDT
Coat Check
  General

10:00am PDT

Opening Remarks
Speakers
avatar for Reed Loden

Reed Loden

VP of Security, Teleport
Reed Loden is the Vice President of Security at Teleport, a technology company that helps organizations securely access their infrastructure. He is an information security expert, researcher, hacker, and developer. Reed bring over 15+ years of security experience to his role at Teleport... Read More →

Sunday June 5, 2022 10:00am - 10:10am PDT
Embarcadero
  Simulcast  Talk

10:00am PDT

Simulcast of the Keynote and Opening Remarks
Sunday June 5, 2022 10:00am - 11:00am PDT
Theater 14
  Simulcast  Keynote  Talk

10:10am PDT

Keynote: Building sustainable security programs
The criticality of information security programs goes hand in hand with the stress and burnout concerns in our industry. Defenders feel the pressure to be “always on” trying to keep up with evolving business needs, lean teams, unrealistic program expectations and changing threat landscapes. This talk will focus on critical elements for building sustainability into your security programs. The topics covered range from risk alignment and prioritization to organizational health and culture.
Speakers
avatar for Astha Singhal

Astha Singhal

Director of Security, Netflix
Astha Singhal is currently a Director of Security at Netflix leading teams responsible for securing Netflix's workforce and product technology footprint in support of the product, studio and enterprise. Prior to this, she was a product security leader leading security for the Salesforce... Read More →

BSidesSF 2022 pdf
Sunday June 5, 2022 10:10am - 11:00am PDT
Embarcadero
  Simulcast  Keynote  Talk

11:00am PDT

Speed Mentoring Village
The Mentoring Village connects mentors with mentees in a casual, relaxed environment. Mentors can be an invaluable asset when you’re wondering what the next steps are for advancing your career, weighing the options at a fork in the road, or challenging blockers to your success. BSidesSF Speed Mentoring provides an opportunity to get insights from industry practitioners on the field of security, careers in security, and experiential wisdom.

Sign up now to reserve your spot! To get started, join the BSides Slack org, and then join the speed-mentoring channel. You can also DM Kelly or Liza on BSides Slack to assist you in signing up! We have an incredible lineup, and we’re excited to pair you with the perfect mentor to support your career growth and development.
Sponsors
avatar for Material Security

Sunday June 5, 2022 11:00am - 3:00pm PDT
AMC Lounge
  Village

11:05am PDT

Exposed secrets - How public git repositories and docker images expose millions of secrets like API keys and security certificates every year
Secrets like API keys are sprawling through the internet at an alarming rate. In 2020, we conducted a research project that uncovered two million leaked secrets. This talk outlines the 2021 results and reveals how secrets end up exposed in public git repos, docker images and packages.
Speakers
avatar for Mackenzie Jackson

Mackenzie Jackson

Developer Advocate, GitGuardian
Mackenzie is a developer advocate with a passion for DevOps and code security. As the co-founder and former CTO of a health tech startup, he learnt first-hand how critical it is to build secure applications with robust developer operations. Today as the Developer Advocate at GitGuardian... Read More →

Sunday June 5, 2022 11:05am - 11:30am PDT
Theater 14
  Talk

11:10am PDT

Achieving HITRUST on a Budget
HITRUST is the most-sought certification by healthcare organizations but the resources and time required are daunting. On average, the HITRUST certification costs >$300K+ and 22 months. Ginger took a different approach and passed the HITRUST assessment in less than $100K and 11 months.
Speakers
avatar for Shobhit Mehta

Shobhit Mehta

Security & Compliance Director, Headspace Health
Shobhit is the Security & Compliance Director at Headspace Health, an on-demand mental-health company in San Francisco, CA. Prior to Headspace Health, he worked for 11+ years in different facets of Security & Information Assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal... Read More →

Sunday June 5, 2022 11:10am - 12:00pm PDT
Theater 15
  Talk

11:10am PDT

The CISO Panel Discussion
The CISO panel will be a discussion around hiring, retaining and scaling top security teams, and talent.
We will explore how each leader has approached talent attraction and the successes and challenges they've faced when building security teams.
Moderators
avatar for Tom Alcock

Tom Alcock

Partner and Founder, Code Red Partners
Tom Alcock Partner and Founder, Code Red Partners Tom has spent over 12 years in technical recruiting and consulting across Europe and North America. He is passionate about cybersecurity, diversity and inclusivity hiring. I am an experienced and passionate professional, who is keen... Read More →

Speakers
avatar for Caleb Sima

Caleb Sima

Chief Security Officer, Robinhood
Caleb is a seasoned security executive, board member and start-up founder. Caleb has spent his career in growing and scaling top performing security organisation's at Capital One, Databricks and most recently at Robinhood.
avatar for Fermin Serna

Fermin Serna

Chief Security Officer, Databricks
Fermin is a Security executive with 20+ years of experience as a  technical leader of big organizations with deep knowledge in the security/vulnerability assessment and exploit development fields. He is scaled top security engineering and operational talent teams at Google, Citrix... Read More →
avatar for Jessica Ferguson

Jessica Ferguson

Docusign, Docusign
Jessica is the Chief Information Security Officer at DocuSign and is responsible for trust and security initiatives at the company, including the protection of information important to DocuSign. Jessica has more than 20 years of experience in IT and Information Security across security... Read More →

Sunday June 5, 2022 11:10am - 12:00pm PDT
Embarcadero
  Talk, Panel

11:10am PDT

Threat hunting: Using MITRE ATT&CK against Carbanak malware
This talk demonstrates the MITRE ATT&CK Framework in action for threat hunting with the example of 'Carbanak' backdoor which was designed specifically for banking applications.
Speakers
avatar for Amol Sarwate

Amol Sarwate

VP of Threat Research, Fidelis Cybersecurity
Amol Sarwate heads Fidelis and CloudPassage worldwide threat and security research lab responsible for Network, Endpoint and Cloud. He has devoted his career to protecting, securing, and educating the community from security threats. Sarwate has presented his research on cloud security... Read More →

Sunday June 5, 2022 11:10am - 12:00pm PDT
Theater 11
  Talk

11:35am PDT

The power of guardrails: How to slash your risk of XSS in half
Why do the same security bugs keep popping up repeatedly, those we all know from the OWASP Top 10? We believe the future of security lies in eliminating vulnerabilities by using secure code defaults and present a study showing that secure defaults can significantly raise a company’s security bar.
Speakers
CD

Colleen Dai

r2c
Colleen Dai is a security software engineer at r2c, a startup working on building static analysis tools that focus on precision and being custom-fit to the consumer. At r2c, Colleen has worked on language parsing along with AST matching. She is also writing rules and performing research... Read More →
GH

Grayson Hardaway

r2c
Grayson Hardaway is a security researcher at r2c, a startup working on static analysis tools purpose-built for the modern workflow. At r2c, Grayson authors static analysis tailored for finding security vulnerabilities in open source code. Previously, Grayson worked for the US Department... Read More →

Sunday June 5, 2022 11:35am - 12:00pm PDT
Theater 14
  Talk

12:00pm PDT

Lunch
Sponsors
avatar for HackerOne
avatar for Instacart
avatar for Intel

Intel

Menu
avatar for Teleport

Sunday June 5, 2022 12:00pm - 1:30pm PDT
Participation Hall
  Food & Drink

12:10pm PDT

CTF Lunch talk 2 - Crypto and XSS for fun
Introduction to crypto and XSS challenges and walkthroughs.
Speakers
BE
NR

Sunday June 5, 2022 12:10pm - 1:00pm PDT
TBA
  CTF

12:30pm PDT

Sponsor Raffle
Complete your Sponsor Passport (which can be found in the bag you received at registration). Drop your completed card into the Sponsor Passport raffle box located within Twin Peaks to be entered into the raffle. Winners will be announced at 12:30pm each day (must be present to win).
Sunday June 5, 2022 12:30pm - 1:00pm PDT
Participation Hall
  General

1:30pm PDT

Don't turn your back on Ransomware!
Ransomware is on the loose and attacking us all! Learn and sharpen your blades in order to defend against this multi-headed monster!
Speakers
EH

Erik Heskes

Lemonshark
Security Consultant with a technical background. Handled security topics like: SIEM/SOC, Purple teaming, pentesting and compliance. Mostly within financial institutions. Next to my dayjob as a consultant I am also a musician and I like to ride my motorcycle from time to time. Certifications... Read More →

Sunday June 5, 2022 1:30pm - 1:55pm PDT
Theater 15
  Talk, OTR

1:30pm PDT

Metabadger: Automating IMDS Protection at Scale in AWS
Metabadger is an open source tool that we built at Salesforce that can help you rapidly and safely upgrade your EC2 instances to use IMDSv2 and prevent SSRF-based theft of EC2 Metadata Credentials. In this talk, we'll walk through how we approached and automated this problem to prevent IMDS abuse.
Speakers
avatar for Ashish Patel

Ashish Patel

Security Engineer
Ashish enjoys automating manual security hardening and letting the robots do the work for you. You'll often find him working on the challenges we come across in the cloud, application, and infrastructure security space. In his free time, he likes to blog about solving large scale... Read More →

Sunday June 5, 2022 1:30pm - 1:55pm PDT
Theater 11
  Talk

1:30pm PDT

Rise of the Vermilion: Cross-Platform Cobalt Strike Beacon Targeting Linux and Windows
This talk is about the first publicly documented cross-platform Cobalt Strike re-implementation active in real world attacks. Because Cobalt Strike is a heavily used red team tool by threat actors, Vermilion Strike is among the key recent unique discoveries in the malware research world.
Speakers
AM

Avigayil Mechtinger

Intezer
Avigayil is a security researcher at Intezer specializing in malware analysis and threat hunting. During her time at Intezer, she has uncovered and documented different malware targeting both Linux and Windows platforms. As part of her ongoing work she has initiated the ELF Malware... Read More →
RR

Ryan Robinson

Intezer
Ryan Robinson is a security researcher for Intezer. He specializes in malware reverse engineering and threat intelligence. In previous roles, Ryan has worked as a Security Engineer securing cloud applications and as an analyst in Anomali's Threat Research team.

Sunday June 5, 2022 1:30pm - 1:55pm PDT
Theater 14
  Talk

1:30pm PDT

Hook, Line and Sinker - Pillaging API Webhooks
Webhooks are an important part of modern web services. In this talk, I will demonstrate “Webhook Boomerang flaws,” a unique set of attack vectors that allows us to perform SSRF against webhooks leading to cloud-credential compromise even with security protections like Metadata Headers.
Speakers
AB

Abhay Bhargav

we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company and the Chief Research Officer of AppSecEngineer, an elite, hands-on online training platform for AppSec, Cloud-Native Security, Kubernetes Security and DevSecOps. Abhay started his career as a breaker... Read More →

Sunday June 5, 2022 1:30pm - 2:20pm PDT
Embarcadero
  Talk

2:00pm PDT

Got popcorn? What’s on the Vuln Channel tonight?
Developers need fast automated code scanning and timely information about potential vulnerabilities. Our vision is that receiving vulnerability data should be as simple as streaming the latest episode of your favorite TV series! In this talk, we describe the platform we built to enable our vision.
Speakers
avatar for Rob Jerdonek

Rob Jerdonek

Application Security Engineer, Roku, Inc.
I have more than 10 years of experience building product security programs and tools at companies of all sizes. I have an M.S.E. in Computer Science and Engineering from the U. of Michigan, Ann Arbor. After working in the security field for many years, I have goal of doing more to... Read More →
LC

Lily Chau

Lily Chau is a little blob, inhaling copious amounts of food and is often seen riding a warp star. Lily is a silent spirit using lots of grunts, shouts and cheery elongated mono-syllables. Lily was previously known as a platypus caretaker.

Sunday June 5, 2022 2:00pm - 2:25pm PDT
Theater 14
  Talk

2:00pm PDT

Securing Internal Applications @ Loom
A chain is only as strong as its weakest link' is a common security paradigm that we believe at Loom. Believing in this, we decided to take a security first approach to improve the security posture for our internal applications which are used widely for administrative purposes.
Speakers
avatar for Narayan Gowraj

Narayan Gowraj

Security Engineer, Loom
Loom is a Series C startup and an essential tool for hybrid workplace. Narayan Gowraj is a Security Engineer at Loom where he has been leading and pioneering security initiatives. Narayan has also been actively working on developing hands-on security techniques with product teams... Read More →

Sunday June 5, 2022 2:00pm - 2:25pm PDT
Theater 15
  Talk, OTR

2:00pm PDT

Practical Threat Hunting With Machine Learning
Machine learning, while being one of the most hyped and anticipated technology paradigm shifts, has yet to be widely applied to threat hunting and detection. This talk covers two years of work on machine learning models for threat detection. Case studies will include numerous high-value detections.
Speakers
avatar for Omid Mirzaei

Omid Mirzaei

Elastic
Omid Mirzaei is a senior security data scientist on the protections team at Elastic. He develops machine learning tools for the cybersecurity domain and does research on how to build trustworthy ML-based systems. His research interests include computer security, mobile security, malware... Read More →
CC

Craig Chamberlain

Elastic
Craig has seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion, C-beams glittering in the dark near the Tannhäuser Gate. Craig is a longtime security researcher who has been to the places and done the kinds of things you would expect, most of which... Read More →

Sunday June 5, 2022 2:00pm - 2:50pm PDT
Theater 11
  Talk

2:30pm PDT

Wins and Learns from the Integration of reCAPTCHA at Pinterest
We'd like to share our experiences in integrating reCAPTCHA at a large scale across multiple client platforms, especially the wins and learnings, to help the community better understand and defend against the evolving threats from automated attacks.
Speakers
YS

Yuru Shao

Pinterest
Software engineering at Pinterest working on product security.

Sunday June 5, 2022 2:30pm - 2:55pm PDT
Theater 15
  Talk, OTR

2:30pm PDT

Hacker TikTok: Community, Creativity, and Controversy
As TikTok surges in popularity, did you know there are security-focused creators on TikTok bringing awareness, humor, and community to an audience hungry to learn about being a hacker? Join our panelists as they discuss their successes and challenges exploring a new frontier in security awareness.
Moderators
KT

Kyle Tobener

Copado
Kyle Tobener is a VP and Head of Security for the DevOps startup Copado. He began his professional career as a zoologist but fled the jungle to return to San Francisco and focus on tech. He loves application security, third party risk management, and building security programs from... Read More →

Speakers
M

MakeItHackin

MakeItHackin
MakeItHackin began creating content during the pandemic and became the face of the “Tell Me You’re a Hacker” trend on TikTok. His research covers anti-theft devices, license plate camera blockers, circuit board fabrication, and other nerdy projects. When not producing videos... Read More →
SD

Serena DiPenti (shenetworks)

Security Analyst, Black Hills Information Security
Serena DiPenti is a Penetration Tester at Black Hills Information Security with over a decade of experience in the technology sector. She holds a Bachelor of Science degree in Computer Information Systems from the University of Akron and is currently pursuing a double major in Computer... Read More →
KR

Kylie Robison

Business Insider
I'm an enterprise technology reporter covering developers for Business Insider.

Sunday June 5, 2022 2:30pm - 3:20pm PDT
Theater 14
  Talk, Panel

2:30pm PDT

How to Fake Friends and Find People: A Build-A-Buddy case study
Join us, two prior Special Operations cyber operators, as we share our case study on Operational Security revolving around recent crowdsourced ad-hoc OSINT/Humanitarian missions and how to properly isolate your true identity from your temporary operational online persona.
Speakers
avatar for Dahvid Schloss

Dahvid Schloss

Managing Lead, Offensive Security, Echelon Cyber + Risk
Dahvid is the Managing Lead, Offensive Security at Echelon Risk + Cyber. As an experienced professional with over 12 years of cyber-attack and defense experience, Dahvid has previously worked as a Red Team Operator with a Big 4 consulting firm leading and conducting Adversarial Emulation... Read More →
AD

Alex Dodd

Attack Research, LLC
Alex is a Penetration Tester and Project Lead with Attack Research, LLC. From software testing to network engineering and IT management to cyber security, Alex has been involved in many levels of cyber security. He also has comprehensive experience in the behaviors, patterns, and... Read More →

Sunday June 5, 2022 2:30pm - 3:20pm PDT
Embarcadero
  Talk

3:00pm PDT

Burnout: The Weakness to your Security Plan
This talk dives into the factors that lead to burnout among security professionals, the clear line between burnout and failure to retain team members, and how to invest in your team to make sure your team is able to thrive during stressful times.
Speakers
avatar for Chloé Messdaghi

Chloé Messdaghi

CEO and Founder, Global Secure Partners
For over ten years, Chloé Messdaghi has advised and developed impactful solutions that have driven growth and innovation while transforming security teams to become resilient. Her work has helped businesses unlock opportunities to enhance trust, mitigate risk, and become purpose-driven... Read More →

Sunday June 5, 2022 3:00pm - 3:25pm PDT
Theater 15
  Talk

3:00pm PDT

Log in Your Own Eye - Exploiting a Stealthy C2 Channel in Azure Logging Infrastructure
Cloud logging infrastructure is vital to security threat detection, but what happens when it’s hijacked by an adversary? Join us for a quick dive into abusing Azure Log Analytics as a covert channel (and what to do about it)!
Speakers
avatar for Dmitriy Beryoza

Dmitriy Beryoza

Senior Security Researcher, Vectra AI
Dmitriy Beryoza is a Senior Security Researcher with Vectra AI, working on threat detection in the cloud and on-prem networks. Before that he was a penetration tester and secure software development advocate at IBM. Having been a developer for many years, he has built software of... Read More →

Sunday June 5, 2022 3:00pm - 3:25pm PDT
Theater 11
  Talk

3:30pm PDT

Attacking and Defending Infrastructure with Terraform: How we got admin across cloud environments
In this talk we'll demonstrate how to attack Terraform Enterprise and Terraform Cloud to exfiltrate secrets and deploy malicious applications and infrastructure into production cloud environments undetected. Then we'll show you how we worked with HashiCorp to best mitigate it.
Speakers
avatar for Mike Ruth

Mike Ruth

Staff Security Engineer, Brex
Mike is a Staff Security Engineer at Brex, where he helps in securing one of the world’s best Financial Technology platforms. Previously the technical lead for Infrastructure Security at Cruise, Mike has over a decade of experience securing, designing, and deploying cloud infrastructure... Read More →
avatar for Francisco Oca

Francisco Oca

Offensive Security Engineer, Robinhood
Francisco Oca is an Offensive Security Engineer at Robinhood. He has been in infosec for more than a decade, working on security tools development, pentesting, malware analysis, vulnerability research and red teaming. He co-authored Ponce, winner of the 2016 HexRays IDA Pro Plug-In... Read More →

Attacking and Defending Infrastructure with Terraform How we got admin across cloud environments pdf
Sunday June 5, 2022 3:30pm - 4:20pm PDT
Theater 14
  Talk

3:30pm PDT

Ooga Booga - Avoiding Reinvention of the Wheel (Useful Security Tools and Lessons to Know)
Security can be pretty overwhelming, but you don’t have to build anything from scratch! Under resourced security teams often reinvent the wheel when it comes to solving common security problems. Join me as I introduce Marie Kondo-style techniques that should help manage the madness.
Speakers
avatar for Carla Sun

Carla Sun

Security Engineer, Gusto
(She/Her),Local Area Disaster,Former Security Incident Response Lead, and Application Security Engineer.Security Partner on the Product Security Team @ Gusto

Sunday June 5, 2022 3:30pm - 4:20pm PDT
Embarcadero
  Talk

3:30pm PDT

So You Think You Can Secure Your Cloud : Red Team Engagements in GCP
This is a detailed guide for adversary simulations in GCP that covers how to get an initial foothold, persist, escalate privileges, use Google's own products as C2, manipulate firewall rules and compute instances, abuse Key Management Service and Google Cloud Storage to decrypt and exfiltrate data.
Speakers
BR

Brad Richardson

Brad Richardson’s security practitioner career spans 15 years in the areas of vulnerability management, security audit, pentest, and red team. Brad began his technology path in system engineering and quickly became interested in how cyber attackers find cracks in the best laid security... Read More →
MB

Madhav Bhatt

Madhav has completed his Master's degree in Computer Engineering with specialization in Cyber Security. He worked as an intern while in college wearing multiple hats such as systems administrator , network architect, penetration tester as well as worked on research projects to design... Read More →

Sunday June 5, 2022 3:30pm - 4:20pm PDT
Theater 11
  Talk

4:30pm PDT

Biohacker: The Invisible Threat
Security professionals won't allow users into their environment with hacking tools, so how do you address people with implants? People are the attack vector and the tool. The ability to compromise contactless tech threatens physical and digital security. How do you stop a cyber threat from a human?
Speakers
avatar for Len Noe

Len Noe

Technical Evangelist & Whitehat, CyberArk
Len Noe is a White Hat Hacker and Global Enablement Engineer for CyberArk Software. Together with the CyberArk Global Enablement Engineering team, they are responsible for enabling internal staff and the starting point for escalation for all SEs in the field. They are responsible... Read More →

Sunday June 5, 2022 4:30pm - 5:20pm PDT
Embarcadero
  Talk

4:30pm PDT

JavaScript Obfuscation - It’s All About the P-a-c-k-e-r-s
The usage of JavaScript obfuscation techniques have become prevalent in today’s threats, from phishing, Magecart, and supply chain injection to malware droppers. This talk will introduce a technique that focuses on the detection of JavaScript packers in order to detect obfuscated files.
Speakers
avatar for Or Katz

Or Katz

Researcher, Akamai technologies
Or Katz is a security veteran, with years of experience at industry leading vendors, currently serves as principal lead security researcher for Akamai. Katz is a frequent Speaker in security conferences and published numerous articles, blogs and white papers on threat intelligence... Read More →

Sunday June 5, 2022 4:30pm - 5:20pm PDT
Theater 14
  Talk

4:30pm PDT

XSS mitigation: the state of the art
XSS attacks and mitigations are complex. Between CSPv3, Trusted Types, Strict Dynamic, CORP, and CORB, it's a lot to take in. In this talk, we'll cover what you need to know in order to implement efficient XSS defences at every layer.
Speakers
JA

Jean-Baptiste Aviat

Datadog
Jean-Baptiste Aviat is AppSec staff engineer at Datadog, former CTO and co-founder at Sqreen. He spent half a decade hunting security bugs at Apple, helping developers fix them, and developing protections used by millions of devices. He's the host of the appsecbuilders.com podcast... Read More →
avatar for Vladimir de Turckheim

Vladimir de Turckheim

Datadog
Vladimir (he/him) is a software engineer focusing on Application Security at Datadog. He has been working on Node.js security for 5 years and now focuses on Web quality and security at large. Vladimir is in charge of the Node.js bug bounty program.

Sunday June 5, 2022 4:30pm - 5:20pm PDT
Theater 15
  Talk

5:30pm PDT

Closing Ceremony
We will be discussing the logistics and joys of organizing the event. Come hear how it all gets put together and who helps us out!
Speakers
avatar for Reed Loden

Reed Loden

VP of Security, Teleport
Reed Loden is the Vice President of Security at Teleport, a technology company that helps organizations securely access their infrastructure. He is an information security expert, researcher, hacker, and developer. Reed bring over 15+ years of security experience to his role at Teleport... Read More →

Sunday June 5, 2022 5:30pm - 6:30pm PDT
Embarcadero
  Closing Ceremony
 

Twitter Feed

Filter sessions
Apply filters to sessions.
Saturday, June 4
Sunday, June 5
AMC Lounge
AMC Mezzanine
Bar
Coat Check
Embarcadero
Lobby
Participation Hall
TBA
Terrace
Theater 11
Theater 14
Theater 15
  • Closing Ceremony
  • Community Organizations
  • CTF
  • Food & Drink
  • General
  • Keynote
  • Simulcast
  • Talk
  • Village
  • Workshop
  • Popular