BSidesSF 2020

How To Write Like It's Your Job

Hackers thought they could avoid formal essays, but SURPRISE! They still have to write about exploits. And writing is hard. But it's ok, I'm here to help with practical advice for security writers - how to start and finish, tools to consider, and ...

Brianne Hughes

How The Coasts Approach Information Security Differently

How Wall Street and Silicon Valley fundamentally differ in their approaches to information security, and what one can learn from the other...this talk will be useful to the assessor/auditor, the advisor, the operator and anyone generally intereste...

Sourya Biswas

How to 10X Your Company’s Security (Without a Series D)

I’ll summarize and distill the insights, unique tips and tricks, and actionable lessons learned from a vast number of DevSecOps/modern AppSec talks and blog posts, saving attendees 100s of hours. I’ll show where we’ve been, where we’re going, and ...

Clint Gibler

Phishy Little Liars - Pretexts That Kill

The 'IT Guy' is the Nigerian Prince of Pretexts. As bad actors begin to use more specialized pretexts, so too should Pentesters use more specialized, custom pretexts during assessments. Learn to make custom pretexts that fly under the radar and wo...

Alethe Denis

Transform Your Presentation Skills

Are you conference ready? Do you want to give a presentation that everyone is talking about? Then check out Transform your Presentation Skills for unique tips and tricks that will result in compelling content and improved confidence. Bay Area pres...

Hilary Spreiter, Anne Ricketts

What Should and Shouldn’t Scare You: Kubernetes and Containers

Kubernetes and containers change a lot of how apps are built, deployed, and secured… or do they? Let’s cut through the hype and see what’s same-old-same-old versus actually new, then talk about the chance we’ve got to do security better together. ...

Connor Gilbert

Panel: Let's Get 360 With Bug Bounty!

From bug bounty hunters, to the platform triagers, to the companies that fix the vulnerability: we have much to understand and learn from each other. We will talk about the bug bounty lifecycle from multiple perspectives and discuss how to improve...

Jeff Boothby, Chloé Messdaghi, Tanner Emek, Maria Mora, Ben Sadeghipour

Hanging on the Telephone: Hacking VoIP

Sarah details some of the ways that VoIP systems can be hacked and used for nefarious purposes.

Sarah Young

Day One Opening Remarks

Reed Loden

Serverless Osquery Backend and Big Data Exploration

osquery is an open-source community driven endpoint for intrusion detection. Deploying at scale requires endpoint management, data transport and additional considerations. We'll deploy a serverless osquery backend, discuss the challenges at scale ...

Geller Bedoya

Peeling the Web Application Security Onion

Bruce Schneier said security is a process, not a destination. This talk focuses on web app security aspects in the browser, CDN or API Gateway, Static Content Servers, and Dynamic Web Services. It shows how you can better mitigate risks in the mul...

Noam Lorberbaum, Keith Mashinter

Adventures in Vendor Security and Continuous Review

The advent of cloud services has created a new paradigm in vendor security. Typically, companies send a questionnaire to review cloud providers, however, it's point in time. The attendees will learn about methods of identifying security posture of...

Lokesh Pidawekar

The GCP Metadata API

Some folks know about the AWS metadata API and its security implications. Here I'll talk about the GCP metadata API and its security implications. GCP has extra protections, but a lot more at stake. I'll cover ways to attack and defend the GCP met...

Dylan Ayrey, Allison Donovan

Ask the EFF

This session will include updates on current EFF issues such as surveillance online, encryption (and backdoors), compelled decryption, consumer privacy, free speech, and right to repair. The panel will also include a discussion on some exciting ne...

Jamie Williams, Kurt Opsahl, Hayley Tsukayama, Alexis Hancock

Keynote: What's New or Not in 2020: Are we Making Progress?

It's the end of the decade and time to look back on which parts of the mission of Information Security professionals have progressed and which are still just treading water. As we come together for the first BSidesSF of a new decade, have security...

Larkin Ryder

Creating Threat Intelligence Signals in a “Zero Trust” Environment

As network architecture changed over the years, threat intelligence in a “Zero Trust” environment should be re-shaped into a dynamic signal-based indicator of threats that are associated with organization entities and empowered by a variety of dat...

Or Katz

Visualizing Security

Data analysis and visualization skills are becoming a critical part of the security domain. To learn what makes for good analysis and visualizations, this talk will share and explore real-world security analyses and visualizations (and animations)...

Jay Jacobs

How to Kill an AWS Access Key

AWS Access Keys are great for attackers; powerful and sitting in plaintext. The Security Token Service enables short-lived credentials, but the path to getting that to work for humans isn't simple. Assuming zero level of expertise, we'll cover how...

Benjamin Hering

A Look at Jython-Enhanced Reverse Engineering with Ghidra

Tired of long days spent reversing obfuscated binaries that want nothing more than to make your life miserable? Then look no further! Using real-world malware as a case study, I'll show how to use Jython and Ghidra's powerful scripting API to make...

Byron Roosa

Keynote: Dumping Traditional Security Teams

It’s common to hear of security teams that feel overwhelmed. They have too many alerts, too many design reviews, too many approvals, too many everything! What if I told you we can reduce risks and scale security by reducing what security teams do?...

Fredrick Lee

Securing Coinbase’s Edge Payments Infrastructure

Coinbase works with payment processors across the globe. We have seen a lot of insecure APIs. Interested in seeing what problems are in these payment networks that move billions of dollars daily and how Coinbase remediates these issues using commo...

Nishil Shah

MOSE: Using Configuration Management for Evil

Ever land on a configuration management server and not know what to do? Want to take over machines en masse with a single command? Enter Master Of SErvers (MOSE), a post-ex tool that allows you to leverage CM servers to compromise all associated a...

Jayson Grace

Leveraging Osquery for DFIR at Scale

Security Breaches are happening every other week - understanding the anatomy of an attack is a daunting task that Incident Responders face. Attackers will leave behind breadcrumbs. Forensics tools can be time & resource intensive. Can we explore a...

Sohini Mukherjee

Mapping the Connections Inside Russia’s APT Ecosystem

This talk will detail the stages involved in the research study of the analysis of the Russian APT ecosystem. It will present two open-source tools which can be used by the infosec community to further investigate Russian-related cyber attacks.

Ari Eitan

Graph Based Detection and Response with Grapl

Grapl is a Detection and Response Platform that centers around graph analytics services. By leveraging Graphs and Python Grapl makes it easier to build more powerful, behavior-oriented attack signatures and explore suspicious behaviors in your env...

Colin O'Brien

San-Serif Rules Everything Around Me

Lowercase L and uppercase i look exactly the same when used in Sans-Serif fonts. Apple iMessage, Gmail, Facebook, and Twitter all display urls in mixed case San-Serif fonts. This opens up the potential for very simple and highly effective phishing...

Travis Knapp-Prasek

Managing the Assets of Your Security Career

Security folks often struggle with quality feedback and influence during promotion. In this session I provide tooling and strategies for “asset management” of stakeholders that will improve the growth of influence, increase visibility in an organi...

Chris John Riley, Kyle Tobener

Real Time Vulnerability Alerting

Harness public data and apply data analytics principles from US Tsunami Warning Center to cut through the noise and get real-time time alerts only for highly seismic vulnerabilities. Make vulnerability fatigue a thing of the past.

Amol Sarwate

Purple is the New Black: Modern Approaches to Application Security

This talk will explore how to combine defence, offence, automation, empathy and continuous learning in a MODERN approach to application security. All new types of applications will be covered as well as their corresponding security best practices.

Tanya Janca

Developing a Baseline Security Standard for Endpoint Devices

As part of implementing a Zero Trust Network, we sought to ensure that endpoint devices met a baseline security capability standard. The goal was to document the OS security capability posture, and map those functionalities to the baseline to dete...

Claire Moynahan

From Cockroaches to Marble Floors

Eliminating the false distinction between security bugs and other software defects can greatly reduce the risk of security breaches, improve product quality and align builders around the same goals. We'll present practical tools & methodologies th...

Daniel Tobin, Paul Karayan

k-rail: A Tool to Manage K8s Securely at Speed

Kubernetes is powerful, but often insecurely configured. During this talk, we’ll roleplay offensive and defensive scenarios we’ve learned in our journey of running Kubernetes at Cruise and share the tool we’ve created to mitigate them.

Dustin Decker

The Voight-Kampff Test for Discovering Vulnerabilities

Among the thousands of vulnerabilities you find, how can you tell which were found through automated scanners and which required human expertise? We'll build a Voight-Kampff test to filter between human-found and machine-found vulns.

Vanessa Sauter

Secure by Design: Usable Security Tooling

How do you build effective security products? Are people actually using your tools? Spending time on usability for security products is a smart investment with high payoffs. In this talk we’ll discuss how prioritizing usability allows us to build ...

Hon Kwok

Dispatch: Crisis Management Automation

We built Dispatch to automate our entire crisis management lifecycle, from initial report, to resource creation, participant assembly, task tracking and post-incident reviews. We want you to use it someday too, so we'll explain how it helps us, an...

Forest Monsen, Marc Vilanova

Mistakes Made Integrating Security Scanning into CI/CD

It was 8AM, Slack showed 124 new unread messages and climbing. Our security scanner had broken every build pipeline. Do you want to know why? Are you curious to know the steps we took to bounce back? Do you want to learn from our mistakes?

Moses Schwartz, Atul Gaikwad

Fantastic AWS Attacks and Where to Find Them

Building better detections on our Cloud infrastructures and knowing our enemies is a necessity for survival. I want to help the community by sharing our work on AWS and by utilizing ATT&CK framework start building and operationalizing detections a...

Georgios Kapoglis

Sharks in the Water: Open Source Component Risk and Mitigation

Navigating the Open Source Component (OSC) Supply Chain can be murky and unforgiving. Gain an understanding around how recent hacks could have been prevented by proper management of OSCs through education, awareness, and automated tooling.

Aaron Brown

How Software Transparency Can Help Save the World

“Am I affected by this new vuln?” This is a question very few orgs that make or use software can answer today, since we lack visibility into the software supply chain and the full set of dependencies. Learn how a “software bill of materials” or SB...

Allan Friedman

Checking Your --privileged Container

Sam Stewart, Maya Kaczorowski

Security Learns to Sprint: DevSecOps

This talk will explain what security teams needs to adjust in order to turn DevOps into DevSecOps within their organizations. Several strategies are presented for weaving security into each of the "Three Ways", with clear steps audience members ca...

Tanya Janca

Panel: Mental Health for Hackers

Pressures and stress affect both professional and personal lives within infosec. This panel will introduce mental health for hackers, and discuss issues including burnout, depression, anxiety and other topics. The conversation will help build a su...

Chloé Messdaghi, Ryan Louie, Susan Peediyakkal

Bootstrapping Security

Bank of America has publicly shared that they spend over $400M per year on cybersecurity and that cybersecurity is the only department without budget constraints. Unfortunately, most of us have budgets many orders of magnitude smaller than that. S...

Rob Shaw, Jared Casner

Closing Ceremony

We will be discussing the logistics and joys of organizing the event. Come hear how it all gets put together and who helps us out!

Reed Loden

Privacy Nightmares while Using ML/AI

Everyone is excited with using ML And AI in applications but what about privacy while mining personal data within applications? See privacy nightmares can happen without due care. We aim to address issue by introducing a framework that blends ML a...

Yogesh Karpate, Sameer Ahirrao

RIS-ky Business: Exploiting Medical Information Systems

The security of medical devices has been a hot topic in the news the past few years. This presentation gives an overview of medical specific protocols, the architecture of a medical information system, and how an attacker can leverage these to cha...

Jacob Brackett

CISO Vendor Relationship Podcast

Join David Spark, Mike Johnson, and guest Olivia Rose for 45 minutes of the most fun you’ll have at BsidesSF 2020. The CISO/Security Vendor Relationship Podcast is couples therapy for security practitioners and vendors. We’ll debate hotly conteste...

Mike Johnson, Olivia Rose, David Spark

An Effective Approach to Software Obfuscation

Understanding the essential aspects that make up obfuscation allows us to see the fundamental flaw with modern obfuscation implementations and the right way to approach it. We use examples of modern obfuscation techniques to illustrate our points ...

Yu-Jye Tung

Day Two Opening Remarks

Reed Loden

Non-Political Security Learnings from the Mueller Report

The Mueller Report had a trove of forensics evidence around how the DNC & DCCC were compromised. By reading the Report through a critical security lens we can gather a trove of learnings around how access was gained, how their networks were traver...

Arkadiy Tetelman

Lessons from DevSecOps Trenches

A frank discussion with security team leads at several forward-thinking companies on how they’ve built and scaled their security programs. What worked, what failed, and more. No topics are off-limits, no holds will be barred, and chanting will be ...

Astha Singhal, Doug DePerry, Zane Lackey, Justine Osborne, Clint Gibler

When GDPR and CCPA strike

Data protection obligations can be an ally to the security team instead of a burden. Having a good understanding of them helps inform security risk modeling and prioritization, secure buy-in when setting the agenda of a security program, and reduc...

Rafae Bhatti

Break Crypto like a Pro!

Cryptography is hard. Doing it right is even harder, and Murphy’s law continues to prove true: “If there is a wrong way to do something, then someone will do it.” Come learn how to exploit common crypto mistakes in theory and in practice!

Alexei Kojenov

Security, Politics, Neutrality, and Protecting Users

Tech's alleged "neutrality" causes security problems for our users--ranging from misinformation and propaganda to harassment and worse. Is neutrality required, or desirable? Should tech itself (as Microsoft once suggested) be sovereign? What happe...

Brendan O'Connor

2FA in 2020 and Beyond

This talk will explore the modern landscape of 2FA. With a data driven analysis of the tradeoffs between different types of factors, we'll dive into a detailed comparison of cryptographic security strength and UX for methods like SMS, Soft Tokens,...

Kelley Robinson

Chrome Extension Risks and You

An often overlooked risk in Google Chrome are the thousands of unique Chrome extensions installed by your users. We will cover examples of risky and malicious (sometimes popular) extensions and share how Lyft strategically reduced risk at scale wi...

Chris Barcellos, Abhi Kafle

So You’re the First Security Hire

You're the first security hire at a company, where do you start? How do you keep the company from getting hacked without getting in the way? How do you integrate security into the culture of the business? I'll cover the critical areas to focus on,...

Bryan Zimmer

If You’re Not Using SSH Certificates You’re Doing SSH Wrong

Lightning Talk - Based on a popular blog post of the same name (over 50,000 unique views in the first 30 days) this lightning talk challenges the listener to reconsider using keys for SSH access, and instead use SSH Certificates. https://smallstep...

Mike Malone