The cybersecurity industry has 5,000+ startups yet many key problems are overlooked for not being "venture scale." This talk explores alternative paths (bootstrapping, Silicon Valley Small Businesses) & talks why niche markets and smaller ideas can drive impactful solutions without unicorn pressure.
“The Four Tribes of Security Champions” is a framework to describe successful security champion programs. The tribes include: The Apprentices, The Fan Club, The Learners, and The Sentinels. We’ll explore a benchmarking tool for each tribe to pick which approach is right for you!
Explore the escalating issues in CVE data: inconsistent reporting, low-quality submissions, and outdated info. Learn why these threaten cybersecurity and what solutions can restore trust in this critical database.
We established Stanford's product security clinic in 2023 to help community organizations secure the software services they offer, diverging from traditional university cybersecurity clinics that focus on corporate security. Here's what we learned from our first two years of operation.
Most people aren’t dragon slayers. There are dragon slayers out there, but they’re not us. EDR isn’t a dragon slayer. Neither is the SOC. That’s okay - when the dragon comes, the goal should be *survival,* not going out in a blaze of glory.
Policymakers worldwide have recently taken up product security, making prominent topics like memory safety. In this talk, hear from former CISA Senior Advisor Jack Cable on lessons learned leading CISA's Secure by Design initiative, and what a shift towards product security means for the industry.
Quantum computing is breaking RSA/ECC, your PKI is at risk !. This session delivers a live demo on quantum-safe PKI upgrades: discover certificate weaknesses, map hybrid replacements, and align with NIST PQC standards. Learn to secure cryptographic resilience for the post-quantum era.
Security’s weakest link comes with ten fingers, ten toes and an uncanny ability to find ways past your thoughtfully implemented controls. Learn well-tested psychology principles that drive positive security outcomes. From social proof to reciprocity, small changes in approach bring outsized results.
The Secure Shell (SSH) is the most commonly exposed dedicated management protocol, second only to HTTP in terms of internet-wide exposure, and it’s had a rocky year. This presentation explores the multitude of SSH implementations, their specific weaknesses and real-world exposures.
This talk explores the discovery of a long-standing CSRF (Cross-Site Request Forgery) vulnerability in the popular gorilla/csrf Go library. The goal is to encourage the audience to perform vulnerability research experiments in their own commonly used tools.
Operational Technology (OT) describes devices that control things in the real world like factories and generators. This talk discusses the security implications of the convergence of IT and OT, with deep dives into OT protocols and device discovery -- even behind legacy protocol gateways.
Condemning “check-box” vendor risk management and security questionnaires is a hot talking point nowadays. This talk will discuss the related but distinct problems in the TPRM space and offer practical, creative solutions to help deliver high-value outcomes via third-party risk management.
The presentation will cover research into pig butchering scams connected to FUNNULL CDN-hosted money laundering, retail phishing campaigns targeting luxury brands, and more. Technical analysis step will be provided and explained in-depth as we cover this threat which we have dubbed “Triad Nexus."
Using cryptography solves certain problems but adds a new challenge: key management. This talk explores how various key types require different management approaches, then walks though an example of securing a long-lived code-signing key in an HSM, with a look at operational burdens and pitfalls.
Privacy-Enhancing Technologies (PETs) are transforming data handling by ensuring privacy and security throughout the data lifecycle. This talk explores the latest advancements in PETs, focusing on Secure Multiparty Computation (MPC), Homomorphic Encryption (HE), and their real-world applications.
Security practitioners are put in tough positions whether you're new to security or an experienced CISO. Based on "Radical Candor", you'll leave this talk with new perspective on the way security teams are perceived by their peers and how to optimize the good and minimize the unavoidable bad.
Learn how Anthropic automates dependency security at scale across diverse infrastructure and environments while still letting engineers use the tools and dependencies they need. We'll explore Dependant, our tool to enforce our dependency posture at the network level, and how users interact with it.
Discover how the Cyberhaven breach case exposed critical Shadow IT risks—and the proactive allowlist strategy that minimized business disruption. The proactive controls saved our 40M+ users from being impacted. Gain insights, metrics, and a blueprint for continuous monitoring
Being the first security leader at a startup is a wild ride. This talk explores "Trust Engineering," a hands-on approach to earn trust, navigate chaos, and build a security foundation with limited resources. Learn how to handle executive expectations and support fast-paced growth.
GRC teams can be more than just gridlock, red tape, and checklists. By prioritizing a risk-first approach, leveraging both quantitative and qualitative methodologies, and adopting principles-based compliance, GRC becomes a proactive force that empowers organizations to effectively combat security.
In this talk, I’ll discuss hiring trends for Security Engineers and Leaders in 2024, covering metrics like time to hire, interview rounds, formats, and rejection trends. Data comes from 30+ placements at 10+ tech startups, mainly in SF, offering insights into the cybersecurity hiring landscape.
Attackers making money from MY 2FA? It's more likely than you think! SMS is a common 2FA method but creates risk: International Revenue Share Fraud, inflating SMS traffic to siphon revenue. Attendees will learn how to detect and mitigate IRSF with Cloudflare, OpenAI, and Datadog.
