Information stealer malware is underestimated by our industry. In this deep-dive, we look into what is captured by them (desktop screenshots, password vaults, browser extensions, MFA bypass material, etc.), cover the RedLine takedown, and offer defensive countermeasures including code and samples.
Learn to build your own treasure map of how attackers might move laterally through your company’s assets. We’ll provide a conceptual engineering framework for attack path analysis, recommend no- or low-cost tools, share examples, and release an open-source attack graph ontology to learn from.
What does it take to secure 3 billion users on the world’s leading mobile platform? This session dives into Android security from a holistic perspective.
While seemingly local, services running on localhost are accessible to the browser using a flaw we found, exposing the ports on the localhost network interface, and leaving the floodgates ajar to remote network attacks. This session will dive into the 0.0.0.0 exploit research conducted by the team.
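The abstract above describes a service listening on the loopback interface being reached from a web page through the 0.0.0.0 address. Added here as an example (not code from the talk or from the research it describes) is the server-side gate a practitioner would want regardless of the browser-side fix: the local service refuses any request whose Host header is not an explicit loopback name, whose Origin is outside an allowlist, or which the browser itself labels cross-site via Sec-Fetch-Site. The function names and the request-header dict layout are this example's own assumptions.

```python
# Added example, not code from the talk or from the 0.0.0.0 research it describes.
# A browser will send a request from attacker.example to http://0.0.0.0:<port>
# and the kernel delivers it to loopback. Checking Host, Origin and
# Sec-Fetch-Site on the service itself closes that route no matter how the
# browser behaves. Helper names below are this example's own.
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def _header(headers, name):
    """Case-insensitive lookup in a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def host_is_loopback(host_header):
    """True only if Host names loopback explicitly. 0.0.0.0 is not on the
    allowlist, so a request a browser routed there is refused, as is any
    DNS-rebound hostname that resolves to 127.0.0.1."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):              # bracketed IPv6 literal, e.g. [::1]:8080
        end = host.find("]")
        if end == -1:
            return False
        host = host[: end + 1]
    else:                                  # 127.0.0.1:8080, localhost:8080
        host = host.split(":", 1)[0]
    return host in LOOPBACK_HOSTS


def origin_is_allowed(origin_header, allowed_origins):
    """Origin is not present on every cross-site request (a plain GET issued via
    an <img> tag carries none) and is absent for curl or a local CLI, so absence
    is accepted here and the Host check is relied on to catch the 0.0.0.0 route.
    An opaque 'null' origin and any origin outside the allowlist are refused."""
    if origin_header is None:
        return True
    if origin_header.strip().lower() == "null":
        return False
    parts = urlsplit(origin_header)
    return f"{parts.scheme}://{parts.netloc}".lower() in allowed_origins


def should_serve(headers, allowed_origins=frozenset()):
    """Combined gate for one request, given its headers as a dict."""
    # Fetch metadata: modern browsers label cross-site requests themselves.
    if (_header(headers, "Sec-Fetch-Site") or "").lower() == "cross-site":
        return False
    if not host_is_loopback(_header(headers, "Host")):
        return False
    return origin_is_allowed(_header(headers, "Origin"), allowed_origins)


if __name__ == "__main__":
    # Constructed headers resembling what a hostile page makes a browser send.
    attack = {"Host": "0.0.0.0:8080", "Origin": "https://attacker.example",
              "Sec-Fetch-Site": "cross-site"}
    local = {"Host": "127.0.0.1:8080"}
    print("attack served:", should_serve(attack))   # False
    print("local served:", should_serve(local))     # True
```

The Host check is the one that matters for this class of bug: binding to 127.0.0.1 alone does not help, because the browser's request still arrives on loopback with `Host: 0.0.0.0:8080`. The Origin and Sec-Fetch-Site checks are additional layers for the cases where Host is legitimately loopback but the page driving the request is not.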
Discover how Yelp's Infrastructure Security team transformed past challenges and failures into success by shifting authentication and authorization from the infrastructure to the application layer. Learn how this pragmatic approach met all security requirements applicable to Yelp's threat model.
From p0f to MuonFP and JA4+, learn how network fingerprinting evolved. See how each step helps security teams spot malicious traffic, detect scanners, and more. Attendees gain real-world use cases and practical tips to deploy fingerprinting for monitoring and threat hunting.
Shift-left sounds great—catch issues early, save time, empower devs—but too often it backfires, creating noise and chaos. Learn from real-world fails, laugh at sh*t-left stories, and discover practical strategies to make shift-left work. Let’s fix AppSec, one bug at a time.
Ever wonder how your data is really handled in the cloud? Confidential Computing gives you an answer by isolating your data and cryptographically proving what code was run. This talk dives into the hardware and software behind Confidential Computing, and how to ship it in real-world cases.
This talk explores the discovery of a long-standing CSRF (Cross-Site Request Forgery) vulnerability in the popular gorilla/csrf Go library. The goal is to encourage the audience to perform vulnerability research experiments in their own commonly used tools.
Using cryptography solves certain problems but adds a new challenge: key management. This talk explores how various key types require different management approaches, then walks through an example of securing a long-lived code-signing key in an HSM, with a look at operational burdens and pitfalls.
Discover how the Cyberhaven breach case exposed critical Shadow IT risks—and the proactive allowlist strategy that minimized business disruption. The proactive controls saved our 40M+ users from being impacted. Gain insights, metrics, and a blueprint for continuous monitoring.
Attackers making money from MY 2FA? It's more likely than you think! SMS is a common 2FA method but creates risk: International Revenue Share Fraud, inflating SMS traffic to siphon revenue. Attendees will learn how to detect and mitigate IRSF with Cloudflare, OpenAI, and Datadog.
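The abstract above names the failure mode (attackers inflating SMS OTP traffic to numbers whose termination revenue they share) but not a detection method. Added here as an example, and not the talk's Cloudflare, OpenAI or Datadog pipeline, is a standalone heuristic a practitioner can run over an OTP send log: count distinct destination numbers per number-range prefix inside a sliding window, and note whether the numbers are sequential. The log lines, the field layout (timestamp, ip, to, result) and all function names are constructed for this example.

```python
# Added example, not code from the talk: a detector for SMS-pumping bursts over
# an OTP send log. The log lines and their field layout are constructed here.
from datetime import datetime, timedelta

OTP_LOG = """\
2024-05-01T10:00:00Z ip=203.0.113.7  to=+14155550100 result=sent
2024-05-01T10:00:05Z ip=203.0.113.7  to=+22990123451 result=sent
2024-05-01T10:00:09Z ip=203.0.113.8  to=+22990123452 result=sent
2024-05-01T10:00:14Z ip=203.0.113.7  to=+22990123453 result=sent
2024-05-01T10:00:20Z ip=198.51.100.2 to=+22990123454 result=sent
2024-05-01T10:00:27Z ip=203.0.113.8  to=+22990123455 result=sent
2024-05-01T10:00:31Z ip=198.51.100.2 to=+22990123456 result=sent
2024-05-01T10:03:00Z ip=192.0.2.44   to=+447700900123 result=sent
2024-05-01T10:40:00Z ip=192.0.2.45   to=+14155550101 result=sent
"""


def parse_log(text):
    """Return a list of (timestamp, ip, e164_number) for each 'result=sent' line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("result") != "sent":
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, kv["ip"], kv["to"]))
    return events


def detect_pumping(text, window=timedelta(minutes=5), threshold=5, prefix_digits=7):
    """Flag number prefixes that receive OTPs to at least `threshold` distinct
    numbers inside one sliding window. IRSF traffic fans out across a block of
    numbers belonging to one range, so the destination prefix, not the client
    IP, is the unit to watch: requesting IPs rotate, the destination range
    does not. A sequential run of numbers is reported as a second signal."""
    by_prefix = {}
    for ts, _ip, number in parse_log(text):
        digits = number.lstrip("+")
        by_prefix.setdefault(digits[:prefix_digits], []).append((ts, digits))
    alerts = {}
    for prefix, hits in by_prefix.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):
            in_window = {d for ts, d in hits[i:] if ts - start <= window}
            best = max(best, len(in_window))
        if best < threshold:
            continue
        numbers = sorted({int(d) for _, d in hits})
        sequential = len(numbers) > 1 and all(
            b - a <= 10 for a, b in zip(numbers, numbers[1:]))
        alerts[prefix] = {"distinct_numbers": best, "sequential": sequential}
    return alerts


if __name__ == "__main__":
    for prefix, info in detect_pumping(OTP_LOG).items():
        print(f"prefix {prefix}: {info['distinct_numbers']} numbers in window, "
              f"sequential={info['sequential']}")
```

On the constructed log the only alert is the block of six consecutive numbers under one prefix sent within about thirty seconds from three different IPs; the benign US and UK sends stay below threshold. The natural mitigation hooked to this signal is a per-prefix send limit (or a temporary block on the prefix) rather than a per-IP one, since the IPs in the burst are already spread out.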