Saturday, November 4th, 2023

Sunday, November 5th, 2023

As a recent founder who has spent a lot of the last year helping other founders with their security, I've come to realise that there is a lot of mystery and basic knowledge gap when it comes to keeping your product and infrastructure secure that the average technical founder or small team simply doesn't have a grasp on. In this talk I'll dive into many of the security issues SaaS and tech enabled companies tend to encounter as well as how to prevent and detect them without spending $$$$$. From the OWASP top 10, SAST tooling, compliance frameworks, and even building out a VDP and shutting down "beg" bounty hunters, I'll walk through a check list of everything a company can do to increase their security posture without dramatically increasing spend.

Bio: "GlitchWitch is a highly skilled and passionate hacker with a deep technical background. With a demonstrated passion for fortifying the digital realm, they are constantly pushing the boundaries to improve web security and develop cutting-edge security automation solutions. GlitchWitch currently works as the Founder & Principal Security Consultant of GlitchSecure, a Winnipeg based cybersecurity company developing continuous security testing software."

Slides

Is it secure? I'm asked this on a daily basis and I believe I might have a pragmatic answer. This submission introduces a refined approach to enhance security, quality, and consistency in solution delivery through Test-Driven Architecture (TDA). The core challenge addressed is the prevalence of inconsistent and frequently overlooked security requirements, resulting in vulnerabilities, compliance issues, and business risks. Our solution centers around the systematic codification of security requirements within a publicly accessible repository, bolstered by an automated framework that seamlessly integrates with existing tools. The outcomes are clear: consistent inclusion of security requirements, proactive risk mitigation, expedited delivery, sustained visibility, and cost reduction. The overarching vision extends beyond security alone. It envisions a world where all requirements, not just security, are captured in structured and testable formats. This framework can be universally applied, improving solutions across industries and domains. TDA, the proposed methodology, is the linchpin that defines solutions through tangible, testable requirements. This submission delineates the essential building blocks of this transformative approach. Gherkin, a versatile language for documenting requirements, forms the foundation. Low-code tools cater to non-technical users, simplifying the process of requirement collection and management. Converters that transition Gherkin to Policy as Code (PaC) bridge the gap between requirements and implementation, while orchestration through CI/CD hooks ensures seamless integration into existing workflows. In conclusion, TDA emerges as a potent methodology, capable of elevating solution quality, consistency, and security to unprecedented levels. I call upon the community to validate the approach. If it is sound, let us join forces in codifying security requirements and crafting the essential framework and tools. Collaboration is the key to realizing this transformative vision. Let us embark on this journey towards a secure, efficient, and harmonized future of solutions delivery.

Bio: "With significant experience in cloud and on-premise solutions, Ole excels in blending waterfall and agile delivery. As an Enterprise Security Architecture leader for almost a decade, he navigated modern and traditional team dynamics, fostering a holistic approach to development. Ole's unique strength lies in bridging technical concepts and business needs. He seamlessly interacts with executives and engineering teams, ensuring mutual understanding."

Slides

SSO is everywhere, but how does it work? As a defender, what parts do you need to be worried about? This talk will cover CAS protocol, SAML 2, and potentially OIDC. We will learn what front channel and back channel communication is. We will see how this works in a multilateral federation.

Bio: "Richard is a software engineer that primarily focuses on IAM (Identity and Access Management). He is involved with InCommon, a US based organization focusing on federation and IAM in higher education."

Slides

Evading modern AV & EDR can seem daunting and near impossible to the uninitiated. If the idea of trying to get a payload past these defences seems unattainable or too 'l337', this talk is for you! I'll cover basic concepts and tools you can use to start evading detection and get payloads running.

Bio: "Mike Saunders (@hardwaterhacker) is Red Siege Information Security's Principal Consultant and lead Red Team Operator."

Slides

Deploying LoRaWAN and cellular devices in remote location to service agricultural clients has some unexpected challenges. From high delay/unreliable carriers to extremes in temperatures and power to retrofitting legacy industrial equipment, there are some unique deployment and management challenges. Come along with me as I share problems and some solutions in the world of IoT in the world of Big Ag.

Bio: "Network Nerd"

Slides

Mark is fresh off his first dive into Ansible, the popular system automation tool. His first reaction to the technology was to imagine the security dangers of an overly powerful Ansible controller. Mark will share some of his first experience mitigating risk while also bringing the technological benefits into his workplace.

Bio: "Mark is 17 years into his career as a an 'opdev', a system operator who knows how to program. As a long time member of Skullspace, he founded the hacker space festival Hax, with inspiration taken from The Long Con. Mark is also an organizer of casual chess meetups, you may find him sitting with a chess board ready to take a break from conference watching."

Slides

Endpoints are still a thing even though everyone has their heads in the clouds. There are many ways to deploy Sysmon to endpoints and get the logs that matter to enrich a story even when the EDR's fails. We will walk through an easy way to deploy and manage a Sysmon stack which uses Mitre as detections.

Bio: "In IT for 20+ years, Cyber for the last 5 or 6, I do threat detection engineering!"

Slides

Badgelife culture involves making custom badges for various events and conferences. Though not always, these badges are often electronic. Many creators may have ideas, but have never made a custom PCB or custom electronic device. This talk is intended to take those who may have played with an Arduino and help them understand the process -- and difficulties -- in turning their idea into a functional badge, along with caveats and suggestions for their first attempt. Even if you've never built anything electronic, it's my hope you'll understand what's involved, and maybe be inspired to go forth and build something yourself. I'll cover refining your idea for badgelife, realistic projects for a first try, and setting up a timeline. Then I'll discuss the steps -- schematic capture, PCB layout, PCB manufacture, PCB assembly (both paid and DIY), and firmware options.

Bio: "David is a senior engineer and tech lead of the internal Red Team at Google. When not breaking things, he enjoys making electronics and teaching others about security and electronics. He has spoken at DEF CON, BSidesLV, BSidesSF, and other events."

Slides

How do Red Teams continually improve the effectiveness of Blue teams? Watch this talk to find out! This talk deep dives into how Red and Blue teams help improve each other through doing Offensive Security exercises. We cover the full life cycle from what an offensive security exercise is, how we plan, execute and measure them. This talk is targeted at giving all everyone a behind the scenes look at how incident response and offensive teams operate. Note: This presentation was not recorded.

Bio: "William has been in the Information Security field for 10 years. William worked as an Information Security Specialist at MTS conducting penetration testing, vulnerability management and risk assessments. He then moved to Great-West Life to specialize in penetration testing and red teaming. Most recently he started as a Security Engineer on Amazon's Red Team out of Seattle, WA. William has a Bachelor of Computer Science from the University of Manitoba and has obtained his Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE) certifications."

When it comes to meaningful improvements to your security posture, there is nothing that gives you better value for your money than a comprehensive log collection and aggregation deployment. In this talk, Travis will persuade you of the value of a formal logging program, compare and contrast this to a SIEM, and talk about how you can get going with logging today.

Bio: "Autopilot Software. InfoSec in Education. AWS Infrastructure. Is there anything Travis can't do? Whistle. And swim. But that's it."

Slides

Security by obscurity doesn't work, so why are so many people terrified about talking about their security programs without an NDA? Security measures, when well implemented, should be able to withstand someone learning about them. Let's talk openly about our security, we can all benefit from it!

Bio: "Jack of all trades, master of absolutely nothing. Security, privacy, and open source geek. Attempting to make security products and platforms less crappy one day at a time. "

Slides

There are two types of multitasking - I'll let you guess what they are - but when we invented those, we started down a path that inexorably led us to the worst possible outcome. And then after that, Kubernetes. This talk discusses how we got here, why we should have made a left, not a right, maybe, back at that old house with angry badgers in it, and why Kubernetes is what it is, isn't what it isn't, and where we might end up next.

Bio: "Ask Mike about math, AWS, photography, science, space, or dad jokes, and you'll found someone who will to talk for a lot longer than is socially acceptable, or respectful. He's got no formal training in his day job, and pretends, at length, to be good at it. Ask him about math.... I dare you."

Slides

We're going to look at popular smart bulbs and plugs, how to reverse-engineer them and repurpose those devices into low-cost computers for our internet of things projects. We'll also have some fun abusing that hardware and cover all the things it shouldn't do - but can do.

Bio: "William has been a tech enthusiast his entire life and worked with computers and radio communications since the 90s. Along that journey he became interested in building low cost network-connected projects which lead to skills in what is now known as the Internet of Things."

Pledge is a system call that empowers a program to limit itself. Originally coming out of OpenBSD, this concept is seeing increased usage and has been ported to Linux. If a process breaks a pledge that it has made it is terminated. This allows programmers to increase security, and heavily mitigates supply chain attacks. It can also be used in a wrapper, effectively guarding against malicious actions. This is an introductory talk and will go over basic usage.

Bio: "Rob lives on a forested property outside of Winnipeg MB with his wife and many musical instruments. He has a background in computer science, and dabbles in almost everything from chemistry to metalworking. He runs a R&D company (Reconfigurable Computing) and works at the Internet Archive."

Slides