Speaker slides & videos
Presentation slides will be made available after the session has concluded and the speaker has given us the files. Check back if you don't see the file you're looking for—it might be available later! (However, please note some speakers choose not to share their presentations.)
Using social logins is a good way to boost security. However, this often makes site owners complacent, skipping security measures they still need to maintain. Ido Safruti and Tomer Cohen explain how attackers have found ways to exploit this and bypass the auth providers’ defenses, attacking some of the world’s largest services, and demonstrate how to protect yourself from such attacks.
Alex Pinto demonstrates how to apply descriptive statistics, graph theory, and nonlinear scoring techniques to the relationships between known network IOCs and log data, and how to use those techniques to help IR teams encode analyst intuition into repeatable data techniques that simplify the triage stage and yield actionable information with minimal human interaction.
Clair is an open source container image security analyzer that enables developers to build services that scan containers for security threats and vulnerabilities. Quentin Machu offers an overview of Clair and explores a real-life example to demonstrate how Clair is able to automatically detect known vulnerabilities in Docker and rkt containers before they get exploited.
Rudder is an open source IT compliance automation tool that focuses on continuously checking configurations to provide a real-time high-level compliance status or break down noncompliance issues to a deep technical level. Jonathan Clarke offers an overview of Rudder and demonstrates how to use it to drill down to any issues that need remediating.
As traffic to websites and web applications increases, infrastructure must be put in place to handle scaling—but with that comes an increased risk for security breaches. James Baker and Mira Thambireddy dive into specific client-side vulnerabilities, discussing design patterns that scale an application securely and which frameworks currently in the market already employ these practices.
Algorithms influence our everyday decision making, but at what point does innovation turn into invasion? Matthew Carroll discusses how regulators and consumers can take back control by inserting legal checks and balances into the data science process.
Katie Moussouris, Founder & CEO, Luta Security
Brian Sletten introduces Google Macaroons, a fine-grained, decentralized authorization mechanism that is web friendly and suitable for cloud and microservices.
Nothing good or bad can happen on the Internet without involving the Domain Name System (DNS), which provides visibility of the global Internet and unparalleled intelligence on cybercriminals and attack methods. Merike Käo discusses the value of DNS to cyber investigations and explores how real-time DNS observations can improve accuracy and response time to cyberattacks.
Current approaches to threat modeling emphasize manual analysis by trained teams, which can result in a bottleneck in the development process, reducing the appeal of performing this activity. Stephen de Vries presents a technique that uses reusable risk patterns to open the door to automated and scalable threat modeling.
Security people are "only members of the public who are paid to give full-time attention to duties which are incumbent on every citizen in the intent of the community welfare," but often the relationship between security and everyone else is fraught. Brendan O'Connor explores how another group charged with protecting everyone handled this problem with humor, kindness, and a commitment to service.
Why do certain devices, programs, or companies lead to utter frustration while others consistently delight us? What can we learn from these insights when dealing with human behavior related to security? Jelle Niemantsverdriet explores user-centered design methods from other disciplines, such as economics, psychology, and marketing, that can help us build security in a truly usable way.
HTTPS is no longer only for sensitive sites; it’s a critical piece of the web user experience and necessary for the long-term health of the Web. Google is methodically hunting and tackling major hurdles for TLS adoption to guide the Web toward HTTPS everywhere. Emily Schechter shares lessons learned on the road to ubiquitous HTTPS, focusing on the benefits of HTTPS.
Bots are a reality, and it’s hard to separate your users and good bots (e.g., search) from the bad ones (brute force, fraud, scrapers, etc.). Ido Safruti and Ariel Sirota review how bots work, explain how to operate a few common bots, and, most importantly, show what you can do to detect and block malicious activity while enabling your users and good bots to work uninterrupted.
Dyn was recently the subject of a major DDoS attack, its first significant disruption in over 15 years of operation. Phil Stanhope shares Dyn's experience before exploring the rapid evolution of multilayer attacks happening on the Internet and outlining the steps to take to deal with them from an ops perspective.