How to Slay a Dragon

In this talk, Adrienne describes three ways to tackle fundamentally hard problems, using challenges the Chrome security team has faced as illustrative examples.

How to Start a Cyber War: Lessons from Brussels-EU Cyber Warfare Exercises

Chris describes her experiences running a workshop in Brussels with diplomats from various EU countries in which they collectively worked through a number of cyberwarfare-type scenarios.

Inducing Amnesia in Browsers: the Clear Site Data Header

The new Clear-Site-Data HTTP header allows a website to tell a user’s browser to clear various browsing data (cookies, storage, cache, executionContexts) associated with the website.

It depends…

Kristen and Tania describe what a PSIRT team is, Dell’s PSIRT team’s workflow, common challenges, and how PSIRT teams can work earlier in the SDLC with development teams to develop more secure applications.

Leveraging Users’ Engagement to Improve Account Security

Amine describes how Pinterest protects users who have had their credentials leaked in third-party breaches using a combination of programmatic and user-driven actions. He refers to these users as “high risk users” (HRU).

Node.js and NPM Ecosystem: What are the Security Stakes?

Talk structure: some history and background about NodeJS, overview of several vulnerability classes, attacks on the NPM ecosystem, and best practice security recommendations.

Offensive Threat Models Against the Supply Chain

In this talk, Tony discusses the economic and geopolitical impacts of supply chain attacks, a walkthrough of supply chain threat modeling from a manufacturer’s perspective, and tips and best practices in threat modeling your supply chain.

Preventing Mobile App and API Abuse

An overview of the mobile and API security cat and mouse game (securely storing secrets, TLS, cert pinning, bypassing protections via decompiling apps and hooking key functionality, OAuth2, etc.), described through an example back and forth between a package delivery service company and an attacker-run website trying to exploit it.

Securing Third Party Applications at Scale

This talk describes each step of a methodology to secure third-party apps in general, and then how they do it at Salesforce. A nice combination of both principles and implementation.

Slack App Security: Securing your Workspaces from a Bot Uprising

Kelly and Nikki discuss the fundamental challenges in securing Slack apps and the App Directory, the steps Slack is taking now, and what Slack is planning to do in the future.

Startup Security: Starting a Security Program at a Startup

The Call is Coming From Inside the House: Lessons in Securing Internal Apps