Will describes a process he developed at Netflix to detect compromised AWS instance credentials (the temporary STS credentials that EC2 instance roles receive) being used outside the environment in which they were issued. And it doesn't even use ML!
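The core check this kind of detection rests on is simple: a credential minted for an EC2 instance should only ever show up in CloudTrail from an IP address that the account actually owns. The script below is an added example written for this summary, not Netflix's code or Will's tooling, and it runs over a handful of constructed CloudTrail-style events. The account address space (`ACCOUNT_ADDRESS_SPACE`), the event payloads and the access key IDs are all made up for illustration; a real deployment would build that address space from the EC2 API (instance IPs, Elastic IPs, NAT gateways) and keep it current, and would need extra handling for calls that AWS services make on an instance's behalf, which CloudTrail records with a service hostname rather than an IP.

```python
import ipaddress

# Constructed assumption: the IP space this AWS account owns. In practice this is
# inventoried continuously from EC2 (instance public IPs, EIPs, NAT gateway IPs).
ACCOUNT_ADDRESS_SPACE = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Constructed CloudTrail-style events, trimmed to the fields this check uses.
SAMPLE_EVENTS = [
    {   # instance role credential used from an IP the account owns: fine
        "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001",
                         "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123def456"}},
    {   # same kind of credential used from outside the account: alert
        "eventName": "GetObject", "sourceIPAddress": "198.51.100.77",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002",
                         "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123def456"}},
    {   # AWS service calling on the instance's behalf: source is a hostname, skip
        "eventName": "DescribeInstances", "sourceIPAddress": "ec2.amazonaws.com",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000003",
                         "arn": "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123def456"}},
    {   # long-term IAM user key from outside: out of scope for this detector
        "eventName": "ListUsers", "sourceIPAddress": "198.51.100.5",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000004",
                         "arn": "arn:aws:iam::111122223333:user/alice"}},
]


def is_instance_role_session(event):
    """True if the call was made with temporary credentials of an EC2 instance role.

    EC2 instance-profile sessions carry an ASIA... key and use the instance ID
    as the role session name, which is the last path segment of the STS ARN.
    """
    ui = event.get("userIdentity", {})
    if ui.get("type") != "AssumedRole":
        return False
    if not ui.get("accessKeyId", "").startswith("ASIA"):
        return False
    session_name = ui.get("arn", "").rsplit("/", 1)[-1]
    return session_name.startswith("i-")


def source_in_account(source, address_space):
    """Return True/False for an IP source, or None when the source is not an IP
    (CloudTrail records a service hostname when AWS calls on the principal's behalf)."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return None
    return any(ip in net for net in address_space)


def find_credential_misuse(events, address_space=ACCOUNT_ADDRESS_SPACE):
    """Flag instance-role credentials used from an IP the account does not own."""
    alerts = []
    for ev in events:
        if not is_instance_role_session(ev):
            continue
        inside = source_in_account(ev.get("sourceIPAddress", ""), address_space)
        if inside is None or inside:
            continue  # service-on-behalf call, or a source we own
        alerts.append({
            "accessKeyId": ev["userIdentity"]["accessKeyId"],
            "role": ev["userIdentity"]["arn"],
            "sourceIPAddress": ev["sourceIPAddress"],
            "eventName": ev["eventName"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_credential_misuse(SAMPLE_EVENTS):
        print("possible credential exfiltration:", alert)
```

The detector deliberately does nothing for `IAMUser` events: long-term `AKIA` keys are not tied to an instance and need a different baseline. The weak spot of this approach is the address inventory; if it lags behind instance churn you get false positives, and a credential exfiltrated to another instance inside the same account is invisible to it.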
History: Lessons from Electrical Work
Adam Shostack and Mark Vinkovits describe the Elevation of Privilege card game, built to make learning and doing threat modelling fun, and how it’s been extended to include privacy.
In this talk, Sarah discusses container and Kubernetes best practices, insecure defaults to watch out for, and what happens when you do everything wrong and make your container or cluster publicly available on the Internet.
In this talk, Adrienne describes three ways to tackle fundamentally hard problems, using challenges the Chrome security team has faced as illustrative examples.
Chris describes her experiences running a workshop in Brussels with diplomats from various EU countries in which they collectively worked through a number of cyberwarfare-type scenarios.
The new Clear-Site-Data HTTP header allows a website to tell a user’s browser to clear various browsing data (cookies, storage, cache, executionContexts) associated with the website.
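The usual mistake with this header is getting the syntax wrong: each data type is a quoted string, comma separated, and an unquoted or unknown token is silently ignored by the browser, so the logout "works" but clears nothing. The following is an added example, not code from the talk or from any browser or framework; it builds the header value for a logout response, rejects unknown types, and parses a received value the way a browser would. The `logout_headers` function and its `Cache-Control` companion are this example's own choices. One caveat worth remembering: browsers only honour Clear-Site-Data on a secure (HTTPS) response.

```python
# Data types defined for Clear-Site-Data; "*" means all of them.
CLEAR_SITE_DATA_TYPES = {"cache", "cookies", "storage", "executionContexts", "*"}


def clear_site_data_value(types):
    """Build a Clear-Site-Data header value; every type must be a quoted string."""
    unknown = set(types) - CLEAR_SITE_DATA_TYPES
    if unknown:
        raise ValueError(f"unknown Clear-Site-Data type(s): {sorted(unknown)}")
    return ", ".join(f'"{t}"' for t in types)


def logout_headers():
    """Headers for a logout response (example choice: clear cookies, storage and
    execution contexts, but leave the HTTP cache alone to avoid a slow re-login)."""
    return [
        ("Clear-Site-Data", clear_site_data_value(["cookies", "storage", "executionContexts"])),
        ("Cache-Control", "no-store"),
    ]


def parse_clear_site_data(value):
    """What a browser keeps from a received value: quoted, known types only.

    Unquoted or unknown tokens are dropped rather than rejected, which is why a
    mis-typed header fails silently.
    """
    kept = set()
    for token in value.split(","):
        token = token.strip()
        if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
            name = token[1:-1]
            if name in CLEAR_SITE_DATA_TYPES:
                kept.add(name)
    if "*" in kept:
        return CLEAR_SITE_DATA_TYPES - {"*"}
    return kept


if __name__ == "__main__":
    for name, value in logout_headers():
        print(f"{name}: {value}")
    # An unquoted value clears nothing, which is the bug this parser makes visible.
    print(parse_clear_site_data("cookies, storage"))
```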
Kristen and Tania describe what a PSIRT team is, Dell’s PSIRT team’s workflow, common challenges, and how PSIRT teams can work earlier in the SDLC with development teams to develop more secure applications.
Amine describes how Pinterest protects users who have had their credentials leaked in third-party breaches using a combination of programmatic and user-driven actions. He refers to these users as “high risk users” (HRU).
Talk structure: some history and background on Node.js, an overview of several vulnerability classes, attacks on the npm ecosystem, and best-practice security recommendations.