It depends…

Kristen and Tania describe what a PSIRT team is, Dell’s PSIRT team’s workflow, common challenges, and how PSIRT teams can work earlier in the SDLC with development teams to develop more secure applications.

Leveraging Users’ Engagement to Improve Account Security

Amine describes how Pinterest protects users who have had their credentials leaked in third-party breaches using a combination of programmatic and user-driven actions. He refers to these users as “high risk users” (HRU).

Node.js and NPM Ecosystem: What are the Security Stakes?

Talk structure: some history and background about NodeJS, overview of several vulnerability classes, attacks on the NPM ecosystem, and best practice security recommendations.

Offensive Threat Models Against the Supply Chain

In this talk, Tony discusses the economic and geopolitical impacts of supply chain attacks, a walkthrough of supply chain threat modeling from a manufacturer’s perspective, and tips and best practices in threat modeling your supply chain.

Preventing Mobile App and API Abuse

An overview of the mobile and API security cat and mouse game (securely storing secrets, TLS, cert pinning, bypassing protections via decompiling apps and hooking key functionality, OAuth2, etc.), described through an example back and forth between a package delivery service company and an attacker-run website trying to exploit it.

Securing Third Party Applications at Scale

This talk describes each step of a methodology to secure third-party apps in general, and then how they do it at Salesforce. A nice combination of both principles and implementation.

Slack App Security: Securing your Workspaces from a Bot Uprising

Kelly and Nikki discuss the fundamental challenges in securing Slack apps and the App Directory, the steps Slack is taking now, and what Slack is planning to do in the future.

Startup Security: Starting a Security Program at a Startup

The Call is Coming From Inside the House: Lessons in Securing Internal Apps

The Unabridged History of Application Security

Jim gives a fun and engaging history of computer security, with an overall encouraging message

The White Hat’s Advantage: Open-source OWASP tools to aid in penetration testing coverage

Vincent describes how two OWASP tools, Attack Surface Detector and Code Pulse, can make penetration testers more effective and demos using them.

Threat Model Every Story: Practical Continuous Threat Modeling Work for Your Team

Izar describes the attributes required by threat modelling approaches in order to succeed in Agile dev environments, how to build an organization that continuously threat models new stories, how to educate devs and raise security awareness, and PyTM, a tool that lets you express TMs via Python code and output data flow diagrams, sequence diagras, and reports.