BSides Toronto 2022

09:30 (30min), ENG-103
Opening Remarks

10:00 (25min), ENG-103
Controlled Flight into Terrain: How [NOT] to Succeed at Cybersecurity Startups.
Georgia Weidman

Have you ever gotten off the plane at BlackHat or RSA and seen the security vendor ads lining the corridors? Or made your way through a crowded vendor hall with the multistory booths larger and more elaborate than a typical city apartment and thought to yourself, that could be me? Then this talk is for you. Are you ready to never work again and enter the privileged world of successful entrepreneurs permanently on vacation? Just kidding! Are you ready to work so hard that any potential reward will come out to well below minimum wage when you calculate the hours, blood/sweat/tears, and mental health crises that went into it? Then maybe it is time to start a cybersecurity startup. In this talk we will take a dive into the exciting world of turning your hacking tool into a successful product company and how to avoid the common pitfalls encountered by the speaker and her merry band of startup world survivors. We will cover exciting topics such as venture capital funding, startup accelerators, and making your first sale. We will also discuss less exciting but equally important topics such as corporate structures, hiring a CEO, and board meetings. Filled with info and direct quotes from real security practitioners turned startup founders, venture capital investors, and serial expert advisors, this talk will get you ready to start down the path of your own startup journey, or run screaming in the other direction.

10:30 (25min), ENG-103
Threat Modeling Wins for Agile AppSec
Rahul Raghavan

Threat modeling has long been a "design level" activity that fit in right at the beginning of a well-defined application security strategy, and rightfully so. However, the current speed and scale of product and security engineering has forced software teams to overlook this very critical element of software security... and rightfully so!

11:00 (25min), ENG-103
Lessons Learned from Detection Engineering
Mangatas Tondang, Avneet Singh

In the modern world of cyber security, you as a defender are surely overwhelmed by the number of technologies and strategies available to prevent cyber attacks in your organization. On the Detection Engineering front it becomes even more confusing, since there is no clear right or wrong answer to what Detection Engineering is.

In this presentation, we will uncover things that have worked in the industry and across numerous organizations, based on the presenters' years of experience and the voice of the community. It will touch on both the management and technical aspects of Detection Engineering. Hopefully this will help both companies that have just started building their Detection Engineering function and those already running one.

11:30 (25min), ENG-103
Layers of Cloud: Azure and the (Mis-)Storage of Secrets
Katie Knowles

Where are secrets stored in Azure? Is it even safe to put secrets in the cloud to begin with? There are so many services in Azure that this isn't easy to answer. We'll start by taking a look at common ways passwords should be stored, and how these services have grown through patching recent vulnerabilities. Then we'll shift to look at common spots where it looks like passwords should go... but really shouldn't. We'll end with how to keep your secrets secure, and a quick reflection on the shared responsibility model. Both new & experienced cloud lovers welcome!

12:00 (70min), ENG-103
Lunch

13:10 (25min), ENG-103
We Taught Burp to Speak GraphQL: Automated Security Scanning of Your GraphQL API With Burp
Jared Meit

REST APIs have been the backbone of web apps for over a decade now, and they have treated us well. Inevitably, a challenger has approached and is gradually becoming the new industry standard: GraphQL, a query language for your API. But shifts in tech trends also bring another inevitability, new and interesting ways to hack stuff. GraphQL is a growing target, and the pentesting tools have yet to keep up, leaving the criminals with more time and opportunity to probe and exploit vulnerabilities in your web apps.

Burp Suite has been the de facto tool for Application Security professionals running DAST scans and penetration tests against web apps, and its amazing Active Scan feature badly needed to be able to parse GraphQL. Our new plugin for Burp Suite allows the Active Scanner to competently point its library of payloads at a GraphQL API, giving the defenders a chance to detect vulnerabilities before the criminals do.

13:40 (25min), ENG-103
Cyber security's new silver bullets - Privacy and Insurance
Alan McDermott, Cat Coode, Ken Rayner, Chinmayee Paunikar

Privacy laws like CCPA, PIPEDA and GDPR are getting teeth. Cyber insurance is getting more expensive and more difficult to get. Are these just more hurdles for beleaguered security professionals to overcome, or will they become the forcing function that finally gets the attention of the C-suite?

14:10 (25min), ENG-103
Defrauding merchants like it's Y2K
Yuk Fai Chan, Craig Barretto

In 2022, most of us have bought goods and services online or using mobile apps, for convenience, for safety (e.g., during the pandemic) or as a matter of personal preference. As mobile payments and integrations with third-party payment processors become more and more prevalent, common AppSec mistakes from the past reappear in new forms. Merchants who overlook security best practices and fail to secure their systems can become victims of fraud.

In this talk, we will cover some examples of payment APIs and mobile in-app purchases (e.g., with Apple Pay or the Google Play Store) that fail to perform sufficient validation, in ways that may have a devastating financial and reputational impact on merchants. We aim to bring awareness to these often-overlooked issues and, using real-world examples, provide recommendations to avoid these vulnerabilities.

14:40 (30min), ENG-103
Break

15:10 (25min), ENG-103
NoiseTotal - the opposite of VirusTotal
Peter Luo

Security teams are constantly frustrated by the number of false positives in security tools. The time wasted on false positives is enormous: the time it takes to identify something as a false positive is significant, and it is risky to mark something as a false positive. It is a problem we all face, and we need the community to help fight it together. In this talk, we would like to introduce a project called NoiseTotal, which consolidates open-source intelligence about noise in security tools and calls on the community to share and contribute. We will also walk through how it benefits everyone on the blue team.

15:40 (35min), ENG-103
5 Minute Lightning Talks

16:15 (30min), ENG-103
Closing Remarks