June 21

Event takeaways: BSidesMeSh21 – day 1


My key takeaways

  • Security in sprints vs whole security sprints?
    • Smaller activities from the very beginning. It is not full time, but always ongoing. And maybe, if the situation is very tricky, entire sprints might be necessary, too. — Thomas Fricke

  • Kubernetes does its best to be secure inside. Unfortunately it is not configured so by default. Challenge: every developer has to learn what the critical settings are
  • You can ask AWS whether a bucket exists with aws s3api get-bucket-acl --bucket <guessed bucket name>
  • Use bucket logging to get notified if something was (maliciously) changed. Or get pwned and have your bucket mine Monero 😉
  • Port 10250 can be the kubelet, i.e. Kubernetes
  • Infrastructure as code will lead to security by design – Dr. Morton Swimmer
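The two S3 notes above (checking a bucket's ACL, and having bucket logging in place) can be turned into a small hygiene check. The following is an added example, not code from the talk or the author; it evaluates JSON documents in the shape that `aws s3api get-bucket-acl` and `aws s3api get-bucket-logging` return, with constructed responses and hypothetical bucket names embedded inline. The assumption that a disabled logging configuration comes back as an empty document is mine.

```python
"""Evaluate S3 bucket ACL and logging responses for public grants and missing logging.

Added example, not the author's or the speakers' code. The JSON documents below are
hand-written in the shape returned by `aws s3api get-bucket-acl` and
`aws s3api get-bucket-logging`; bucket names and owner IDs are placeholders.
"""
import json

# Grantee URIs AWS uses for "everyone" and "any authenticated AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_grants(acl):
    """Return (permission, grantee URI) pairs granted to the public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grant.get("Permission"), grantee["URI"]))
    return found


def logging_target(logging_cfg):
    """Return the target bucket if server access logging is enabled, else None.

    Assumption: a bucket without logging yields an empty document (no LoggingEnabled key).
    """
    enabled = logging_cfg.get("LoggingEnabled")
    if not enabled:
        return None
    return enabled.get("TargetBucket")


def assess_bucket(acl, logging_cfg):
    """Combine both checks into a list of human-readable findings (empty list = ok)."""
    findings = []
    for permission, uri in public_grants(acl):
        group = uri.rsplit("/", 1)[-1]  # AllUsers / AuthenticatedUsers
        findings.append(f"public ACL grant: {permission} to {group}")
    if logging_target(logging_cfg) is None:
        findings.append("server access logging disabled")
    return findings


# Constructed responses (placeholder IDs, not real buckets).
ACL_PUBLIC_READ = json.loads("""{
  "Owner": {"ID": "EXAMPLE-OWNER-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}
  ]
}""")
ACL_PRIVATE = json.loads("""{
  "Owner": {"ID": "EXAMPLE-OWNER-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"}
  ]
}""")
LOGGING_OFF = json.loads("{}")
LOGGING_ON = json.loads(
    '{"LoggingEnabled": {"TargetBucket": "example-log-bucket", "TargetPrefix": "s3/"}}'
)

if __name__ == "__main__":
    for name, acl, log in [("example-open-bucket", ACL_PUBLIC_READ, LOGGING_OFF),
                           ("example-private-bucket", ACL_PRIVATE, LOGGING_ON)]:
        print(name, assess_bucket(acl, log) or ["ok"])
```

In practice you would feed the functions the output of the two CLI calls for each bucket in the account; the ACL check is only one part of the picture, since bucket policies and the account-level public access block also decide who can read a bucket.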

  • kubectl auth can-i --list will show the privileges of the Kubernetes service account
  • Kubernetes and containerization in general are among the most important upcoming technologies. But they are also very complex and need a whole new security mindset compared to the on-prem mindset
    • we are in a transition period where management is used to on-prem while the next generation is already thinking in containers
  • Edge computing brings back some computing power to a device on the edge of the network
    • Edge computing is a distributed architecture design that places computing nodes at the edge of the network. This brings them much closer to information-gathering sensors and devices, thereby eliminating the need to send large amounts of data to computational services in distant locations. As a result, latency and other issues that might hinder or slow down enterprise operations are resolved. — Trend Micro
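The kubectl auth can-i --list note above is easiest to act on when the output is reviewed mechanically rather than by eye. The script below is an added example (not the speakers' tooling): it parses the fixed-width table the command prints and flags a small, opinionated starting set of risky rules (wildcards, reading Secrets, exec into pods, creating pods or bindings). The sample output is constructed by hand in that table format; the risk rules and their wording are my assumptions.

```python
"""Flag risky permissions in the text output of `kubectl auth can-i --list`.

Added example, not the speakers' code. SAMPLE_OUTPUT is constructed in the tabular
format the command prints (columns: Resources, Non-Resource URLs, Resource Names,
Verbs); RISK_RULES is an assumed starting set, not a complete policy.
"""
import re
import sys

COLUMNS = ["Resources", "Non-Resource URLs", "Resource Names", "Verbs"]

# (regex on the Resources cell, verbs that make it risky, why) - assumed starting set
RISK_RULES = [
    (r"^\*(\.\*)?$", {"*"}, "wildcard access to all resources (cluster-admin-like)"),
    (r"^secrets$", {"get", "list", "watch", "*"}, "can read Secrets, incl. other service-account tokens"),
    (r"^pods/(exec|attach)$", {"create", "*"}, "can execute commands inside running pods"),
    (r"^pods$", {"create", "*"}, "can create pods (host mounts, privileged containers)"),
    (r"^(clusterrolebindings|rolebindings)(\..*)?$", {"create", "*"}, "can grant privileges via bindings"),
]


def _bracket_list(cell):
    """Turn a cell such as '[get list]' or '[]' into a list of strings."""
    return cell.strip("[]").split()


def parse_can_i_list(text):
    """Parse the command's fixed-width table into a list of rule dicts.

    Column boundaries are taken from where each header word starts, which is how
    the tabwriter-aligned output lines up; the Resources cell may be empty for
    non-resource URL rules.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    header, rows = lines[0], lines[1:]
    starts = [header.index(col) for col in COLUMNS]
    bounds = list(zip(starts, starts[1:] + [None]))
    rules = []
    for row in rows:
        cells = [row[a:b].strip() for a, b in bounds]
        rules.append({
            "resources": cells[0],
            "non_resource_urls": _bracket_list(cells[1]),
            "resource_names": _bracket_list(cells[2]),
            "verbs": _bracket_list(cells[3]),
        })
    return rules


def risky_rules(rules):
    """Return (resource, reason) pairs for rules matching RISK_RULES."""
    findings = []
    for rule in rules:
        for pattern, verbs, why in RISK_RULES:
            if re.match(pattern, rule["resources"]) and verbs & set(rule["verbs"]):
                findings.append((rule["resources"], why))
                break
    return findings


def _row(resources, urls, names, verbs):
    """Build one table line with the same fixed column widths as the constructed header."""
    return f"{resources:<48}{urls:<38}{names:<17}{verbs}"


# Constructed sample: what an over-privileged service account might print.
SAMPLE_OUTPUT = "\n".join([
    _row("Resources", "Non-Resource URLs", "Resource Names", "Verbs"),
    _row("secrets", "[]", "[]", "[get list]"),
    _row("pods/exec", "[]", "[]", "[create]"),
    _row("selfsubjectaccessreviews.authorization.k8s.io", "[]", "[]", "[create]"),
    _row("", "[/api/*]", "[]", "[get]"),
    _row("", "[/healthz]", "[]", "[get]"),
])

if __name__ == "__main__":
    # Pipe real output in: kubectl auth can-i --list | python3 canilist.py
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for resource, why in risky_rules(parse_can_i_list(text)):
        print(f"{resource}: {why}")
```

The selfsubjectaccessreviews and selfsubjectrulesreviews rows appear for every authenticated principal and are not flagged; the interesting rows are the ones a workload should not need, which is exactly what a per-namespace review against the default service account will surface.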

  • 3 questions to define a threat model:
    • What are we protecting?
    • What are we assuming?
    • Protecting from whom?
  • Pi 4 and Pi 0W support "gadget mode" on the USB C port
  • the open-session idea is important for security people to keep up with developments
  • IKEA believes that having one security-savvy person in each product team will go a long way
  • What we can learn from Dale Carnegie's "security hat" story: ask the users why they do not like the idea and point out the advantages for them
  • very generic awareness trainings lead to security fatigue
  • TPB: Theory of planned behavior
    • positive for the individual + social proof = motivation
  • Motivation needs more:
    • TPB + ability to do it + intention to comply
  • But the individual cost-benefit analysis per situation (productivity vs security) might override any motivation
  • There is also a priorities triangle in security: Security <> Productivity <> Time
  • What drives non-compliant behaviour:
    • there is no reason to comply
    • the cost of complying is too high
    • inability to comply
  • To change a behavior, you first have to change the attitude, thoughts and feelings associated with it — Christina Lekati

  • security initiatives must be communicated as "enablers", not as "necessary evils"
  • Germans are probably less prone to click on social-media-related phishing mails but highly affected by authoritative topics and spear phishing

additional links

  • 13:00 – 13:10
    • Opening Day 1
  • 13:10 – 13:45
    • Elbsides Keynote – Practice DevSecOps and Beyond ; Thomas Fricke
  • 13:45 – 14:05
    • Dr. Morton Swimmer ; Vulnerable as a Service
  • 14:05 – 14:40
    • Vasant Chinnipilli & Pralhad Chaskar ; Demystifying the state of kubernetes cluster security – the cloud native way
  • 14:40 – 15:00
    • Coffee Break
  • 15:00 – 15:23
    • Sreenidhi Ramadurgam ; Abracadabra – A researcher’s reversing spell!
  • 15:23 – 15:45
    • Dr. Vincenzo Ciancaglini ; Joey Costoya ; On the edge with access control devices
  • 15:45 – 16:15
    • Tim Panton ; How to build better more secure KVM with off-the shelf hardware.
  • 16:15 – 16:35
    • Coffee Break
  • 16:35 – 17:10
    • Rise of the Cyber Jedi – Building a security community of practice ; Gustav Lundsgård
  • 17:10 – 17:45
    • “If Only They Would Take Us Seriously” : The Behavioral Science Influencing Your Cybersecurity Culture ; Christina Lekati
  • 17:45 – 17:50
    • Closing Day 1


BSides, conference, containers, DevSecOps, edge computing, IoT, malware, social engineering
