BlueHat 2024: Security Challenges Are Universal (Just Ask Microsoft)
2024 has been my year for security conferences: CloudNativeSecurityCon North America, BSides Las Vegas, Black Hat, DEFCON 32, and today - BlueHat 2024.
BlueHat stood out immediately. No vendors, no sales pitches, smaller scale, and completely free. Just pure technical content. Day one offered two tracks: Cloud & Identity Security, and OS & App Security. While I have experience across both domains, I gravitated toward the Cloud & Identity Security track.
Chris Wysopal’s (Weld Pond) keynote had me taking notes frantically. I’ve sat through countless conference keynotes - some inspiring, others forgettable - but rarely do I walk away with specific action items. This time I did:
Two ISO standards to investigate:
- ISO/IEC 29147 (Information technology — Security techniques — Vulnerability disclosure)
- ISO/IEC 27034 (Information technology — Security techniques — Application security)
What made this conference unique was the dual perspective approach. Many talks featured both a security researcher/bug bounty hunter and someone from Microsoft’s Security Response Center who had to triage and fix the vulnerability. This format delivered three key insights:
1. My Microsoft cloud knowledge has gaps. I picked up several details about roles and entitlements within their ecosystem that I need to dig deeper into (time permitting - does it ever really permit?).
2. Microsoft faces the same operational challenges we all do. Seeing them deal with poorly written vulnerability reports, reproduction issues, and communication breakdowns was oddly comforting. The scale is different, but the fundamental problems are identical.
3. Security challenges are universal. Whether it’s Microsoft or a startup launching their first product, the issues are the same: developers pushing secrets to source control, overly privileged tokens ending up in logged URLs, authorization complexity nightmares. The response process is also universal: finding the right team, assessing architectural changes, identifying compensating controls, balancing risk and urgency.
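One of the failure modes listed above, credentials riding along in logged URLs, is cheap to catch before the log leaves the host. The following is an added example, written for this recap; it is not code from the post, from any BlueHat talk, or from Microsoft. It assumes a simple space-separated access-log format (`timestamp method url status`), a hand-picked list of credential-bearing query parameter names, and Azure-style SAS query semantics where `sp` holds the signed-permission letters (`r`, `w`, `d`, `l`, `a`, `c`). The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that carry credentials when they appear in a URL.
# Assumption: an illustrative list, not an exhaustive catalogue.
SENSITIVE_PARAMS = {
    "access_token", "id_token", "token", "api_key", "apikey", "key",
    "secret", "password", "sig", "signature", "code",
}

# Values that look like credentials regardless of the parameter name:
# a JWT (three base64url segments, header starting "eyJ") or a long opaque blob.
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
OPAQUE_RE = re.compile(r"^[A-Za-z0-9+/=_%-]{32,}$")

# Assumption: "sp" is an Azure SAS signed-permissions string; anything beyond
# read/list (write, delete, add, create) counts as over-privileged for a link
# that ends up in a log.
WRITE_PERMS = set("wdac")

# Assumption: log lines look like "<timestamp> <METHOD> <url> <status>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample lines for the example (not real traffic).
SAMPLE_LOG = """\
2024-10-29T17:02:11Z GET /api/v1/files?id=42&access_token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2ln 200
2024-10-29T17:02:12Z GET /static/logo.png 200
2024-10-29T17:02:13Z GET https://acct.blob.example/reports/q3.csv?sv=2022-11-02&sp=rwdl&sig=AbCdEf1234567890GhIjKlMnOp%3D 403
2024-10-29T17:02:14Z GET /download?file=report.pdf&t=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2ln 200
2024-10-29T17:02:15Z POST /login 302"""


def looks_like_secret(name, value):
    """True if the parameter name or the value shape suggests a credential."""
    return (name.lower() in SENSITIVE_PARAMS
            or bool(JWT_RE.match(value))
            or bool(OPAQUE_RE.match(value)))


def redact_url(url):
    """Return (redacted_url, findings); each finding is (kind, param_name)."""
    parts = urlsplit(url)
    findings, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if looks_like_secret(name, value):
            findings.append(("credential", name))
            cleaned.append((name, "REDACTED"))
            continue
        if name.lower() == "sp" and WRITE_PERMS & set(value.lower()):
            findings.append(("over-privileged", name))
        cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), findings


def scan_log(text):
    """Scan access-log text; return (redacted_text, findings) where each
    finding is (line_no, kind, param_name). Lines that do not match the
    assumed format pass through untouched."""
    out_lines, findings = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            out_lines.append(line)
            continue
        url, url_findings = redact_url(m.group("url"))
        findings.extend((line_no, kind, param) for kind, param in url_findings)
        out_lines.append(f"{m.group('ts')} {m.group('method')} {url} {m.group('status')}")
    return "\n".join(out_lines), findings


if __name__ == "__main__":
    redacted, found = scan_log(SAMPLE_LOG)
    for line_no, kind, param in found:
        print(f"line {line_no}: {kind} in query parameter '{param}'")
    print(redacted)
```

The name list catches the common cases (`access_token`, `sig`); the value-shape check catches a JWT hiding behind an innocuous parameter like `t`. Flagging `sp=rwdl` separately matters because a read-only SAS link leaking into a log is a much smaller incident than one that can write or delete. In practice this belongs in the logging layer, before the line is written, so the raw token never reaches the log store at all.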
BlueHat exceeded expectations. Already planning to return next year.