
I have been very fortunate to be able to attend a number of security conferences this year. CloudNativeSecurityCon North America, BSides Las Vegas, Black Hat, DEFCON 32, and then today - BlueHat 2024.

Each conference has its own strengths and weaknesses, but BlueHat stood out as something special. There were no vendors or sales pitches, and it was on the smaller side—plus, it was free. Day one featured two tracks: Cloud & Identity Security and OS & App Security. While I have experience in all four areas, I found myself particularly drawn to the Cloud & Identity Security track. Before the sessions began, Chris Wysopal (also known as Weld Pond) delivered an insightful keynote. I’ve seen many keynotes over the years—some thought-provoking, others less so—but it’s rare for me to take notes like I did today. By the end of his presentation, I had jotted down a reminder to check two ISO guidelines related to vulnerability disclosure and the software development lifecycle (SDLC).

  • ISO/IEC 29147 (Information technology — Security techniques — Vulnerability disclosure)
  • ISO/IEC 27034 (Information technology — Security techniques — Application security)


Several talks included a point of view from a security researcher/bug bounty hunter as well as from someone working in the Microsoft Security Response Center who would have to triage and address the vulnerability. I found this particularly interesting for a number of reasons.

  1. I learned pretty quickly that my knowledge of roles and entitlements within the Microsoft cloud ecosystem was lacking - I picked up several smaller tidbits, but plan to dig in here as time permits (does it ever really permit?)
  2. Seeing Microsoft deal with many of the same issues that I have had to deal with (poorly written reports, not being able to reproduce, etc.) was somehow a little comforting.
  3. It reinforced the idea that every security team faces similar challenges, just at different scales. Whether it’s developers accidentally pushing secrets into source control, using overly privileged tokens in URLs that get logged or accessed by anyone, or navigating the complexities of authorization, these issues arise at both Microsoft and small startups launching their first product. The response process is consistent across the board and often involves familiar challenges: identifying the right person or team to address the problem, assessing whether architectural or systemic changes are needed, determining if there are compensating controls to mitigate risk and urgency, and much more.
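The "overly privileged token in a URL" case from the list above is worth seeing concretely, because the reason it keeps showing up at every scale is that a query string is part of the request line, and the request line is exactly what access logs, proxies and browser history record. The block below is an added example written for this post (not code from BlueHat, Microsoft or the talks): a small scanner that finds credential-bearing query parameters in access-log lines, plus a redactor that scrubs those values before a line is written to a log sink. The log lines, token values and the list of sensitive parameter names are constructed assumptions for the example.

```python
"""Find and redact bearer-style credentials that leaked into URL query strings.

Added example for this post, not code from BlueHat or Microsoft. The log
lines, parameter names and token values below are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that commonly carry a credential. This set is an
# assumption for the example; extend it for the services you actually run.
SENSITIVE_PARAMS = {
    "sig",            # Azure SAS signature
    "access_token",   # OAuth bearer token passed in the query string
    "token", "api_key", "apikey", "client_secret", "password",
}

# Request line inside a common/combined access-log entry, e.g. "GET /path?x=1 HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>\d\.\d)"')

# Constructed sample log lines (not real traffic). Lines 2 and 4 carry a
# credential in the query string; the values are placeholders, not real secrets.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [09/Oct/2024:14:02:11 +0000] "GET /api/v1/reports?page=2 HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Oct/2024:14:02:19 +0000] "GET /export/report.csv?sv=2022-11-02&sp=r'
    '&sig=Q2hhbmdlTWVOb3c%3D HTTP/1.1" 200 9921',
    '10.0.0.9 - - [09/Oct/2024:14:03:02 +0000] "POST /login HTTP/1.1" 302 0',
    '10.0.0.9 - - [09/Oct/2024:14:03:40 +0000] "GET /me?access_token=eyJhbGciOi.FAKE.TOKEN HTTP/1.1" 200 77',
]


def credential_params(target):
    """Return the (name, value) query pairs in a request target that look like credentials."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if k.lower() in SENSITIVE_PARAMS]


def find_credentials_in_logs(lines):
    """Scan access-log lines and return one finding per credential-bearing parameter.

    Each finding is (line_number, method, path, param_name, value_preview). The
    preview keeps only the first four characters so the finding itself does not
    re-leak the secret into whatever system stores the scan results.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue  # not a recognisable request line; skip rather than guess
        target = m.group("target")
        for name, value in credential_params(target):
            preview = value[:4] + "..." if len(value) > 4 else value
            findings.append((n, m.group("method"), urlsplit(target).path, name, preview))
    return findings


def redact_target(target):
    """Rewrite a request target so credential-bearing query values read REDACTED.

    Non-sensitive parameters keep their values and order; the path is untouched,
    so the redacted line is still useful for debugging and traffic analysis.
    """
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def redact_log_line(line):
    """Apply redact_target to the request line of one access-log entry, leaving the rest alone."""
    return REQUEST_LINE.sub(
        lambda m: '"%s %s HTTP/%s"' % (m.group("method"), redact_target(m.group("target")), m.group("version")),
        line,
    )


if __name__ == "__main__":
    for n, method, path, name, preview in find_credentials_in_logs(SAMPLE_LOG_LINES):
        print(f"line {n}: {method} {path} carries credential parameter '{name}' ({preview})")
    for line in SAMPLE_LOG_LINES:
        print(redact_log_line(line))
```

The scanner is the detection side (run it over existing logs to find out what has already been captured), and the redactor is the compensating control for the log sink. Neither removes the root cause: the durable fix is to move the credential out of the URL and into an `Authorization` header, and to mint short-lived, narrowly scoped tokens so that one logged URL does not become a long-lived foothold.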

As a first-timer to BlueHat, I was impressed. Already looking forward to coming back in years to come.