Saturday, November 16, 2024

BSides Munich 2024 - We Belong

Last year, I've attended my first security conference with BSides Munich. It was an awesome experience connecting with the community. This year, it was clear to me to come back as participant. Yet when the call for papers started, I figured: why not try my chances? I dared to submit my brand-new talk "A Security Champion’s Journey - How to Make Things a Bit More Secure than Yesterday Every Day" to BSides Munich. You can imagine my joy when it was indeed accepted! So, here's my recap from this year's conference as participant and speaker.

 

Workshop Day

Tickets for this conference are usually quickly gone, so I made it a point to decide on my workshops early on and then grab the tickets as soon as they went online. It worked! This time, I decided to go for two half-day workshops.

In the morning, I joined "Backdoors & Breaches: Simulating Cyber Security Incidents" by Klaus-E. Klingner. I wanted to give the Backdoors & Breaches card game a try for quite a while, so here was my chance. Klaus started setting the scene describing how classic incident response simulations can be tedious and require a lot of preparation effort. In contrast, using game-based learning, like playing a round of Backdoors & Breaches, can be done very quickly and provide playful insights. Backdoors & Breaches is designed based on the tabletop role-playing game Dungeons & Dragons. Instead of a game master, you have an incident master. They choose the attack scenario that led to the incident, which the group has to figure out - how did the attackers manage to compromise the system, move deeper, maintain persistence in the system, and finally exfiltrate data? What happened? The group has procedures they can use to find out more about what happened - yet depending on how they roll the dice, they won't always succeed! There's a bit more to it, just check out the complete rules for yourself. What a fun game; it led to really insightful conversations in my group. There are expansion packs already enabling further scenarios, and you can also play it online, either using Klaus' version or the official one.

In the afternoon, I participated in the "How to Hack your Web Application" workshop by Janosch Braukmann. I really liked his introductory web app hacking challenges offering simple yet not uncommon mistakes to exploit. A really nice hands-on connection to the topic, allowing him to gauge the context of the audience just as well. It made his point very clear: don't trust anything coming from the client side, it's not in our hands. We've walked through the OWASP Top 10 together and how to mitigate the respective risks. Then it was time for practice again: we got our hands on a vulnerable web application he provided for the duration of the workshop. It's usually insightful and fun to see what people find and what approaches they come up with to do so. Practice didn't stop here, how do we prevent these issues in the first place? The most effective and simplest way Janosch has seen so far are malicious user stories: user stories from a malicious actor's point of view. We then just need to flip the acceptance criteria to build an implementation that prevents the threat actor from being successful with their attempt. This can easily be done along with any usual ideation and refinement activities as part of the development life cycle that teams tend to be used to. Even though I've heard the content before, I like joining these workshops in order to get surprised of what I didn't know yet, and to learn about different approaches to convey the respective concepts and skills to folks.

All in all, the workshops were great. Even better, this day already granted space to check in with people! It was awesome to meet Claudius Link again in person, my Open Security Conference (osco) co-organizer fellow. It's been great to re-connect with a few folks I've met at last year's BSides. And I really enjoyed getting to know Yin Yin Wu-Hanke and Lisa Aichele!


Conference Day

The day started very early for me. Being a local meant commuting to the venue, and being a speaker meant showing up at 7:30 am for the tech setup check. If you've met me, you know I'm a night owl, so this hurt quite a bit. And yet I was excited to have this opportunity at re-connecting with the community and also presenting my own content at the event. 

This conference has an amazing organizer team and so many people volunteered to help and ensure it's running smoothly. Many thanks to all of you for creating and holding this space for us! This year's main organizer was Sneha Rajguru. When she opened the conference officially, she emphasized that this event is for all of us in all our diversity, and her words stuck with me: "You belong." Last year was my first BSides. This year, I've really felt I do belong indeed. We all do. 

Overall, BSides Munich had once again a lot to offer. More than I could try out myself! A hardware hacking village, a CTF, a retro-gaming area, the sponsors exhibition, and more. I mostly focused on the talks myself, while at times taking a break to chat with folks in between. Here are the presentations I've attended.

Finally, a huge shout-out to lots of amazing people I've connected with during the day! I really appreciated meeting Van Nguyen, Clara Kowalsky, Sujaritha, Dagmar Swimmer, Morton Swimmer, Tobias Schuster, Julien Reisdorffer, Konstantin Weddige, Stuart McMurray, and Rudolf Kaertner whom I've first met at osco this year.

At the end of the day, the organizers invited all speakers to a fabulous speakers dinner where we enjoyed great food in great company. What an amazing closing for the day.


BSides Munich 2025

One thing is for sure, I'll do what I can to make it to BSides Munich next year as well! If you have the opportunity, seize it to experience it for yourself. Maybe even submit a proposal to share your own stories with the community, or offer to be a volunteer. It's been a great event once again this year and I'm happy to have been part of it.

Need more reasons to join? The recordings for this year had already been published! Have a look by taking the direct links from this year's agenda, and check out past years' recordings on the BSides Munich YouTube channel.

See you in 2025!