BSides Munich 2024 - We Belong

Last year, I've attended my first security conference with BSides Munich. It was an awesome experience connecting with the community. This year, it was clear to me to come back as participant. Yet when the call for papers started, I figured: why not try my chances? I dared to submit my brand-new talk "A Security Champion’s Journey - How to Make Things a Bit More Secure than Yesterday Every Day" to BSides Munich. You can imagine my joy when it was indeed accepted! So, here's my recap from this year's conference as participant and speaker.

 

Workshop Day

Tickets for this conference are usually quickly gone, so I made it a point to decide on my workshops early on and then grab the tickets as soon as they went online. It worked! This time, I decided to go for two half-day workshops.

In the morning, I joined "Backdoors & Breaches: Simulating Cyber Security Incidents" by Klaus-E. Klingner. I wanted to give the Backdoors & Breaches card game a try for quite a while, so here was my chance. Klaus started setting the scene describing how classic incident response simulations can be tedious and require a lot of preparation effort. In contrast, using game-based learning, like playing a round of Backdoors & Breaches, can be done very quickly and provide playful insights. Backdoors & Breaches is designed based on the tabletop role-playing game Dungeons & Dragons. Instead of a game master, you have an incident master. They choose the attack scenario that led to the incident, which the group has to figure out - how did the attackers manage to compromise the system, move deeper, maintain persistence in the system, and finally exfiltrate data? What happened? The group has procedures they can use to find out more about what happened - yet depending on how they roll the dice, they won't always succeed! There's a bit more to it, just check out the complete rules for yourself. What a fun game; it led to really insightful conversations in my group. There are expansion packs already enabling further scenarios, and you can also play it online, either using Klaus' version or the official one.

In the afternoon, I participated in the "How to Hack your Web Application" workshop by Janosch Braukmann. I really liked his introductory web app hacking challenges offering simple yet not uncommon mistakes to exploit. A really nice hands-on connection to the topic, allowing him to gauge the context of the audience just as well. It made his point very clear: don't trust anything coming from the client side, it's not in our hands. We've walked through the OWASP Top 10 together and how to mitigate the respective risks. Then it was time for practice again: we got our hands on a vulnerable web application he provided for the duration of the workshop. It's usually insightful and fun to see what people find and what approaches they come up with to do so. Practice didn't stop here, how do we prevent these issues in the first place? The most effective and simplest way Janosch has seen so far are malicious user stories: user stories from a malicious actor's point of view. We then just need to flip the acceptance criteria to build an implementation that prevents the threat actor from being successful with their attempt. This can easily be done along with any usual ideation and refinement activities as part of the development life cycle that teams tend to be used to. Even though I've heard the content before, I like joining these workshops in order to get surprised of what I didn't know yet, and to learn about different approaches to convey the respective concepts and skills to folks.

All in all, the workshops were great. Even better, this day already granted space to check in with people! It was awesome to meet Claudius Link again in person, my Open Security Conference (osco) co-organizer fellow. It's been great to re-connect with a few folks I've met at last year's BSides. And I really enjoyed getting to know Yin Yin Wu-Hanke and Lisa Aichele!

Conference Day

The day started very early for me. Being a local meant commuting to the venue, and being a speaker meant showing up at 7:30 am for the tech setup check. If you've met me, you know I'm a night owl, so this hurt quite a bit. And yet I was excited to have this opportunity at re-connecting with the community and also presenting my own content at the event. 

This conference has an amazing organizer team and so many people volunteered to help and ensure it's running smoothly. Many thanks to all of you for creating and holding this space for us! This year's main organizer was Sneha Rajguru. When she opened the conference officially, she emphasized that this event is for all of us in all our diversity, and her words stuck with me: "You belong." Last year was my first BSides. This year, I've really felt I do belong indeed. We all do. 

Overall, BSides Munich had once again a lot to offer. More than I could try out myself! A hardware hacking village, a CTF, a retro-gaming area, the sponsors exhibition, and more. I mostly focused on the talks myself, while at times taking a break to chat with folks in between. Here are the presentations I've attended.

• Keynote: "8 Bits Wisdom to Secure the Code of Life" by Desiree Sacher-Boldewin. A great opener for the conference addressing a very real and pressing topic for the tech world and security in specifics: burnout, depression, anxiety, and more. Desiree shared concrete advice what can help us navigate around these and keep doing what we love doing.
  
  
• "Leaking Kakao: How I found a 1-Click Exploit in Korea's Biggest Chat App" by Dawin Schmidt. Having worked on a mobile app myself, I've encountered a few usual suspects in this great talk. Dawin presented an interesting attack vector and quite a bleak look at a world of rather easily exploitable applications a lot of people use every day.
  
  
• "Demystifying the First Few Minutes After Compromising a Container" by Stuart McMurray. Stuart took us through a speed run of all things containers, what makes them more relatable than you might think, and (of course) how to hack them. I really enjoyed Stuart's view on containers from lots of different angles.
  
  
• "A Security Champion's Journey - How to Make Things a Bit More Secure than Yesterday Every Day" by me. I've given many conference sessions by now, and yet this one was a personal highlight for me. My first ever talk at a security conference! Really glad to have heard lots of positive feedback from folks, the talk seemed to have been received well. You can check it out yourself, slides and the video recording are already published online.
  
  
• "Kobold Letters and Other Mischief - How Emails Can Deceive You" by Konstantin Weddige. A great showcase on two vulnerabilities when it comes to emails that can easily trick users into seeing different content than originally intended, and what we can do about it. Well, if email clients don't offer further guardrails, in the end it's up to us to be careful - so let's spread awareness of what's possible.
  
  
• "Demystifying Cloud Infrastructure Attacks" by Alexander. This was an interesting take on cloud security and its components. Alexander's points on Jenkins made me think in particular. How many times have you seen Jenkins be a central hub for all the things, enabling so many people to execute custom scripts while having all the permissions on all environments?
  
  
• "Beyond Manual: Enhancing and Scaling Security with Automation" by Christian Bauer. Scaling security across the company is a huge topic as there are only so many experts available with only so much capacity. Automation to the rescue! We can use it for lots of work like alerting on misconfiguration or extending our reach beyond what we can perform manually.
  
  
• "Help, My Application Is Vulnerable, but How Bad Is It? - Practical Vulnerability Analysis for Development Teams" by Michael Helwig and Alvaro Martinez. There are lots of categorizations trying to help us evaluate vulnerabilities, and yet they all have shortcomings. Michael and Alvaro suggested a simple enough and practical procedure to make the best of them while not overly relying on any of them.
  
  
• Keynote: "Empowering Pentesters: Strategies for Team Motivation, Purpose and Success" by Bettina Haas. Pentesters, like other security and tech folks, need the right environment to thrive. Bettina pointed out what's especially important to keep people motivated, foster a more effective security culture and protect from harm.
  
  

Finally, a huge shout-out to lots of amazing people I've connected with during the day! I really appreciated meeting Van Nguyen, Clara Kowalsky, Sujaritha, Dagmar Swimmer, Morton Swimmer, Tobias Schuster, Julien Reisdorffer, Konstantin Weddige, Stuart McMurray, and Rudolf Kaertner whom I've first met at osco this year.

At the end of the day, the organizers invited all speakers to a fabulous speakers dinner where we enjoyed great food in great company. What an amazing closing for the day.

BSides Munich 2025

One thing is for sure, I'll do what I can to make it to BSides Munich next year as well! If you have the opportunity, seize it to experience it for yourself. Maybe even submit a proposal to share your own stories with the community, or offer to be a volunteer. It's been a great event once again this year and I'm happy to have been part of it.

Need more reasons to join? The recordings for this year had already been published! Have a look by taking the direct links from this year's agenda, and check out past years' recordings on the BSides Munich YouTube channel.

See you in 2025!