I've been to BSides Munich for the last three years, and it's been a pleasure each time. So while it wasn't my first time attending the conference, there were other first times to be celebrated. It's been my first time giving a workshop at a security conference. It's been my first time as a session chair for speakers. It's been my first time being together with the other half of my team at a conference. And for one of them it's even been their very first conference! That alone is already making my year. Especially as that specific teammate dove into the full experience, connecting with folks, joining a dinner group in the evening, exchanging experiences. Just love it when good things happen.
Workshop Day
My day started out with meeting some known and new people on my way to the venue (we all ended up at a slightly wrong address at first, which was rather a connecting experience). On entering the (actual) building, there were more folks to greet. Some from other conferences, some from BSides Munich in the last years. After grabbing a quick breakfast, it was time to start learning together.
In the morning, I joined the half-day workshop "Cloud-Native Chaos: Hacking CI/CD and Cloud Environments" by Samuel Hopstock and Daniel Schwendner. This was a really cool session and an actual workshop, fully hands-on and even exploratory! I know it's literally in the name of a "workshop", yet at times they end up as lectures instead of actual interactive hands-on learning sessions. So this was a really nice experience. We formed a group of three to tackle our task: given a practice app, gain full access to the Kubernetes cluster it's running on. The challenge was on! I loved that we had decent time to really try things ourselves, not too many spoilers but help when needed. Perfect combination. I'm not going to spoil this workshop and the attack path we discovered, yet we could really make use of leftovers, misconfigurations, and oversights all the way. It was very interesting to see for myself how easy it can be to escape a Docker container to the host. It's one thing to know about it theoretically and another to actually see it, and especially to do it yourself. Another aha moment for me was learning how to upgrade a non-interactive reverse shell to an interactive one - super useful for my next CTF sessions.
After great conversations over lunch, it was time for the afternoon workshops. First, I joined "Developing Universal AI Agents for Static Code Analysis via MCP" by Sunil Kumar. My own workshop had been moved to a later slot and this one was the only session that fit in before. Good thing it was also on a topic I know I need to learn more about. Admittedly, I couldn't fully focus with my own workshop coming up right afterwards, yet it did showcase how MCP servers are built and configured, and demonstrated how they can be used afterwards. More to dive into for sure.
Then it was time for my own workshop "Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day". It was not set up for a good start - there was no break scheduled between the two workshops, and people joining both definitely needed some time to breathe. To add to this, I learned about yet another scenario of how things can go wrong when presenting. This time, the projector and my laptop both decided to connect briefly at first, but when I attempted to mirror the screen instead of extending it they said enough is enough - we're not working together any longer. Luckily, it's not my first rodeo so it didn't bother me (what a nice surprise to be calm for a change), plus showing my screen was anyway only a nice bonus for my workshop. We found a quick solution, and once people were back from their break we could finally start. But well, that definitely cut around 15 minutes from the already short time. People told me afterwards they definitely wanted more time, it was flying for them! They had fun trying their hands at the exercises and there was more to explore. While some things are not in my hands, I'm taking this as a very positive signal.
The workshops were done and yet not everyone was ready to call it a day. My dear CTF team Mireia Cano and Martin Schmidt, one of my colleagues and I all headed for dinner to extend the conversations and have a nice conclusion for the day.
Conference Day
Already at the beginning of the day, I met many familiar faces and we all prepared together for a busy day ahead full of talks, conversations and insights. Here are the sessions I attended.
- Keynote: "The art of saying NEIN (in security)" by Martin Brunner. Cybersecurity is a lot about trust, and we need to learn how to say "no" more often, especially from a defender's standpoint. Also, this talk made a new connection across domains: what we have in security with attackers, defenders and victims resembles the drama triangle with persecutor, rescuer and victim a lot. So here too, you can only stop playing the game. In general, Martin encouraged us to be very intentional about what we say yes to, what we say no to, and why.
- "Fantastic clear-text passwords and where to collect them" by Stephan Berger. This talk showed a lot of interesting ways to get your hands on passwords on Windows systems. Easily. Honestly, too easily. Stephan reminded us that you often don't need fancy new tools, you just need to take the time instead and get your hands dirty.
- "Structuring (cyber) incident root-cause investigations: a practical walk-through" by João Collier de Mendonca. This was a nice demonstration of how incidents look in a very real scenario and what constraints come with it, much like in the medical and healthcare domain. Also, I'm curious to check out the mentioned DFIQ framework of forensic questions and approaches.
- "Trust Issues: How Gen Z Attackers Hack Without Exploits" by Tom Barnea. Tom explained how Gen Z aims for the weakest link: the human. They are hacking trust as this is way easier than hacking systems. Going for everyday, inconspicuous tooling and activities that evade traditional defenses is not only smart but also efficient. We need to rethink and change our approaches accordingly.
- "Translating mobile app security lessons to the Flutter stack" by Samuel Hopstock. Having worked with React Native apps, I was curious how Flutter differs when it comes to security. It wasn't very surprising yet still pretty interesting to hear the answer: Flutter apps are just mobile apps and show the same issues as any other mobile app, so we can use the same approaches to find weaknesses.
- "In Scope, Out of Sight: Why NIS-2 Isn't Landing in German SMEs" by Younes Ahmadzei. A lot of companies are in scope of the new regulation. Nearly none of them are aware of this fact. And even if they are, they still lack understanding of what it actually means to them and what they have to do - such uncertainty can be paralyzing.
- "Why I Go to the Dark Web Every Day" by Alex Holden. Alex shared super interesting stories on what he learned when trying to gain the trust of cybercriminals, where they work, what they think. He emphasized that if you don't know what's going on on the dark web you have to assume the worst in case of breaches (e.g. you won't notice that an attack is going on and how it ended, whether the attacker aborted or pulled through). Also, corporate data is extremely valuable, and it's everywhere in the supply chain - we tend to forget about this aspect. We'd better know our enemies and threats to stay ahead.
- "The Perks and Perils of Persistence: AWS Attacker Techniques" by Oisín B. This talk shared lots of tangible actions that attackers will try, how discoverable such attacks are, how we can spot them and what we can do to prevent these paths. It was focused on AWS, yet the core ideas are transferable to other cloud providers.
- "Turning Off the Internet: Technical Tactics of State-Scale Censorship and Shutdowns" by Reza Sharifi. Some people witness shutdowns way more than others - they are reality nonetheless. Censorship thrives where the network is centralized, as central points create control points. The tactics and techniques applied differ, however, based on which layer of the stack they target. This talk could easily have gone on for a lot longer, there's a lot to talk about on this topic.
- "NTLM reflection is dead, long live NTLM reflection: Story of an accidental Windows RCE" by Guillaume André and Wilfried Bécard. Here's a story of how the researchers found a trivial logic vulnerability allowing authenticated RCE - by accident. They couldn't believe it at first, yet in the end had to emphasize in this talk: high-impact, simple and stable logical vulnerabilities still exist.
- "Cloud IR: A Rapid Guide for AWS, Azure & GCP" by Erblind Morina. It doesn't come as any surprise, yet sometimes we need to hear messages on repeat: lack of logging means limited evidence. Visibility and logging coverage are key for incident response. Erblind encouraged us to start using the incident response cheat sheet of our cloud provider and to check out the Incident Response Hierarchy of Needs.
- Keynote: "Oops, I pwned it again!" by David Elze. I love it when people share failure stories and what they learned from them. We all have failure stories - and some are more epic than others. David shared five situations where things went awry and the lessons they gained from them. Including the last: sometimes we do have to take certain risks that come with the nature of our job.
For two of these talks, I also had the honor of supporting as session host. I tried to find the speakers beforehand, yet I didn't spot them in the crowd. This meant we could only check in shortly before their talk on what they needed regarding setup, timekeeping, introduction and so on. And then it was already on! Welcoming the audience to the room, having them seated, getting their attention, and having them cheer. Welcoming the speakers to the stage, introducing them briefly and then getting out of their way. During the talk, keeping track of time and signaling notes according to the speakers' needs. Afterwards, coordinating questions from the crowd, ensuring the program schedule could be maintained. Thanking the speakers, making sure they got what they needed. And a few more things - huge kudos to the BSides Munich organizers for preparing a comprehensive cheat sheet upfront for session chairs! They also went the extra mile and prepared both bio notes for the speaker introductions as well as potential fallback questions for each talk in case the audience wasn't ready to engage. All this went pretty well. Once again I found myself in a situation where I was glad to have been doing public speaking engagements for so many years by now, and where the respective skills gained really pay off.
The additional challenge I had: how to do sketchnotes while also being a session chair? Well, I dared to go all in, and it did turn out to be pretty stressful. I also missed parts of the talks and my sketchnotes don't do them justice. But well, I learned that's part of doing sketchnotes anyway. There are constraints and you have to live with them. Whatever you have on paper in the end you have, whatever you didn't note you didn't. It's a perception and interpretation of the talk anyway and you just do what you can do in the specific moment. I also learned over the years that I've been doing this that, no matter whether I like how a specific sketchnote turned out or not, it might still help others and it's usually appreciated by speakers. So I'm sharing them anyway.
The conference day was over super fast, with the packed schedule and lots of conversations and also duties to fulfill. On this day too, not everyone was ready to leave just yet and instead hung around and stayed for a while, still enjoying each other's company.
Then it was time to join the organizers and my fellow speakers to go to the speakers' dinner. We concluded the day with a really delicious meal among great people. We made new connections, we exchanged our favorite licorice products, conference venue struggles, insights on local security communities, and much more. As you do.
Thank you everyone for making this yet another great conference! Won't be my last BSides Munich for sure.