This document summarizes talks from the 2017 San Francisco BSides security conference. It lists the names, titles, and brief descriptions of talks given by various speakers, including discussions on application security programs, Docker image security, access control tools, ransomware strategies, SSH management, and the underground economy of stolen Apple IDs. The document concludes by providing links for more information on security news and upcoming BSides events.
2. JASON TRUPPI
Illusion vs. Reality
@NOTTRUPPI
Having experience in both the commercial and private sector, Truppi shares what organizations are actually experiencing in an effort to help the government focus on the areas that will be most effective at combating today’s threats.
3. TIM JARRETT
5 Keys to Building an Application Security Program in the Age of DevOps
@TOJARRETT
For development to deliver more secure code at DevOps speed, it requires security to adapt to the principles that have proven successful for DevOps.
4. MANIDEEP KONAKANDLA
How Secure Are Your Docker Images?
WWW.MANIDEEPK.COM
In this presentation, Manideep explains the various security issues that can happen in each stage of the Docker image lifecycle, and how each of them can be fixed.
5. JEFF MAN
Does DoD-Level Security Work in the Real World?
@MRJEFFMAN
After 20 years in the private sector, and especially over the past 2-3 years with the proliferation of data breaches against major companies, Man explains why organizations really do need DoD-level security.
6. JIM O’LEARY
Size Up Your AppSec Program with New Metrics
@JIMIO
O’Leary proposes several approaches for generating metrics that measure and improve your appsec work, from monitoring bug-bounty operational health to incentivizing long-term secure framework bets.
7. DANIEL POPESCU
Make Alerts Great Again
@DANIELPOPES
Popescu shares the tools and processes adopted by Yelp to enable its security team to keep a handle on alerts by making them actionable and maintainable, such as knowing how often they are firing and having a run-book for writing new alerts.
8. E. COLEEN COOLIDGE
How to Build a Security Team and Program
@COLEENCOOLIDGE
Coolidge shares her war stories on how she was able to build a security team and program from scratch, sharing lessons learned on getting executives on board and hiring and retaining talent.
9. KARTHIK RANGARAJAN
Access Control with Concierge
@ADDEPAR
Third-party SaaS services are common among startups – ITOps teams have to live the nightmare of managing access to these tools in addition to internal services. Rangarajan discusses how Concierge can help make this process less painful.
10. TONY MARTIN-VEGUE
Game Theory & Ransomware
@TDMV
In the event of a ransomware infection, should you pay? The answer is a little more nuanced than “never pay” or “always pay.” Martin-Vegue introduces concepts of game theory to help analyze this complex scenario of incentives and payoffs.
11. RUSSELL C. THOMAS
The Cyber Insurance Emperor Has No Clothes
@EXPLPOSSIBILITY
Thomas offers an alternative point of view on cyber insurance, describing 10 reasons why cyber insurance is a misfit for the ‘job to be done.’
12. CHRIS STEIPP AND VIVIAN HO
Better SSH Management with Ephemeral Keys
Steipp and Ho describe how the combination of Netflix’s Bless and Lyft’s open-source Blessclient has allowed Lyft to improve the security of its SSH accounts, as well as empower engineers to manage their SSH keys themselves.
13. ROBERT WOOD
Regulation vs. Security
@ROBERTWOOD50
Wood deliberates strategies that security teams and leaders can use to navigate the murky waters of bureaucracy, compliance and politics to achieve the security goals they’re striving for.
14. JONATHAN FREEDMAN
Opinion-less Enforcement of Opinions on Operational Secrets
@OTAKUP0PE
“I felt people needed to know what space they were in, in order to have a sense of their rights,” he said, recalling the time when he realized the federal government had discovered the Internet.
Freedman and team developed a new tool to provide a data-driven approach for provisioning secrets into Vault – their storage tool of choice – in order to prevent an irreconcilable mess of operational secrets.
15. CLAUD XIAO
The Underground Economy of Apple ID
@CLAUD_XIAO
Xiao presents several real-world attacks involving Apple IDs, which have affected a huge number of users globally. Xiao explains how the attacks could have been carried out, what Apple has done to mitigate the issue, and how we can protect ourselves with existing solutions.
16. For the latest security news, trends and insights, visit:
WWW.TRIPWIRE.COM/BLOG
Don’t miss the next BSides event near you! For more information, visit:
WWW.SECURITYBSIDES.COM