CFPs

Inspired by Justin Garrison, I’m sharing a log of all my CFP submissions.

Slides are available for all given talks over on SpeakerDeck.


2025

You Are Not Netflix: Learning from Conference Talks

Accepted fwd:cloudsec USA 2025

Conference talks share solutions built for specific contexts—scale, constraints, and resources that likely don’t match yours. This talk teaches how to extract actionable insights while avoiding the trap of cargo-culting Netflix-scale solutions.

Scale Security Programs with Scorecarding

Accepted OWASP AppSec EU 2025

Security scorecards provide visibility, accountability, and a framework for prioritization. This talk covers how to design, implement, and iterate on scorecarding programs that actually drive security improvements.

2024

Lessons in Security Partnership

Rejected SecurityFest 2025

As security moves beyond the “Department of No,” partnership has become core to baking security into software. However, security teams are often reinventing and rediscovering partnership skills from scratch. This talk will use personal narratives of effective and ineffective partnerships to teach how to build a proactive and collaborative relationship between Security and its key stakeholders. Learn from my mistakes. Leave this talk empowered and informed with specific tactics to build focus, leverage, and alignment.

Outline

Story 1: A story of bad Security Partnership, told via Slack screenshots.

Introduction: Security Partnership

  • Engagement Models: Consultative, Embedded, Champions. Proactive, Reactive.
  • The stakeholders: Eng ICs, PMs, Eng Leaders, Security

Building a foundation for partnership

  • Understand engineering processes
  • Understand the product and the business
  • Credibility: gained in ounces, lost in pounds
  • Relationship: built through proactive partnership
  • The role of internal standards

Story 2: Successful partnership - patch management, aligning on timelines and mitigating controls.

Handling Stakeholders: learn to speak their language

  • PMs want predictability and clean interfaces
  • EMs/TLs want predictability and care about technical requirements
  • Eng ICs care about implementation details

The role of standards

  • Blind application and inconsistent application both have risks
  • Goal: reduce amount of direct partnership (“every consultation is a failure”)
  • Hook into existing processes, like design document templates

Communication guidelines

  • Communicate with empathy
  • Realistic trade-offs
  • Vulnerability impact without jargon
  • Reward communication with the team

Story 3: Multi-quarter CI/CD security project with stumbles but ultimate success.

Partnering - reactive

  • Discovery: build trust and show context
  • Setting security requirements and acceptance criteria
  • Getting agreement: broad framing, minimize work, center impact on people
  • Getting the work done: ownership and sustainability
  • Providing feedback: security should bear the burden of false positives

Escalations

  • Too many escalations are a sign of dysfunction
  • Clean escalations: background, alternatives, tradeoffs in neutral language

How to 10X Your Cloud Security (Without the Series D)

Accepted fwd:cloudsec EU 2024

I’ll summarize and distill the actionable guidance for scaling Cloud Security programs from the vast array of talks and blog posts out there. We’ll blaze through a dense view of what cloud security is, how you can do it more effectively, and what the near future looks like. After the talk, you’ll have practical takeaways, and a lengthy, curated bibliography to lean on.

Outline

This is a blatant rip-off of Clint Gibler’s BSidesSF 2020 talk, but focused on cloud security programs (he’s cool with it!).

Previous related talks:

We’ll cover over a dozen tactics, building on the amazing work in the cloud security community. For example:

  • Service allowlisting massively reduces the area you need to control
  • Once you have service allowlisting, how do you review new services effectively?
  • What can we learn from TrustOnCloud’s threat model approach, Sp0oKeR’s detection engineering, and Wiz’s Cloud Threat Landscape?

The Path to Zero-Touch Production

Accepted fwd:cloudsec 2024

Zero Touch Prod is a Google-ism, and also a good idea. It’s common that engineers, even at companies with strong security programs and cloud-native architecture, organically evolve operational processes that require them to touch production daily.

As security practitioners, it’s our job to keep our companies safe—both from bad actors, and from humans making mistakes. This talk shares my universal theory of how to incrementally and collaboratively move a cloud-native organization to Zero Touch Prod. We’ll talk about why people touch prod, how they touch prod, and what we can do about it.

Outline

Intro (5m)

  • You start with SSH to production boxes
  • Maybe you move to SSM (no internet exposure) or a bastion host
  • Engineers are often touching production for good reason
  • Introduce Zero Touch Prod concept

Values behind Zero Touch Production (5m)

  • Consider your organization and DevEx
  • Values tradeoffs: carrot or stick, paved roads or goat paths, early launch timing

Taxonomy of production access needs (5m)

  • Script running - predefined commands with safe arguments
  • Scheduled Jobs - async, recurring, backfills
  • UI-based Internal Tools
  • Workbench with production data framework
  • Read-only access to safe production data subset
  • Break-glass JIT/Temporal Access

AWS Primitives & Vendor options (10m)

  • Port Forwarding, RDS IAM auth, RunCommand as script runner
  • AWS Verified Access, Cloudflare Access, Okta ASA, ZTNA tools
  • JIT Access synthesis

Case Studies in DevEx (5m)

  • Browser extension for Identity Center sessions
  • Single opinionated CLI flow (aws-vault, granted)
  • Wrapping CLIs for smart role selection, JIT integration, error guidance
  • Single CLI for production access hiding SSM vs EC2 Instance Connect complexity

Securing Terraform with Hybrid SaaS

Rejected BSidesSF 2024 / fwd:cloudsec EU 2024

This talk breaks down the controls and compromises in a real world deployment of a Hybrid SaaS architecture for Terraform Automation. It shows how to make such a system both secure and user-friendly.

Outline

Introduction (5m)

  • Refresher on Terraform Architecture
  • Third party modules and providers

Attacking Terraform Automation (<10m)

  • Review various vendor and OSS solutions
  • Malicious providers and modules
  • RCE in Terraform Plan / “Apply-in-Plan”
  • Secrets in State Files
  • “Task Runs”

Hybrid SaaS (<10m)

  • SaaS control plane, customer owned compute
  • Pros/Cons: customer ownership, management overhead
  • Examples: Buildkite, Spacelift
  • Security model: signed payloads, decreasing trust in control plane

Securing Spacelift @ Figma

Four threats:

  1. “proposed runs” → if you can put up a PR, you can run a Plan
  2. Compromise of engineer session on control plane
  3. Compromise of admin session or Spacelift itself
  4. “tracked runs” → code in master = Apply

Controls:

  • GitHub Approvals + Commit Integrity
  • Private Worker Pool (account isolation)
  • Worker-side validation via GitHub APIs
  • Permission Segmentation between Plans/Applies
  • Semgrep for static analysis
  • Spacelift Policies with role-based approval
  • RBAC in control plane
  • Disable “Task Runs”
  • JIT authorization + detective controls
  • Vendor all Terraform modules
  • Mirror for all Terraform providers
  • Secrets scanning for Terraform state

2023

Beyond the Baseline: Horizons for Cloud Security Programs

Accepted SEC-T 0x0F (2023)

There is a definitive resource for cloud-native companies to build a security program and posture in AWS: Scott Piper’s AWS Security Maturity Roadmap. However, mature programs quickly progress past the end of Scott’s roadmap. This talk takes you on a rapid fire tour beyond the roadmap, focusing on the problems you’ll encounter scaling a cloud security program.

Outline

Context (12m)

  • Biases: engineering oriented security program, zero trust, selling a software product
  • The baseline via Scott’s Cloud Security Maturity roadmap
  • The Netflix influence: “Netflix exists in order to spite the gods, copy them not”
  • Build v. Buy framework from Sabry Tozin

Meat (25m)

Problem space and solutions for:

  • Asset inventory / continuous compliance
  • Secrets Management
  • Secure IaC modules
  • SSH replacement
  • Least Privilege / IAM
  • Account management, vending, and sandbox accounts
  • DFIR
  • Automated remediation
  • Runtime Security
  • Endpoint Monitoring
  • Egress / Perimeter (data, network)
  • Honeytokens

Beyond the AWS Security Maturity Roadmap

Accepted fwd:cloudsec 2023

Scott’s AWS Security Maturity Roadmap is the definitive resource for cloud-native companies to build a security program in AWS. However, for many fwd:cloudsec attendees the roadmap ends too soon. This talk takes you on a rapid fire tour beyond the paved road, comparing approaches and avoiding the trap of undifferentiated work.

Outline

Context (6m)

  • Biases on “the sort of cloud security program” I’m talking about
  • The Netflix influence
  • When I joined Figma: “we’ve shipped the roadmap, help us figure out what’s next”
  • Build v. Buy framework

Meat (14m)

Specific OSS and commercial solutions for:

  • Asset inventory / continuous compliance
  • Secrets Management
  • Secure IaC modules
  • SSH replacement
  • Least Privilege / IAM
  • Account management and sandbox accounts
  • DFIR
  • Automated remediation
  • Runtime Security
  • Endpoint Monitoring
  • Egress / Perimeter
  • Honeytokens

Level Up Your Career: A Panel on Staff+ Engineering

Accepted BSidesSF 2023

What does it mean to be a Staff+ engineer in security, and how can you get there? Come hear our panelists discuss what it’s really like, how you go from Senior to Staff, or whatever you want to learn more about.

Outline

This panel gathers participants from the tldrsec Staff+ Engineering guide.

Format:

  • 90 second introductions from each panelist
  • Pre-seeded questions to start discussion
  • Open floor for audience questions

Sample questions:

  • What’s a week like as a Staff+ engineer?
  • What are the hardest parts of being a Staff+ engineer?
  • What should you do if you feel “stuck” at Senior?
  • What about your Staff+ journey is specific to Security?
  • Is there an IC/Manager Pendulum in Security?
  • What comes after Staff+ for you?

2022

Buying Security: A Client’s Guide

Accepted BSidesSF 2022

You can’t buy security, but vendors play a key role in effective security programs. This talk provides a comprehensive guide to buying and getting value, based on experiences on both sides of the marketplace, a comprehensive literature review, and a survey of clients and vendors of all stripes.

Outline

Why this talk?

  1. Vendor agnostic (⅔ of sources reviewed were vendor blogs)
  2. Built on comprehensive literature review (PTES, Gartner, CREST, NCSC)
  3. Includes survey data from TL;DR Sec’s 8,000+ community

Outline:

  1. Types of Security Services
  2. Common motivations: Compliance, Sales, Investment/M&A, internal attestation, post-breach, risk reduction
  3. Types of Vendors: Enterprise consulting, boutique, specialty, sole practitioner, MSSP, VAR
  4. How to find vendors: Network, research, conference speakers, published research, certifications
  5. Client-side scoping and requirements
  6. Requesting and reviewing proposals (RFP process)
  7. Contracting: Quotes, negotiation, vetting, rules of engagement
  8. Pre-assessment preparation
  9. After the assessment: Readout, reading reports, ingesting results
  10. What comes next

Steal this Security Program

Rejected ShmooCon 2022

Bezos coined “undifferentiated heavy lifting” in 2006. Security is an industry mired in the muck. Much of this work is common and has been solved many times before. This talk separates signal from noise and highlights the best public resources you can use to build your security program.

Outline

Operating principles:

  • This is a maturity shortcut
  • Focus on separating signal from noise
  • Only bring things into your program that you understand
  • Identify a need → fill it

Resources covered:

  • Training: PagerDuty’s sudo, PortSwigger Web Security Academy, Security Champions Playbook
  • Incident management: PagerDuty response guide, Etsy’s blameless postmortems
  • Risk Assessment: Mozilla’s Rapid Risk Assessment, Google’s VSA process
  • Vulnerability Reporting: Disclose.io, Bug Bounty COI
  • Compliance: Adobe CCF, GDPR Checklist, JupiterOne policy templates
  • Hiring: Interview question collections
  • Full programs: GitLab handbook, 18F engineering security

2021

Cloud Security Orienteering

Accepted DEF CON Cloud Village 2021

Most of us are not lucky enough to have architected the perfect cloud environment. Over the course of a career in cloud security, you’ll likely find yourself walking into a new environment and needing to rapidly orient yourself to mitigate risks and develop a sustainable roadmap.

This talk presents a cloud and environment agnostic methodology for getting your bearings when tasked with securing a novel cloud environment.

Full outline: tldrsec.com/p/blog-cloud-security-orienteering

2020

Learning from AWS (Customer) Security Incidents

Accepted BSidesCT 2020

With a focus on AWS, this talk discusses over a dozen different public breaches. We walk through the technical details, identify common root causes, and show how you can proactively secure your environment against these real world risks.

Outline

Prior art:

  • SANS Cloud Security Summit talks
  • fwd:cloudsec “The Usual Suspects”
  • F5 breach highlights

Case Studies:

  • Exposed S3 buckets, managed Elasticsearch
  • CapitalOne
  • Code Spaces
  • DNC Hack (GRU)
  • LA Times, OneLogin, Uber, Imperva, Tesla
  • JW Player, TeamTNT botnet, Cryptomining AMI

Root Causes: Correlate breaches and establish common root causes, comparing to MITRE ATT&CK Cloud matrix.

AWS Security: Easy Wins and Enterprise Scale

Accepted BSidesBOS 2020

Whether your organization has two feet in the cloud, is dipping a toe, or you’re wondering “where do I even start,” this talk covers both extremes: easy wins anyone can apply, and big picture problems to consider as your security maturity or AWS usage grows.

Outline

Introduction (10m)

  • The Cloud, AWS, Shared Responsibility Model
  • Key background: VPCs, EC2, security groups, NACLs
  • IAM: Principal Types, Credentials, Policies, Policy Evaluation

Easy (15-20m)

  • Single account best practices and security services
  • Common account compromise footholds
  • Single account auditing
  • Turnkey encryption

Hard (15-20m)

  • Organizational Architecture
  • Security at scale
  • Encryption and Least Privilege
  • Logging/Monitoring/Alerting
  • Preparing for Incident Response
  • Visibility and multi-account auditing
  • Governance: IaC, AWS Config, SCPs
  • Automatic Remediation

2019

  • Building Castles in the Cloud: AWS Security and Self-Assessment — BSidesCT 2019 (Accepted)
  • AWS Cloud Security Fundamentals (4-hour workshop) — OWASP BASC 2019 (Accepted)