• There are a ton of infosec conferences throughout the world, which means there’s lots of opportunity to deliver research, ideas, and educational presentations.

    OWASP and Security BSides provide community support for small regional events. BSides launched in 2009 and celebrated its 1,000th event almost exactly 15 years later in July 2024.

    So yeah, lots of opportunities.

    All those events need speakers! Many conferences even provide resources for first-time speakers. Giving presentations is an excellent way to develop and practice communication skills. Of course, not everyone needs to (or wants to) present to a group of strangers. But those communication skills are equally useful in smaller group settings in a work environment.

    Odds are good that you’ll find the need to present something about your work more than once throughout your career.

    Here’s a recap of some past episodes and references.

    Crafting CFPs

    Be clear and avoid filler words. Generate excitement in the abstract and show why your work stands out.

    An LLM might be helpful for a first draft, especially if you’re submitting to an English-language conference and English doesn’t come naturally for you. But LLMs are going to add a lot of filler and throwaway phrases – keep the writing concise, focused, and in your own voice.

    Your voice is what makes an abstract stand out and a presentation more enjoyable to attend.

    Drafting Presentations

    There are a ton of subjective preferences. But a lot of people agreed on avoiding walls of text in your slides, using humor in a way that feels comfortable for you to deliver (and move on from if it bombs), and crafting your message to reinforce a few take-aways rather than overwhelming the audience with everything you think they should know.

    Practicing the Presentation

    Practice. Practice with someone who will give constructive feedback.

    If you’re going to do a demo, always have a recorded version ready.

    Episodes

    Pointers and Perils for Presentations (ep. 251)

    Josh Goldberg talked about communication skills, putting together presentations, and the stumbles he’s made along the way. It’s a topic that should appeal to anyone who wants to speak at conferences.

    No one wants to sit through a boring presentation. No one wants to deliver a boring presentation, either. Josh shared tips and techniques for creating abstracts for CFPs and drafting slides for success. John Kinsella helped round out the segment with several stories and advice of his own.

    Creating Presentations and Training That Engage an Audience (ep. 257)

    Lina Lau gave us examples of how she crafts and delivers presentations. We talked about what kinds of presentations keep our attention and the kinds that put us to sleep.

    This segment also highlighted crafting presentations to a specific context and audience. Lina has given rundowns of APT activity to executives and board members, technical presentations at conferences, and multi-day training courses. Each of those scenarios requires a different approach in the level of detail, calls to action, and even interaction with the audience.

    Communicating Technical Topics Without Being Boring (ep. 269)

    Eve Maler shared recommendations for communicating technical topics to different audiences. This time we focused on the importance of communication skills at work. Be clear about the audience, develop an audience persona, and empathize with it. CISOs tend to be a skeptical audience.

    One of Eve’s points really stood out for me:

    Don’t share with the audience everything you know, share what they can absorb.

    Getting Your First Conference Presentation (ep. 271)

    Sarah Harvey gave a conference organizer’s perspective. She shared some of her own techniques for crafting slides and giving a coherent conference talk. She also explained how conferences like BSides SF actively support new speakers by offering practice sessions and constructive feedback. Giving constructive feedback is its own skill and one that’s relevant to corporate environments in addition to conferences.

    Sarah also had a great comment on inspiration:

    For a while I always hated giving presentations, but that was because it was a topic I didn’t like.

    Find a topic you like. Research it. Write down ideas. Share your work!

    Subscribe to ASW to find these episodes and more! Then check out the previous topic recap on AI & LLMs.

    ASW on Apple Podcasts

    • • •
  • February should have been cybersecurity awareness month. It’s the shortest month and occasionally off by one.

    We filled up every Monday with a fun new conversation.

    Ep. 316 - Threat Modeling That Helps the Business

    Threat modeling has been in appsec’s toolbox for decades. But it hasn’t always been used and it hasn’t always been useful. Sandy Carielli shared what she learned from interviewing orgs about what succeeded and what failed in their approaches to threat modeling. Akira Brand returned to talk about her direct experience in creating threat models with developers.

    One of my biggest recommendations on threat modeling is to use it to talk about the features and workflows being built. Don’t go through every endpoint and ask if it’s vulnerable to XSS or SQL injection. Focus on what the app is intended to do and how the developers intended it to work. Save the endpoint enumeration for scanners.

    Ep. 317 - Code Scanning That Works With Your Code

    Code scanning is one of the oldest appsec practices. In many cases, simple grep patterns and a few fancy regular expressions are enough to find many obvious software mistakes. Scott Norberg shared his experience with encountering code scanners that didn’t find the .NET vuln classes he needed to find and why that led him to create a scanner from scratch. We talked about some challenges in testing tools, making smart investments in engineering time, and why working with .NET’s compiler made his decisions easier.
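    As an added illustration of the grep-and-regex approach that paragraph mentions (example code written for this recap, not Scott’s scanner or any project’s code; the C# lines are constructed for the example and the rule names are hypothetical), here is a minimal line-oriented scanner for SQL built from string concatenation or interpolation. It also shows where the approach runs out: a query that travels through a variable is invisible to a per-line regex, and a looser rule that catches it also flags a harmless constant.

```python
import re
from typing import List, Tuple

# Constructed sample standing in for a few lines of a .NET code base.
# Written for this example only; not taken from any real project.
SAMPLE_CSHARP = """\
var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = '" + name + "'", conn);
var safe = new SqlCommand("SELECT * FROM Users WHERE Name = @name", conn);
safe.Parameters.AddWithValue("@name", name);
var query = $"SELECT * FROM Orders WHERE Id = {orderId}";
var cmd2 = new SqlCommand(query, conn);
string sql = "DELETE FROM Logs WHERE Age > 30";
var cmd3 = new SqlCommand(sql, conn);
"""

# (rule name, severity, compiled regex). Names and severities are hypothetical.
# "high": the query text is visibly assembled from runtime values on this line.
# "review": a non-literal is passed to SqlCommand; a regex cannot tell whether
#           that variable holds a constant or user input, so a human must look.
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("sql-concat", "high",
     re.compile(r'new\s+SqlCommand\s*\(\s*"[^"]*"\s*\+')),
    ("sql-interpolated", "high",
     re.compile(r'\$"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"]*\{')),
    ("sql-variable", "review",
     re.compile(r'new\s+SqlCommand\s*\(\s*[A-Za-z_]\w*\s*,')),
]


def scan(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, severity) for each line matching a rule.

    Purely line-local: no parsing, no data flow. That is what makes it cheap
    and also what makes it miss a tainted string once it is assigned to a variable.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, severity))
    return findings


def high_confidence(findings: List[Tuple[int, str, str]]) -> List[int]:
    """Line numbers a team would fix without further triage."""
    return [lineno for lineno, _, severity in findings if severity == "high"]


if __name__ == "__main__":
    for lineno, name, severity in scan(SAMPLE_CSHARP):
        print(f"line {lineno}: {name} [{severity}]")
```

    Running it flags lines 1 and 4 as high confidence. Line 5, where the interpolated query from line 4 is finally passed to SqlCommand, only surfaces under the loose "review" rule, and that same rule also flags line 7, which is a constant. Closing that gap without drowning in review items means tracking values across lines, which is the kind of work a compiler-backed analysis does for you.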

    Scott’s approach to pentesting really resonated with me:

    I view it as my job not to find all the instances of three different classes of vulnerabilities; it’s to find as many different classes of vulnerabilities as I can.

    Ep. 318 - Top 10 Web Hacking Techniques of 2024

    We’re close to two full decades of celebrating web hacking techniques. James Kettle shared his favorite ones, the list’s importance to the web hacking community, and what inspires the kind of research that makes it onto the list.

    We discussed why eternal flaws like XSS and SQL injection keep showing up on these lists year after year and how clever research is still finding new attack surfaces in old technologies. He also explained how there’s a lot of new web technology still to be examined, from HTTP/2 and HTTP/3 to WebAssembly.

    Ep. 319 - Developer Environments, Developer Experience, and Security

    Understanding developer needs and what makes for a positive developer experience makes appsec more successful. Dan Moore stopped by to talk about what devs are doing to make their lives better and where security has the opportunity to assist.

    I’m thankful to see appsec move on from checklists. However, a whole lot of the “shift left” concept sounds like a checklist by any other name. We discussed where it makes sense to run security tools and why trust boundaries need to be part of any discussion around securing dev environments and CI/CD pipelines.

    Subscribe to ASW to find these episodes and more! Then check out the January 2025 recap.

    ASW on Apple Podcasts

    • • •
  • Thanks for keeping us company throughout 2024 and joining us for a new year!

    We started another solar cycle of appsec with a simple desire: Let’s have designs and defaults that minimize flaws, and reduce the damage that an exploit can cause.

    Ep. 312 - DefectDojo and Bringing Quality Appsec Tools to Small Appsec Teams

    Greg Anderson talked about the origins of OWASP’s DefectDojo and why orgs still struggle to distinguish flaws they need to fix from those with negligible risk. The conversation turned to familiar challenges like tool quality, vuln prioritization, and proactive security practices. But we also talked a bit about the types of flaws (hi business logic!) that all scanners struggle to identify.

    Ep. 313 - Discussing Useful Security Requirements with Developers

    Then we went to the dev side of security with Ixchel Ruiz. She brought her experience as a Java developer to help us talk about what good security requirements can look like. Developers don’t approach areas like quality and performance with the expectation to fix all those things at once. They measure and prioritize, looking for ways to make a big, positive impact on their code. Having clear goals and requirements for security makes its parallels with software quality even more obvious.

    Ep. 314 - Appsec Predictions for 2025

    It took us three weeks to get into the 2025 predictions game. Cody Scott shared what he and his colleagues see for cybersecurity and privacy throughout this year. Sure, it’s a safe bet to mention genAI, but in this case we went looking for its value to appsec and came up short. And, if CISOs are being cautious with their budgets for genAI-powered appsec tools, they’re shoring them up for breach-related costs. Surprisingly (to me, at least) OT made the list for this year, so Cody had to explain why it’s more than just the perennial technical concern about code quality. We’ll make sure to have him back in December to see how these predictions held up.

    Ep. 315 - Securing the AI SDLC

    Niv Braun closed out the month with a conversation on the AI SDLC. My immediate question when seeing adjectives before SDLC is what makes it different from “just software” like we’ve had for decades. Niv noted how ML and data science teams have had security needs for years before we started calling everything AI. Then he illustrated the differences between AI-related and AI-specific security concerns with handling data and designing systems. I enjoyed hearing examples and advice that called out FUD and focused on real problems that orgs have today.

    Subscribe to ASW to find these episodes and more! Also check out the December 2024 recap.

    ASW on Apple Podcasts

    • • •