(coming soon!)
October 2018 DevSecCon London 2018 Building Effective DevSecOps Teams Through Role-Playing Games

October 2018 (ISC)2 Security Congress DevOps Is Automation, DevSecOps Is People
October 2018 STAR West Software Testing Conference Measuring and Maximizing Crowdsourced Vuln Discovery
February 2018 DevSecCon Singapore Measuring and Maximizing Vuln Discovery Efforts
January 2018 OWASP AppSec Cali 2018 DevOps Is Automation, DevSecOps Is People
October 2017 DevSecCon London The Flaws in Hordes, the Security in Crowds
September 2017 (ISC)2 Security Congress Crowdsourced Security: The Good, the Bad, and the Ugly
June 2017 RVASec 2017 Managing Crowdsourced Security Testing
May 2017 AppSec EU 2017 The Flaws in Hordes, the Security in Crowds
April 2017 SOURCE Boston 2017 Crowdsourced Security — The Good, the Bad, and the Ugly
November 2016 ISACA Silicon Valley 2016 Fall Conference Evolving a Bug Bounty Program
October 2016 SOURCE Seattle 2016 Evolving a Bug Bounty Program

(preview on Brakeing Security podcast)

October 2015 SOURCE Seattle 2015 Battling Geologic Time
July 2014 RSA APJ 2014 CDS-W07 – Building and Breaking Privacy Barriers
February 2014 RSA USA 2014 DSP-R04A – Is your browser a User Agent, or a Double Agent?
October 2013 Hack in the Box Kuala Lumpur CSRF Lab & Session Origin Security
September 2013 Hacker Halted USA Using HTML5 to Make JavaScript (Mostly) Harmless
July 2013 BlackHat USA Dissecting CSRF Attacks & Countermeasures

(co-speaker with @tukharian)

May 2013 RVAsec 2013 JavaScript Security & HTML5
February 2013 RSA USA 2013 ASEC-F41 – Using HTML5 WebSockets Securely
February 2013 B-Sides San Francisco 2013 JavaScript Security and HTML5
December 2012 BayThreat 2012 WebSockets Unplugged

(co-speaker with @sshekyan and @tukharian. video)

October 2012 RSA Europe 2012 ASEC-303 – Cases of JavaScript Misuse and How to Avoid Them
August 2012 BlackHat USA 2012 Hacking With WebSockets

(co-speaker with @sshekyan and @tukharian)

May 2012 ITWeb Security Summit HTML5 Unbound: A Security & Privacy Drama

(Check out the supplemental article, then parts II, III, and IV.)

May 2012 OWASP/ISSA Bletchley Park Graveyards & Zombies: How HTML5 Improves Security. Mostly.
October 2011 RSA Europe 2011 ASEC-201 – HTML5 Security Pitfalls
February 2010 RSA USA 2010 SPO1-203 – Does Web 2.0 Need Security 2.0?
January 2006 IT Underground, Berlin 2006 Automating SQL Injection Exploits

(Conference was canceled, but slides were finished.)

Podcasts & Webcasts

September 11, 2018 Humans of Infosec An interview in purple — Ep 14 Tanya Janca: Hacking Purple and Defending Developers
August 7, 2018 Humans of Infosec Interviewing a pen tester — Ep 12 Georgia Weidman: Writing books, riding horses, and starting companies
February 26, 2018 Humans of Infosec Kicking off the podcast — Ep. 1 – Mike Shema
March 2017 A Promethean Struggle — PCI’s Lessons for Passwords
slides | video (behind regwall) | notes
February 2017 Out of the AppSec Abyss — What’s making modern appsec effective?
slides | video (behind regwall) | notes