The State of Security at BSides Austin 2024

AI is all the rage in our new security landscape.

Security
Reflections

January 8, 2025

A spread of BSides t-shirts and badges.


Images courtesy of Nathan Latsha.

As I've continued to pivot my career into cybersecurity, I had the pleasure of attending BSides Austin this past December for my first conference as a professional! The organizers did a fantastic job, and I got so much more out of it than I was expecting.

Held at the J.J. Pickle Research Campus (a mysterious network of buildings next to The Domain that has eluded me for years), the conference took place over two days with plenty of fantastic speakers, workshops, and networking opportunities. I took my laptop to take notes in every session and I highly recommend it, as I was able to save so many great resources for reference later (e.g. links to GitHub repos and LinkedIn profiles to connect with the speakers after the conference).

While I was attending talks, I was balancing my time with buying my first house—so things were hectic to be sure! But once everything slowed down, I took some time to look back over my notes and figure out what the key takeaways were across this event.

"Fancy" AI doesn't require fancy security

"Sasha the Dancing Flamingo" was an important presence in Kat's talk.


In what was by far the best talk I went to at BSides, the hilarious and charismatic Google engineer Kat Fitzgerald set out to dismantle the perceived advantages of the surge in AI security tools. Through a combination of statistical evidence and funny anecdotes from her career in penetration testing, she made a convincing case that we as engineers need to take a step back and recognize the power of our existing toolkits.

Much of her talk laid out how she used tools she already trusted, such as Prowler and Wazuh, to find vulnerabilities in generative AI deployments. She also pointed out that many security holes in AI systems have the same roots we've known about for years, such as misconfigurations in cloud environments.

Fitzgerald was not the only one to raise this point amongst the speakers. And the irony was palpable given that, outside these same conference rooms, there were a litany of companies all selling an AI SOC solution with a pretty bow on it!

Pipelines continue to be neglected

A packed room of attendees for one of the talks.


Many organizations continue to overlook the importance of security in their CI/CD systems. And this is where the consequences can be the most dire; imagine malware baked into one of your Docker images and then deployed everywhere!

Mistakes here can bring down an entire cloud infrastructure. Furthermore, most CI/CD providers share the same basic model (a YAML pipeline definition, runners that execute jobs, and secrets injected into those jobs), so a technique that works against one usually transfers to the others. Talks such as the one given by Offensive Security Engineer Blake Hudson highlighted great strategies for finding vulnerabilities in pipelines. A few examples included searching for hardcoded secrets, finding the dot-folders that hold pipeline definitions (such as `.github/workflows/` or `.circleci/`), and examining the pipeline YAML itself to pen test the pipeline.
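To make those three hunting steps concrete, here is an added example of my own (not code from the talk or from any project): a small scanner that walks a repository tree, lists the dot-folders and files that define pipelines, greps for hardcoded secrets, and runs a few regex checks over GitHub Actions YAML for the classic mistakes (a `pull_request_target` workflow that checks out the PR's own code, untrusted event fields interpolated into `${{ }}` expressions, and `write-all` token permissions). The repository contents are constructed inline so it runs offline; the rule names, patterns and sample files are my assumptions, not any tool's output.

```python
import re
from dataclasses import dataclass

# Constructed sample repository tree (path -> contents). Invented for this
# example; the files and the "secrets" in them are not from any real project.
SAMPLE_REPO = {
    ".github/workflows/pr.yml": """\
name: PR build
on:
  pull_request_target:
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Building ${{ github.event.pull_request.title }}"
      - run: ./build.sh
        env:
          AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
""",
    ".circleci/config.yml": "version: 2.1\njobs:\n  build:\n    docker:\n      - image: cimg/base:stable\n",
    "src/app.py": "print('hello')\n",
    "deploy/settings.py": "DB_PASSWORD = 'hunter2-prod'\n",
}

# Dot-folders and well-known files where pipeline definitions live.
CI_DIRS = (".github/workflows/", ".gitlab/", ".circleci/", ".buildkite/")
CI_FILES = (".gitlab-ci.yml", "Jenkinsfile", "azure-pipelines.yml")

# Hardcoded-secret patterns (assumed shapes; a real scan would use many more).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_password": re.compile(
        r"(?i)(password|passwd|secret|token)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}

# Event fields an outside contributor controls; interpolating them into an
# expression lets them inject shell into a `run:` step.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*github\.(event\.(pull_request\.(title|body|head\.ref)"
    r"|issue\.(title|body)|comment\.body)|head_ref)\s*\}\}")

@dataclass(frozen=True)
class Finding:
    path: str
    line: int    # 1-based line number within the file
    rule: str
    detail: str

def find_ci_locations(repo):
    """Return paths that define pipelines: known dot-folders and config files."""
    return sorted(p for p in repo
                  if p.startswith(CI_DIRS) or p.rsplit("/", 1)[-1] in CI_FILES)

def find_hardcoded_secrets(repo):
    """Line-by-line grep of every file for the secret patterns above."""
    out = []
    for path, text in repo.items():
        for n, line in enumerate(text.splitlines(), 1):
            for rule, pat in SECRET_PATTERNS.items():
                if pat.search(line):
                    out.append(Finding(path, n, rule, line.strip()))
    return out

def audit_workflow(path, text):
    """Regex checks over a GitHub Actions workflow (text only, no YAML parser)."""
    out = []
    # pull_request_target runs with the base repo's secrets; checking out the
    # PR head there hands those secrets to whatever code the PR contains.
    privileged = re.search(r"\bpull_request_target\b", text) is not None
    for n, line in enumerate(text.splitlines(), 1):
        if privileged and re.search(
                r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)", line):
            out.append(Finding(path, n, "pwn_request",
                               "pull_request_target checks out untrusted PR code"))
        if UNTRUSTED_CONTEXT.search(line):
            out.append(Finding(path, n, "untrusted_context_in_expression",
                               "pass the value through an env var instead"))
        if re.match(r"\s*permissions:\s*write-all\b", line):
            out.append(Finding(path, n, "broad_token_permissions",
                               "GITHUB_TOKEN granted write-all"))
    return out

def scan_repo(repo):
    """Run all three hunting steps and return findings ordered by location."""
    findings = find_hardcoded_secrets(repo)
    for path in find_ci_locations(repo):
        if path.startswith(".github/workflows/"):
            findings.extend(audit_workflow(path, repo[path]))
    return sorted(findings, key=lambda f: (f.path, f.line))

if __name__ == "__main__":
    print("pipeline definitions:", find_ci_locations(SAMPLE_REPO))
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line} [{f.rule}] {f.detail}")
```

Against the constructed tree this reports the two pipeline locations and five findings: the `write-all` permissions, the PR-head checkout under `pull_request_target`, the PR title interpolated into a `run:` step, the AWS key in the workflow's `env:` block, and the password literal in `deploy/settings.py`. Regex over YAML is deliberately crude (it will miss multi-line `run: |` blocks whose injection sits on a later line and it does not follow reusable workflows), but it is the same triage you would do by hand before pulling out a proper pipeline scanner.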

Blake was super nice to talk to as well! He recommended some great resources to learn penetration testing such as IppSec's video walkthroughs of HackTheBox.

The cybersecurity field is more important than ever!

One of the most common sentiments across the entire conference was the idea that we are needed more than ever. In 2023, data breaches went up by 72% compared to 2021, even while companies continue to allocate record budgets to security. The payoff from these investments is clearly not there yet. Thus, we need innovation, a proactive rather than reactive security mindset, and higher security awareness on all sides of the business as we look to continue shifting left.

The event was an absolute joy and I think BSides is a great first tech conference for people new to this field. The smaller environment and more personable setting makes everything very approachable. I walked away feeling enlightened, forming new connections, improving my security toolkit, and adding some more mugs to my coffee cabinet!


© 2023-2025 Developed by Fernando Sesma