Day 1 (Thursday) - Main Track

This panel features senior cybersecurity leaders and covers real security issues and priorities facing both private and public sector organizations.
Topics covered will range from Quantum to compliance to AI with an emphasis on what’s needed to make implementations successful.

Laptops have become ubiquitous in modern times. An all but guaranteed organizational asset that quite literally holds keys to the kingdom, in every employee’s hands. For an attacker, what’s not to love? From large government organizations to fortune 500 companies, these assets are constantly on the move and often poorly secured against advanced threat actors seeking to extract their secrets. Encryption at rest is NOT enough in 2025! And I can show you why.

This talk will showcase methodologies used by our offensive security team to penetrate well-hardened, modern laptops during engagements we call “stolen laptop scenarios”. No power? No credentials? No problem! We push the envelope to the limit of what can be realistically expected of next-generation adversaries. We begin by exploring the potential impact that a compromised laptop can have on an organization, briefly discussing potential lateral movement through extracted domain credentials, tickets, certificates, cookies, and sensitive data. After exposing the audience to the value obtained through physical compromise, we will discuss real attack vectors, with examples and video demos.

We will explore together direct-memory access attacks, the physical and logical implementations of these techniques, defenses, bypasses, and more. On the menu is an overview of PCI Express technology, DMA hardware including FPGA boards and what we do with them, practical demonstrations of attacks against modern laptops, countermeasures introduced by hardware vendors to protect against these attacks, and ways that attackers circumvent these protection mechanisms. Naturally, we will discuss BIOS/UEFI security, how it relates to DMA, and how we exploit pre-boot environments to gain access to a stolen computer. This includes showcasing physical attacks against BIOS EEPROM chips using a universal programmer.

Finally, we will talk about encryption at rest, specifically BitLocker, TPM implementation, and the potential implications of using these technologies for attackers, with a focus on why these are not sufficient for preventing attackers with physical access from compromising a PC. This section will culminate with an exploit demonstration compromising windows OS from UEFI via DMA when all modern countermeasures are enabled. Of course, we will discuss proper configuration that can limit or eliminate these attack vectors as well! We will discuss open-source tooling such as PCILeech, MemProcFS, UEFITool, etc, and some closed source tooling including XGPro.

Cyber defenders wage daily battles against increasingly sophisticated threat actors. In many cases the tools defenders use remain unchanged for decades. If defenders are to gain the upper hand, we need to take new approaches and evolve the rules. After all, those who write the rules, win (leges qui scribit, imperat). Join John Weigelt, CTO Microsoft Canada, as he provides a backdrop of the controls and rules that guide cyber, discusses the gaps and explores opportunities for change.

What happens when a late-night napkin sketch turns into a mobile app that must pass TSA checkpoints and government audits?

This is the real-world story of how we partnered with an ambitious state government to transform the physical driver’s license into a Digital ID — a mobile identity platform trusted by police, retailers, and airport security. Built from the ground up, the app enables users to prove identity, purchase age-restricted items, and even board flights — all from their phone.

But this wasn’t just an app launch. It was a high-stakes journey where security was the product — and there was no playbook to follow.

In this 45-minute talk, we’ll walk through the technical and organizational gauntlet we faced, and share real artifacts, patterns, and missteps from taking a net-new product through:
– SOC2 certification (including the app, cloud stack, and even manufacturing plants),
– biometric verification challenges,
– evolving privacy regulations,
– and eventual TSA acceptance.

Updated in this version of the talk: We’ll highlight lessons learned post-launch — what worked, what didn’t, and how real-world usage patterns forced critical design changes. We’ll explore how some well-meaning security decisions, like one-time tokens or strict expiration windows, backfired by confusing users or blocking adoption — and how we course-corrected under pressure.

You’ll walk away with:
– A reusable blueprint for building certification-ready products from scratch.
– A DevSecOps pipeline pattern that enforces security, triages defects, and feeds directly back to developer queues.
– A proven threat modeling approach that builds cross-team trust fast.
– Tactics for executive risk scoring that move audits and legislation forward.
– Lessons from breaking (and fixing) facial recognition, blockchain-based claims, and 3rd-party identity verifiers.
– How to detect and resolve security features that hurt usability or adoption, including warning signs from live telemetry, user support channels, and conflicting 3rd-party expectations.

We’ll unpack key stories:
– How digital identity actually works — and how to test what can go wrong.
– Where real-world standards failed us — and how we adapted.
– The surprising ways 3rd-party assurance almost derailed launch.
– What happens when a production endpoint is stolen and taken to a dark alley.
– Getting TSA sign-off (and how our users helped us get there).

If you’ve ever been told “make it secure and ship it fast” with no roadmap and public scrutiny looming — this talk is your playbook

The rapid evolution of software engineering has transformed Application Security (AppSec) into a constantly shifting battlefield. Traditional security approaches are no longer enough—modern pipelines demand a strategic, multi-layered defense. In this talk, we’ll explore how AppSec practitioners must adapt to stay ahead of emerging threats.

I’ll introduce the three essential disciplines of AppSec:

Security In the Pipeline (SIP): Protecting the code, dependencies, and infrastructure as they move through the development lifecycle.
Security Of the Pipeline (SOP): Securing the CI/CD tooling, environments, and processes to prevent supply chain compromises.
Security Around the Pipeline (SAP): Addressing external threats, insider risks, and adversarial attacks targeting the entire ecosystem.
Drawing from real-world adversarial security research, I’ll highlight the biggest challenges in each domain and present practical mitigation techniques that security, DevOps, and engineering teams can apply immediately. Attendees will gain insights into common attack vectors, best practices for securing CI/CD workflows, and emerging trends shaping the future of AppSec.

By the end of this session, you’ll walk away with a holistic security framework that ensures your pipelines remain secure, resilient, and future-proof. Whether you’re an AppSec engineer, security beginner, or interested in DevSecOps practitioner, this talk will provide actionable strategies to help you navigate the ever-evolving AppSec landscape.

Don’t just secure your code—secure your entire pipeline!

For years, we tested forms. Then we tested APIs. Now we’re testing the brains inside your apps.

In this fast-paced, practical talk, we’ll walk through the emerging art of hacking AI chatbots from the perspective of a penetration tester. You’ll see how prompt injection works (and the many forms it can take), why indirect manipulation is especially dangerous, and what developers get wrong when embedding AI assistants into apps, especially when those assistants act as logic engines, personal coaches, or API middlemen.

We’ll break down the anatomy of a typical chatbot-powered feature, explore real-world examples, and walk step-by-step through how to bypass filters, extract sensitive data, and hijack intent. As automated tools and AI begin to catch traditional bugs, this emerging attack surface demands a new skillset. We’ll see how chatbot security isn’t just about filtering obvious words, it’s about detecting intent, even when that intent is buried or disguised.

If you’re testing modern apps and ignoring the chatbot, you’re leaving the brain unguarded.