



Security BSides San Francisco, 2015 conference review

Apr 28, 2015

The three top presentations from the annual security conference

Have you ever wanted to get in a time machine and go back to when security industry visionaries were just starting out? Imagine meeting Martin Roesch when he was writing the first version of Snort or Bruce Schneier as he was just putting his ideas down for Applied Cryptography. I don’t have a DeLorean, but I can do the next best thing. I can take you to a place where tomorrow’s thinkers are forming their ideas and honing presentation skills, today.

That place is Security BSides San Francisco. BSides is a community-driven phenomenon that occurs across the globe. In fact, there is probably a BSides event occurring each week, somewhere. The BSides events range from small, one-day events to very large, multi-day, multi-track events such as San Francisco and Las Vegas.

BSides San Francisco was held this year on April 19 and 20 and it brought the industry together for an exciting two days filled with discussions on latest threats and solutions to industry-wide issues. There were 33 top-notch talks spread across two tracks, ranging from in-depth analysis of technical topics to professional development and skill enhancement presentations. Most talks were recorded and posted online so I was able to see everything that was interesting to me even though I could only be in one place at a time. There were, of course, a few misses (there always are) and I do feel that having a speaker mentorship program like BSides Las Vegas has would improve speech quality and presentation skills.


If you have three hours to spare, here are the best talks from BSides SF.

(Disclaimer: I was a speaker at BSides SF, but I’m not going to review my own talk)

Medical Device Security – From Detection to Compromise

By Adam Brand and Scott Erven

One quote that was very memorable from the speech is “Privacy is important, but I want to be alive to enjoy it.” These two ideas, privacy and saving lives, sum up the seemingly contradictory forces in the medical device industry, but the speakers made the case that the two are not necessarily mutually exclusive. Medical instruments save lives every day and as technology improves, they evolve into very intelligent, networked devices. For example, think of a dialysis machine that sends information in real time back to doctors regardless of where the patient is.

The presentation included comprehensive research that was eye-opening and frightening at the same time. Malicious actors could cause lethal results and the ease with which someone could do this is scary. Much of my tin-foil hat paranoia was confirmed by this speech. The speakers ended the talk with a call to action, asking each and every audience member to get involved and become advocates for medical device security.

HIPAA 2015: Wrath of the Audits

By W. Hudson Harris

“HIPAA 2015: Wrath of Audits” was a great presentation by Hudson Harris on HIPAA compliance, introduction to risk assessment methodology and approaches to achieving compliance. Gauging audience reaction and talking to some folks afterwards, those not actively employed by organizations governed by HIPAA probably got the most out of the presentation because it introduced new concepts. HIPAA, the Health Insurance Portability and Accountability Act of 1996, covers many areas, but the presentation focused on the provisions of the law that address privacy, security and confidentiality of patient health records.

Harris spent a good amount of time walking the audience through risk assessment methodology, based on the NIST Risk Management Framework. Risk management is a complex discipline and is the cornerstone of any good information security program. Hudson was able to take a complicated process and present it in terms that were very easy to understand. The audience left the session with the understanding of why taking a risk-based approach to compliance is the most efficient and effective way to achieve security goals.

Hacker or criminal? Repairing the reputation of the infosec community

By Melanie Ensign

I’ve always thought that the Information Security community needs to bring in people from outside the traditional intake fields (software development, system administration) to solve our problems. Melanie Ensign, a media relations and communications adviser, is the perfect example of this.

Her talk had all of the components of a lively and engaging presentation: it was funny and insightful, and it provided actionable advice to attendees. Her message is that the information security community does a poor job of managing our story and reputation, so we let management and vendors do it for us. As a result, we have the reputation of being curmudgeons and obstructionists who can’t really achieve effective security without outside intervention. She spent very little time setting up the problem and dedicated most of her time to providing actionable advice on how each individual can implement reputation management techniques today.

Melanie is truly elevating our profession. If you want to be inspired and energized, watch this talk.

Next year, expect more of the same – high quality, engaging talks from up-and-coming security leaders. You should put BSides San Francisco on your must-see list of security conferences.

See all BSides San Francisco videos here

Other reviews of the conference:

By Fernando Montenegro: Day 1 and Day 2
Tripwire’s State of Security blog: Day 1 and Day 2


Tony Martin-Vegue is a 20-year technology industry veteran who started out as a Windows 3.1 phone support technician and worked his way up by running network cabling through ceilings, winning (and losing) in the late-1990s – early 2000s dot-com bubble and leading network operations teams. In the more recent past, Tony has worked in the financial services sector helping firms establish frameworks for enterprise risk assessments, developed advanced threat modeling tools, educated on risk analysis techniques and consulted on security for large-scale IT projects. Tony currently works at a large global retailer leading their cyber-crime program by researching emerging threats, assessing risk and fighting fraud.

Tony holds a Bachelor of Science in Business Economics from the University of San Francisco and holds many certifications including CISSP, CISM and CEH.

Tony lives in the San Francisco Bay Area, is a father of two and enjoys swimming and biking in his free time.

The opinions expressed in this blog are those of Tony Martin-Vegue and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.