Now in its 27th year, the Black Hat USA conference has grown into one of the biggest and most prestigious cybersecurity shows in the world — a showcase for top security experts and companies.
Experts will journey from across the world to reveal their discoveries and inventions at the Black Hat Briefings, which run August 9-10 — with more than 100 sessions to choose from. With so much to choose from, figuring out which talks to attend is a monumental task.
If you’re attending Black Hat but are at a loss about what talks to see at this year’s show, here's our short list of must-see sessions.
[ See what's in store from ReversingLabs on our event page: ReversingLabs @ Hacker Summer Camp 2023 ]
Keynotes to start your day
Guardians of the AI Era: Navigating the Cybersecurity Landscape of Tomorrow
Wednesday, August 9, 9–10 am | Shoreline Ballroom, Level 2
There’s no greater question in the information security space (or in high tech in general) than what impact fast-evolving artificial intelligence (AI) technology will have on the industry. In this keynote talk, taking place on the first official day of Black Hat USA, Maria Markstedter, founder of Azeria Labs, will be tackling AI’s impact on cybersecurity. At a time when AI technology is being used for everything from sorting through security alerts to forging phishing emails, Markstedter will recount AI’s history and where it is today. She will also discuss considerations that cybersecurity professionals may want to make when weighing the deployment of AI applications, such as what challenges AI tooling may bring.
Acting National Cyber Director Kemba Walden Discusses the National Cybersecurity Strategy and Workforce Efforts
Thursday, August 10, 9–10 am | Shoreline Ballroom, Level 2
Anyone looking to get the 411 on how the U.S. federal government is approaching cybersecurity right now will want to catch this session. The White House’s acting national cyber director, Kemba Walden, will be taking to the Black Hat stage to give an overview of where her office stands almost six months after releasing the National Cybersecurity Strategy. She’ll likely speak about other initiatives connected to this one, such as CISA’s 2024-2026 Cybersecurity Strategic Plan, released last week, as well as the White House’s May 2021 Executive Order on Improving the Nation’s Cybersecurity and the recent publication of the National Cyber Workforce and Education Strategy.
Wednesday’s sessions
Reflections on Trust in the Software Supply Chain
Wednesday, August 9, 10:20–11 am | Islander FG, Level 0
Software supply chain threats and attacks have been one of the most significant trends in cybersecurity over the past five years. And while there have been many proposals for how to address the risk posed by vulnerable supply chains of open-source and proprietary software, the picture can be a confusing one for enterprises and practitioners.
In this Black Hat talk, Jeremy Long, a principal engineer at the firm ServiceNow, will seek to sort out that complicated picture, updating attendees on the current state of software supply chain security as well as the challenges organizations face in securing supply chains for software and hardware. Long will delve into proposed tools and strategies to level-up supply chain security such as supply chain levels for software artifacts (SLSAs), software bills of materials (SBOMs), and code signing, aiming to separate effective means of securing the supply chain from security theater. And he will explore binary-source validation as a promising solution to enhancing the security of the software supply chain.
Fast, Ever-Evolving Defenders: The Resilience Revolution
Wednesday, August 9, 11:20 am–12 pm | Oceanside A, Level 2
There's a pervasive sense that attackers continually outmaneuver us. They are fast. They are ever evolving. How could we possibly outmaneuver them? It’s a truism of cybersecurity that the job of defenders is harder than that of attackers. To compromise an organization, after all, attackers only need to find a single weakness in the cybersecurity armor. Defenders, in contrast, need to be perfect: anticipating and thwarting every effort to undermine their security. History has also shown malicious actors to be far more willing to embrace new technologies and approaches to achieve their end, whereas defenders tend to merely accrue, adopting new tools and techniques without jettisoning the old.
But what if defenders started acting more like attackers: nimble, empirical, and curious. That’s the idea behind this talk, by Kelly Shortridge, a senior principal at the firm Fastly. Shortridge will talk about a new paradigm for systems defense that will transform organizations from plodding, reactive triage teams into fast, ever-evolving defenders who can outmaneuver attackers with ease.
Thursday’s sessions
Entrepreneur's Dilemma: Managing Growth and Dedication to Product Quality
Thursday, August 10, 10:20–11 am | Oceanside D, Level 2
Mention in casual conversation that you work in cybersecurity and you’re likely to get congratulated for being in a hot industry. But that hardly makes cybersecurity startups a sure thing. In fact, it may be the opposite — the cybersecurity industry’s rapidly shifting terrain is perpetually creating new opportunities and spawning runaway successes while at the same time leaving countless other promising firms by the wayside. So what is a would-be cyber entrepreneur to do? Few people are better positioned to answer that question than ReversingLabs CEO and co-founder Mario Vuksan. And at this year’s Black Hat, he will talk about his experience growing a successful firm in an industry characterized by rapid expansion on the one hand and constant change driven by criminal and state-sponsored actors on the other.
In this talk, part of Black Hat’s Entrepreneur Micro Summit, Vuksan will talk about the challenges of balancing product quality and continuity with strong customer engagement. Speaking as a founder and CEO, he’ll explore the various stages of growth that cybersecurity startups such as his must navigate, the pros and cons of bootstrapping vs. fundraising, the importance of building nontechnical teams for product management, and when (and how) to change direction.
Unsafe At Any Speed: CISA's Plan to Foster Tech Ecosystem Security
Thursday, August 10, 10:20–11 am | Islander HI, Level 0
After years — decades, really — of vague language about “public-private partnerships” and the need for organizations to “do better” when it comes to securing IT environments, the highest levels of government have shifted their focus in recent months. Leaders such as Jen Easterly, the director of CISA, increasingly speak about the need to shift the burden of security from the consumers of software to the companies that make it. Analogies between software security and other critical sectors — food, water, medicine — abound.
The implication: The days of officials and regulators looking the other way at jaw-dropping remote code executions (RCEs) and other app sec failings are drawing to a close. If you want to get a sense of where the government’s thinking is on this, you should check out “Unsafe at Any Speed,” where two of CISA’s senior cyber executives, senior technical advisors Bob Lord and Jack Cable, will dig into CISA's strategy to foster a safer technology ecosystem. The two will discuss topics ranging from memory safety to open-source security to cyber insurance. They will also talk about erasing the security poverty line by enacting programs and policies that ensure that smaller organizations can demand better security from their vendors.
Lemons and Liability: Cyber Warranties as an Experiment in Software Regulation
Thursday, August 10, 11:20 am–12:00 pm | Islander FG, Level 0
Expanding on the idea of software safety, the U.S. National Cybersecurity Strategy seeks to shift responsibility for securing systems to the "most capable actors": software vendors themselves. But what will that mean for the software industry as a whole and the tens of thousands of companies that develop and release software? Well, we might look to adjacent industries and marketplaces for a clue. Take automobiles, where so-called lemon laws have long protected consumers from being burdened with faulty, problem-plagued vehicles.
In the software space, software “warranties” that promise to pay out to customers if the vendor's product fails to prevent a security incident have been around for nearly a decade, as software vendors attempt to shape the market by drawing a line between high- and low-quality wares.
How has that worked? In this talk, Daniel Woods, a lecturer in cybersecurity at the University of Edinburgh and a senior security researcher at Coalition, discusses the findings of research he has conducted on the economics of security and privacy. Woods and his colleagues studied 14 software warranties, and he will discuss the findings of that work and how it can inform policymakers as they craft a software liability regime that incentivizes vendors to write secure software.
mTLS: When Certificate Authentication Is Done Wrong
Thursday, August 10, 2:30–3 pm | Oceanside A, Level 2
Overseeing one of the largest open-source development platforms gives you an unprecedented view into both software supply chains and development practices. These days it also gives you a bird’s-eye view of efforts by malicious actors to exploit supply chain weaknesses and loose development practices. That may be why security experts from GitHub dot the Black Hat schedule this year.
One session that looks particularly promising is GitHub researcher Michael Stepankin’s: "mTLS: When Certificate Authentication Is Done Wrong." Stepankin will talk about the growing use of x509 certificates for client authentication in zero-trust environments, which offer advantages over passwords or hardware tokens but which also open doors to malicious actors when they are not implemented correctly.
Stepankin will look at some novel attacks on mTLS authentication and how flaws in mTLS implementations make the systems vulnerable to user impersonation, privilege escalation, and information leaks. Stepankin’s talk will include new CVEs discovered in popular open-source identity servers and a discussion of how they could be exploited by threat actors. He will also talk about how development organizations can identify those flaws in source code and how to properly implement mTLS to avoid attacks.
[ See what's in store from ReversingLabs on our event page: ReversingLabs @ Hacker Summer Camp 2023 ]
