As you might have been aware if you read my blog, I spoke at B-Sides San Francisco and RSA Conference 2023, and it was GREAT! Below is a report about my trip, and all the wonderful people, places, and activities I saw and participated in from April 21-28, 2023.
B-Sides SF:

April 22: I flew into San Francisco late on Friday the 21st, to wake up on Saturday to have breakfast with my two friends Ashish Rajan and Shilpi Bhattacharjee, the hosts of the Cloud Security Podcast (which obviously you need to subscribe to if you work in that field. Right now. Don’t worry, I’ll wait.)

During breakfast we filmed a ridiculous little video for our panel event with Snyk on Tuesday of this week, you can see it below. I then went to B-Sides San Francisco and saw a LOT of amazing talks.
We also recorded an episode of their podcast together!!!!
Amazing talks that I saw at B-sides:
- Leif Dreizler: Tracking Meaningful Product Security Metrics
- Breanne Boland: New Apps, Good Snacks: Effective Threat Modeling for New Territory
- Jackie Bow, Julie Agnes Sparks, Jessica Rozhin, Louis Barrett: Detection as Code: The Engineering-Focused Future of Detection and Response
- There were several more good ones, but I couldn’t see them all!


I realize that if you’re a regular viewer of The Cloud Security podcast you might not recognize Shilpi, that’s because she’s generally behind the camera, as the producer of the show, but she is an equal partner in all the content the show creates. Plus, she’s wonderful!
I also got to see a lot of great people at B-sides SF, including Jason Haddix and Lock Pick Extreme!


Then I attended even more talks at B-Sides SF that were really good, and then finally came the time to give my talk. Being the very last talk, but not a keynote, at a 2-day-long event, is a hard time slot, but some people still came to it anyway. Here’s a link to a video of my talk, ‘Secret Hunting’ and a link to the corresponding blog post.
I also was interviewed by Buu Lam of F5 in the lobby of the AMC where B-Sides was held, video below. You all know how much I adore Buu!!!! It’s a fun interview.
RSAC 2023
Monday April 24
This morning I had a private meeting for work. Although I can’t tell you about it, being able to shake hands with someone, in person, with whom you are going to do some serious work, is a pretty amazing feeling in this ‘post-covid’ world.

At lunch time on Monday, I went to the Microsoft Hub to be on a panel at an event called Women’s Executive Lunch. I usually say no when conferences invite me to be on this sort of panel, because if everyone else is on all the other stages talking about AppSec, and the whole conference is about AppSec, I don’t want to be the side show. I want to be on the main stage, talking about the main topic. I also don’t want to be known as “a woman in tech”, I want to be known as an expert in application security, which is what I am. Being female should be secondary (or not important at all), or at least that’s what I would prefer when it comes to my career and professional reputation. When everyone else is talking about a technical topic, I don’t want to be off topic. I also don’t want to talk about something that no one came there to learn about; most people don’t buy a ticket to a technical conference in hopes to learn about ‘women in tech’. I also think that most of the people at a conference who would come to such a talk are already on board with the whole “turns out women deserve the same rights as men” thing, and thus we are preaching to the choir. The people who need to hear it aren’t going to choose to go to that room. They are going to skip it.

But when Microsoft asked me to address a group of women and allies, at an event aimed only to help, support, and promote women in tech, I jumped at the chance. To me, this is completely different to what I described above; we were there to try to provide answers, assistance, and encouragement, at an event dedicated only to this topic and cause. And that, my friends, is very much in line with my beliefs and what is important to me.

Also: I suspected that if I attended that I might get another hug from Ann Johnson (#careeraccomplishment). AND I DID!!!!! Note: last time I got a hug from Ann was when I won “Hacker of the Year” 2019, in Vegas as part of hacker summer camp. You need to be particularly amazing in order to earn this privilege. #worthit
Not only was Ann Johnson on the panel, but also Lynn Dohm (Founder of WiCYS), Vasu Jakkal, and Aarti Borkar (moderator)!

After the panel was over, I had to run over to #DevOpsConnect stage, run by TechStrong, a track at RSA dedicated only to DevOps, DevSecOps and other AppSec nerding, topics that are right up my alley. I was on right after DJ Schleen, and other amazing humans who presented on that track the same day, including Caroline Wong and Shannon Lietz.
My talk was about what software developers should do when there is a security incident, when to call the Incident Response (IR) team and how to not ruin evidence, plus please-don’t-think-you-are-saving-the-day-when-really-you’re-creating-a-big-mess. It went pretty well, despite me being a sweaty mess from running across SF to get there on time! Although there’s no live recording of it, WHP has a course about it in the academy.

After that I had another work meeting, but then I got to have some fun: I had the chance to meet with my friend Isabelle Mauny from 42Crunch. She’s the founder of her company, but also, in my opinion, someone who really wants to help developers create more secure APIs. She’s very dedicated to this topic, and if you’re interested in securing your APIs, following her is a great idea. You can see a past presentation she did for WHP here. She’s also going to be on the We Hack Purple podcast soon, don’t miss it!
After that, I went to the RSA Speaker’s dinner in hopes of meeting up with my dear friend Vandana Verma. Although I ended up missing her (I showed up late, my bad) I DID have the chance to run into Jessica Robinson, Chris Romeo (of Security Journey and AppSec podcast fame) and Kim Wuyts, who you may remember I met for the first time in Dublin, Ireland earlier this year at OWASP Global AppSec 2023. She gave an amazing keynote about threat modelling privacy, and made me think of ‘building privacy in’, in a whole new way.

Tuesday April 25
Tuesday started off with a ladies’ breakfast for the Forte Group. Forte is a non-profit made up of women CISOs, CEOs, and startup founders. Chenxi Wang and a few of us started it just after covid began, because we wanted to hang out with other amazing women. Chenxi changed it from “Friday afternoon happy hour” into a vibrant community of incredibly powerful women from our industry, who share knowledge and support each other. Forte group has helped my business and my career immensely, and it’s also been quite a bit of fun. Hats off to Chenxi and the rest of the board members for working very hard to help lift other women up. ALSO, breakfast was a blast!

After the first breakfast I went to my second breakfast event of the day, which was sponsored by SemGrep and Tromzo, where I got to see lots of familiar and wonderful faces such as Jim Manico and Robert Wood of The Soft Side of Cyber. The restaurant served us food that was very pretty and fancy, but it contained almost no calories… Glad the ladies’ breakfast actually fed me… Being a small company owner, I am always on the hunt for free food, lol.
After that I did a quick sound check for an event, then went to the Mend Booth to do a book signing… Except my books were nowhere to be found! I was so embarrassed, there was some sort of shipping error. Instead, I interviewed their CEO Rami Sass live, and then we recorded another one and released it on social media. Despite the mix-up, we ended up having a really good time, plus they gave me a few blog post ideas, we made fun of SBOMs (why didn’t the USA executive order demand that people verify if their dependencies were vulnerable? Or document transitive dependencies too? It felt so underwhelming…), and I now have several MEND water bottles!

From there I went on to my panel for #Snyk with Caroline Wong and Ashish Rajan! You can watch the video of us here. You can see how stylish we are and our amazing chemistry in the image above! Shilpi was behind the camera, ensuring we looked and sounded our best.
If you think this day didn’t have enough action… Then I went to the IANS Faculty Party! I’m a member of IANS Research faculty, where I work with such amazing humans as Nicole Dove, Olivia Rose, Mick Douglas, Shannon Lietz, Wolfgang Goerlich, Jake Williams, and… Well, you get the picture. Lots, and lots and lots of amazing humans are part of the faculty, plus the staff are wonderful. We got to have a few drinks and chat in person, which is a change from our usual Slack channel conversations that scroll off the screen. It’s always a pleasure when I have a chance to see them. No photos from this event.
After this I was supposed to attend another party where I was finally going to get to see my friend Vandana, but instead I ordered tasty Asian food from some app on my phone (I was in San Francisco, after all) and stayed in. I had a big day to get ready for. Plus, my legs hurt from climbing one of those famous San Francisco hills…
Wednesday April 26
This morning started with another women-in-tech breakfast, but smaller and only Forte ladies. I then went to film an interview with TechStrong that you can watch here.

From there I went to yet another sound check, then did my “Adding SAST to CI/CD, Without Losing Any Friends” workshop for RSAC with my friend Clint Gibler. We joked around, talked about Static Analysis, and made SemGrep find a lot of bugs in OWASP Juice Shop. It was a total blast! And…. We’re accepted to give it again this summer at B-Sides Las Vegas! If you missed us at RSA, don’t worry, you can still see it at #HackerSummerCamp.

From there I did a book signing at the RSA Bookstore, had more private meetings, then had the absolute pleasure of spending dinner and the rest of my evening with my friend Laura Bell of Safe Stack. Below is a picture of us being silly.

Thursday April 27

Today was the big day, THE DAY I KEYNOTED #RSAC. I remember when they sent the invite for me to be the keynote. I thought “Is this a mistake? Did they mean someone else?” But no, it was me!!!!! I was supposed to do all sorts of things that morning (sorry if I missed you!), but instead I practiced my talk over and over again. Before I went on, the backstage crew asked me multiple times: “Are you nervous?” They asked so many times that I started to become nervous. Before I went on, I thought to myself “Just be yourself. Talk passionately about this because this is very important to you. Tell stories. Be real. It will be fine.” And it was fine! Moreover, it was better than fine. People laughed when they were supposed to laugh, and didn’t when they weren’t supposed to. The recording is below (plus give me a thumbs up if you watch it on YouTube). In addition, here’s an article someone wrote about it, with a summary of all the points I made.
From there, I floated on a cloud to the AppSec Village, of which We Hack Purple is a proud sponsor, to sign copies of my books and give away more stickers. Video below of Liora and I! AppSec Village was founded by Erez Yalon and Liora Herman, and if you’re going to be at Def Con this summer you should definitely go check it out! I plan to be there.
After the AppSec Village hangout, I did something called a “Birds of a Feather” event with RSA. Many of us met to discuss how to create a more positive DevSecOps culture, getting buy in for fixing bugs, and “please don’t turn off my tools!!!!”. It might sound unusual, but I love situations where I get to learn from the audience. When people ask questions, or tell me “At our office, we do this, and here’s why”, I love it. If you have a chance to attend one of these, you should. I know that *I* learned a lot.
Then I went to see Taylor Armerding of Synopsys, and he interviewed me about my keynote. Taylor and I have been in touch for years, but I hadn’t seen him in person since before covid, so it was nice to catch up! You can see it below.
After that I got to have dinner with my friend Anshu Bansal of CloudDefense.ai, who was recently on the We Hack Purple Podcast, see his episode here. I’ve been an advisor at Cloud Defense since it was a drawing on the back of a napkin, and I cannot tell you how proud I am of Abhi Arora and Anshu, the two founders, who I am proud to call my friends!
To finish off my trip, I had a We Hack Purple in-person meetup! We drank bubble tea, traded stickers, and stories! Below is a pic! I also FINALLY had a chance to spend some time with my wonderful friend Vandana Verma, who had flown in all the way from Bangalore, India!

Throughout all the events I listed, I also had several private business meetings. Some were great, some okay, and some did not go very well at all. I didn’t bother documenting them all here, but there were 28 meetings and events in total, plus a few surprise things that got added last minute. All in all, I would call this a very successful trip!
Friday April 28
This was supposed to be the easiest day of my trip, I was just supposed to get up and fly home, but it ended up being quite stressful. I had a mishap with my ride-share (which took 30 minutes to show up), and then another mishap waiting for security (watch out for the sign in SFO airport that says both “Clear” and “TSA-Precheck” on it with an arrow indicating to wait for those two security options there. Except that it turns out that the line is only for Clear, and people from Canada/TSA-Precheck need to somehow read the minds of the airport staff and understand that is not where TSA-Precheck are supposed to wait….????? And it’s actually over 100 meters away so you cannot possibly see the real line??!?!?!). While I was doing this, I was also attempting to negotiate a business deal on the phone, with someone who wouldn’t take no for an answer. I ended up running (literally) through the airport, having a lovely woman recognize me from my keynote and let me jump in front of her in line (thank you wonderful mystery lady!), and then somehow I just barely managed to get onto my plane to Vancouver before it took off.

After that ‘excitement’ was a 4-hour layover in Vancouver, with more phone calls and emails and negotiations, before I gave up on trying to get work done and called my bestie for advice on “how to say no more forcefully” (she suggested I record a video of me laughing rudely and emailing it to the person, but I decided that was likely not the most mature response… Instead, I politely replied “no thank you”, again). Then I decided to relax and call my mom to say hi, before taking my plane ride back to Vancouver Island, then one more hour to drive home from the airport. I was POOPED!

I kept this last bit in about Friday because I don’t think people understand how un-glamourous the life of a CEO-of-a-small-company and/or person who does public speaking for a living can be. Answering emails into the evenings, taking several calls in-between flights, literally running from event to event, posting the #cybermentoringmonday thread to Mastodon (because it cannot be automated, but I still really want to engage with that community) while in line at a café in the airport, hoping I can get both a latte AND catch my flight… And I’m not telling you the half of it.
When people thank me after I give a talk. When people carry my book onto a plane with them, to bring it to a conference to ask me to sign it. When people tell me how my mentoring program, blog, talks, or any other work I have done has helped them. THAT is what makes every single minute of hard work worth it. When I find out I helped someone find a new job, when they really needed it. When I hear a woman had the courage to ask for a raise, and she got it. When I hear that a company has changed the way they secure their apps, for the better. All of this makes my cup overflow. Thank you for reading about my trip. <3