# Curated Conference Talks 2021–2025

> **Intro:** This page is a curated watchlist for engineers and Product Security leads who want high-signal conference content instead of endless playlists. It emphasizes talks that help you reason about **program design, cloud attack paths, software supply chain risk, modern AppSec, and detection/response**.
>
> **Selection rule for this page**
>
> * prioritize talks with a stable official event page or official archive page;
> * prefer talks with directly reusable ideas for the KB: design patterns, lessons learned, attack paths, control models, or detection thinking;
> * if the event reliably exposes only a schedule or archive page rather than a per-talk page, cite that official archive page as the reference.

## How to use this page

Read this page in one of three ways:

1. **manager / lead track** — start with talks about Product Security, AppSec program design, and the DevSecOps operating model;
2. **platform / cloud track** — start with cloud attack paths, logging, detection, and supply chain talks;
3. **developer enablement track** — start with AppSec foundations, API security, threat modeling, and secure coding dojo material.

## Curated top talks and sessions

| #  | Talk                                                                                                                        | Speaker(s)                                                        | Year | Venue                                        | Why it is valuable                                                                                                                                                                            | Official page                                                                                                                                  |
| -- | --------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | ---- | -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| 1  | The Convergence of AppSec, Cloud Security and DevSecOps                                                                     | Abhay Bhargav                                                     | 2023 | RSA Conference USA                           | One of the clearest talks for understanding why many AppSec teams evolve into Product Security teams. Useful for role design and cross-domain skill planning.                                 | <https://www.rsaconference.com/Library/presentation/USA/2023/The%20Convergence%20of%20AppSec%20Cloud%20Security%20and%20DevSecOps>             |
| 2  | The Application Security State of the Union                                                                                 | Chris Romeo                                                       | 2023 | RSA Conference USA                           | Strong overview of AppSec program direction, tooling saturation, and what a “future-proof” AppSec strategy should emphasize.                                                                  | <https://www.rsaconference.com/library/presentation/usa/2023/the-application-security-state-of-the-union>                                      |
| 3  | Running in the Shadow: Perspectives on Securing the Software Supply Chain                                                   | Jessica Lyons, James Higgins, Dan Lorenc, Camille Stewart Gloster | 2023 | RSA Conference USA                           | Useful for leadership and engineering alignment because it covers supply chain security from developer, executive, and policy angles.                                                         | <https://www.rsaconference.com/library/presentation/usa/2023/running-in-the-shadow-perspectives-on-securing-the-software-supply-chain>         |
| 4  | Exploiting Vulnerabilities and Flaws to Attack Supply Chain                                                                 | Ilay Goldman, Yakir Kadkoda                                       | 2023 | RSA Conference USA                           | Practical look at supply-chain attack paths across IDE, SCM, package managers, and CI/CD. Valuable for attack-chain mapping.                                                                  | <https://www.rsaconference.com/library/presentation/usa/2023/exploiting-vulnerabilities-and-flaws-to-attack-supply-chain>                      |
| 5  | Implement ZeroTrust with Dedicated DevSecOps Pipeline (RSAC library entry: Decoupling DevSecOps from CI/CD Pipelines)                       | Kayra Otaner                                                      | 2023 | RSA Conference USA                           | Useful because it challenges the “everything in one pipeline” assumption and explains why separate security-control paths sometimes reduce friction.                                          | <https://www.rsaconference.com/library/presentation/usa/2023/decoupling-devsecops-from-cicd-pipelines>                                         |
| 6  | DevOps is Now DevSecOps                                                                                                     | Mike Rothman                                                      | 2023 | RSA Conference USA                           | Good trend-oriented session for understanding why DevSecOps became mainstream and which organizational shifts matter most.                                                                    | <https://www.rsaconference.com/library/presentation/usa/2023/devops-is-now-devsecops>                                                          |
| 7  | A Journey in Building an Open Source Security-as-Code Framework                                                             | Aakash Shah                                                       | 2023 | RSA Conference USA                           | Valuable for infrastructure security teams moving from static checks to reusable security-as-code.                                                                                            | <https://www.rsaconference.com/library/presentation/usa/2023/a-journey-in-building-an-open-source-security-as-code-framework>                  |
| 8  | Securing the Modern Application: From Code to Infrastructure                                                                | Boaz Gelbord                                                      | 2024 | RSA Conference USA                           | Good high-level framing for modern application attack surface: APIs, bots, DDoS, and code-to-cloud thinking.                                                                                  | <https://www.rsaconference.com/library/presentation/usa/2024/securing-the-modern-application-from-code-to-infrastructure>                      |
| 9  | The End of DevSecOps?                                                                                                       | DJ Schleen                                                        | 2024 | RSA Conference USA                           | Useful because it argues security should be treated as an engineering quality attribute, not a parallel bureaucracy.                                                                          | <https://www.rsaconference.com/library/presentation/usa/2024/the-end-of-devsecops>                                                             |
| 10 | Protect that Money Maker: Product Security Patterns and Practices                                                           | Stirling Goetz, Geoffrey Hill                                     | 2025 | RSA Conference USA                           | One of the strongest talks in this list for Product Security managers building a product-focused operating model.                                                                             | <https://www.rsaconference.com/Library/presentation/USA/2025/Protect%20that%20Money%20Maker%20Product%20Security%20Patterns%20and%20Practices> |
| 11 | From Good to Great, the Foundations of Application Security                                                                 | Shannon Lietz                                                     | 2025 | RSA Conference USA                           | Strong foundations talk for helping developers and security teams connect threat modeling, secure coding, and secure release criteria.                                                        | <https://www.rsaconference.com/library/presentation/usa/2025/from-good-to-great-the-foundations-of-application-security>                       |
| 12 | The AppSec Playbook: Building World-Class Security from Scratch                                                             | David Kosorok                                                     | 2025 | RSA Conference USA                           | High-value for anyone building or rebuilding an AppSec program with business alignment in mind.                                                                                               | <https://www.rsaconference.com/library/presentation/usa/2025/the-appsec-playbook-building-world-class-security-from-scratch>                   |
| 13 | Purple Teaming & Adversary Emulation in the Cloud with Stratus Red Team                                                     | Christophe Tafani-Dereeper                                        | 2022 | DEF CON 30 — Cloud Village                   | Excellent practical session for cloud detection engineering and continuous validation of alerts using adversary emulation.                                                                    | <https://www.cloud-village.org/dc30>                                                                                                           |
| 14 | Security Logging in the Cloud, Trade-Offs to Consider and Patterns to Maximise the Effectiveness of Security Data Pipelines | Marco Mancini                                                     | 2023 | DEF CON 31 — Cloud Village                   | Highly relevant for detection, logging architecture, and data-pipeline cost/visibility trade-offs in public cloud.                                                                            | <https://www.cloud-village.org/dc31>                                                                                                           |
| 15 | Catch Them All! Detection Engineering and Purple Teaming in the Cloud                                                       | Christophe Tafani-Dereeper                                        | 2024 | DEF CON 32 — Cloud Village                   | Great next-step talk after Stratus Red Team basics: threat-informed cloud detections, validation loops, and realistic telemetry.                                                              | <https://www.cloud-village.org/dc32>                                                                                                           |
| 16 | Exploit K8S via Misconfiguration .YAML in CSP Environments                                                                  | Wooseok Kim, Changhyun Park                                       | 2024 | DEF CON 32 — Cloud Village                   | Useful for translating YAML and cluster misconfiguration into attacker paths and review checklists.                                                                                           | <https://www.cloud-village.org/dc32>                                                                                                           |
| 17 | GCPwn: A Pentester's GCP Tool                                                                                               | Scott Weston                                                      | 2024 | DEF CON 32 — Cloud Village                   | Valuable for understanding attacker workflows in GCP and for turning those workflows into cloud review questions and detections.                                                              | <https://www.cloud-village.org/dc32>                                                                                                           |
| 18 | Security by Design                                                                                                          | Maximiliano Alonzo                                                | 2024 | OWASP AppSec Rio de la Plata / OWASP Uruguay | A practical AppSec culture-and-design session useful for developer education and “secure-by-design” messaging.                                                                                | <https://owasp.org/www-chapter-uruguay/>                                                                                                       |
| 19 | Deep Dive on API Security de cero a experto en 30 minutos (Deep Dive on API Security: from zero to expert in 30 minutes)                   | Matías Ferreira                                                   | 2024 | OWASP AppSec Rio de la Plata / OWASP Uruguay | High-value API security talk for newcomers and reviewers who need a concise API-focused mental model.                                                                                         | <https://owasp.org/www-chapter-uruguay/>                                                                                                       |
| 20 | Modelado de Amenazas Aplicando STRIDE con Threat Dragon de OWASP (Threat Modeling: applying STRIDE with OWASP Threat Dragon)                | Pablo Alzuri                                                      | 2024 | OWASP Uruguay Meetup                         | Useful because it links STRIDE to a practical Threat Dragon workflow instead of leaving it abstract.                                                                                          | <https://owasp.org/www-chapter-uruguay/>                                                                                                       |
| 21 | Secure Coding Dojo: El primer paso en el desarrollo seguro (Secure Coding Dojo: the first step in secure development)                       | Gerardo Canedo                                                    | 2024 | OWASP Uruguay Meetup                         | Especially relevant to the KB learning track because it turns secure coding into guided practice rather than passive awareness.                                                               | <https://owasp.org/www-chapter-uruguay/>                                                                                                       |
| 22 | Introducción a la seguridad de aplicaciones — edición julio/agosto (Introduction to Application Security, July/August edition)              | OWASP Uruguay community facilitators                              | 2023 | OWASP Uruguay Meetup Series                  | Valuable as a pattern for community-led beginner onboarding using OWASP Top 10 and Juice Shop style practice.                                                                                 | <https://owasp.org/www-chapter-uruguay/>                                                                                                       |
| 23 | Keynote: r00+ 0f 3/@ (Root of Evil)                                                                                                         | Sergey Golovanov                                                  | 2024 | OFFZONE 2024, Moscow                         | Case-study-style keynote on how incidents and attacker motives have evolved. Useful as an executive-level, trend-focused opener for the conference pack.                                      | <https://offzone.moscow/eng/news/v-offzone-2024-prinyalo-uchastie-rekordnoe-kolichestvo-gostey/>                                               |
| 24 | Security.Track / Trust in Tech archive set                                                                                  | multiple speakers                                                 | 2023 | Positive Hack Days 12, Moscow                | The official PHDays 12 archive is useful as a source of cloud/AppSec/DevSecOps material and shows how strongly DevSecOps themes were represented that year.                                   | <https://phdays.com/en/archive/2023/>                                                                                                          |
| 25 | OFFZONE 2024 technical agenda archive                                                                                       | multiple speakers                                                 | 2024 | OFFZONE 2024, Moscow                         | The official agenda is a good discovery source for practical offensive/defensive content, especially around incident investigation, modern detection, runtime, and technical security tracks. | <https://2024.offzone.moscow/eng/program/>                                                                                                     |

## v4.3 add-on talks from InfoconDB and Russian technical conference passes

These entries intentionally expand the page with talks that are especially useful for:

* Kubernetes attack-and-defense thinking;
* software supply chain and dependency trust;
* API and mobile DevSecOps practice;
* Russian-language technical material that still maps well to the KB.

| #  | Talk                                                                                             | Speaker(s)                           | Year | Venue            | Why it is valuable                                                                                                                                                                      | Reference                                                                                                                                                                           |
| -- | ------------------------------------------------------------------------------------------------ | ------------------------------------ | ---- | ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 26 | Hands-on Kubernetes Attack & Defense Masterclass                                                 | multiple speakers                    | 2025 | DEF CON 33       | Strong hands-on workshop built around realistic misconfiguration-driven attack and defense paths, including privilege escalation, container escapes, lateral movement, and persistence. | <https://infocondb.org/con/def-con/def-con-33/hands-on-kubernetes-attack-defense-masterclass>                                                                                       |
| 27 | K8sploitation: Hacking Kubernetes the Fun Way                                                    | multiple speakers                    | 2025 | DEF CON 33       | Useful offensive-to-defensive bridge for reviewers who want practical K8s exploitation tradecraft instead of only benchmarks and diagrams.                                              | <https://infocondb.org/con/def-con/def-con-33/k8sploitation-hacking-kubernetes-the-fun-way>                                                                                         |
| 28 | Spotter - Universal Kubernetes Security Scanner and Policy Enforcer                              | multiple speakers                    | 2025 | DEF CON 33       | Valuable because it frames unified policy scanning across CLI, CI/CD, admission, deployment, runtime, and monitoring using native Kubernetes concepts.                                  | <https://infocondb.org/con/def-con/def-con-33/spotter-universal-kubernetes-security-scanner-and-policy-enforcer>                                                                    |
| 29 | Attacking Kubernetes                                                                             | multiple speakers                    | 2024 | CanSecWest       | Good practical survey of attacker workflows, including Leaky Vessels and Peirates, useful for threat-model refresh and review checklists.                                               | <https://infocondb.org/con/secwestnet/cansecwest-2024/attacking-kubernetes>                                                                                                         |
| 30 | A Practical Approach to Breaking & Pwning Kubernetes Clusters                                    | multiple speakers                    | 2022 | DEF CON 30       | High-value cluster attack-path training because it spans supply chain, infrastructure, runtime, and cloud pivoting.                                                                     | <https://infocondb.org/con/def-con/def-con-30/a-practical-approach-to-breaking-pwning-kubernetes-clusters-monday>                                                                   |
| 31 | Supply chain security; addressing risk and dependencies issues the right way (with open source!) | multiple speakers                    | 2022 | MCH2022          | Good supply-chain talk for teams that need to distinguish raw vulnerability counts from broader dependency and trust risk.                                                              | <https://infocondb.org/con/dutch-hacker-camps/may-contain-hackers-mch2022/supply-chain-security-addressing-risk-and-dependencies-issues-the-right-way-with-open-source>             |
| 32 | How to Secure the Software Supply Chain                                                          | multiple speakers                    | 2022 | MCH2022          | Strong for dependency-introduction hygiene, npm ecosystem examples, and concrete steps to reduce supply-chain risk in day-to-day engineering.                                           | <https://infocondb.org/con/dutch-hacker-camps/may-contain-hackers-mch2022/how-to-secure-the-software-supply-chain>                                                                  |
| 33 | Emerging Best Practices in Software Supply Chain Security                                        | multiple speakers                    | 2022 | BSidesSF         | Useful synthesis talk because it distills supply-chain best practices from guidance published by Google, OWASP, the White House, and Gartner.                                           | <https://infocondb.org/con/security-bsides/bsidessf-2022/emerging-best-practices-in-software-supply-chain-security-what-we-can-learn-from-google-the-white-house-owasp-and-gartner> |
| 34 | Floating the goat: How to use DevSecOps to secure OWASP WebGoat                                  | Chloe Potsklan                       | 2023 | Diana Initiative | A rare learning-oriented DevSecOps talk that walks from requirements and threat modeling into AWS setup, pipeline automation, testing, monitoring, and continuous improvement.          | <https://infocondb.org/con/diana-initiative/diana-initiative-2023/floating-the-goat-how-to-use-devsecops-to-secure-owasp-webgoat>                                                   |
| 35 | Container escapes: Kubernetes 2024 edition                                                       | Dmitry Evdokimov, Nickolai Panchenko | 2024 | OFFZONE 2024     | Good Russian-language talk on container-escape techniques in Kubernetes as of 2024, useful for reviewers who need the current attack vectors in mind.                                   | <https://offzone.moscow/upload/for-download/OFFZONE_2024_Program_ENG.pdf>                                                                                                           |
| 36 | Filtering eBPF in Kubernetes, or Paddling down the treacherous river of network data             | Alexey Rybalko                       | 2024 | OFFZONE 2024     | Valuable for teams interested in lower-overhead container and cluster traffic filtering with eBPF instead of only sidecars and agents.                                                  | <https://offzone.moscow/upload/for-download/OFFZONE_2024_Program_ENG.pdf>                                                                                                           |
| 37 | Storm clouds: incident investigations in cloud infrastructures                                   | Anton Stepanov                       | 2024 | OFFZONE 2024     | Useful DFIR-oriented cloud talk focused on trusted-relationship attacks, provider compromise scenarios, and investigator bottlenecks.                                                   | <https://offzone.moscow/upload/for-download/OFFZONE_2024_Program_ENG.pdf>                                                                                                           |
| 38 | All-in-one REST API: security, tools, and tips                                                   | Valentin Mamontov                    | 2024 | OFFZONE 2024     | Good Russian-language API security session with an OpenAPI and toolchain angle that matches the KB API review track.                                                                    | <https://offzone.moscow/upload/for-download/OFFZONE_2024_Program_ENG.pdf>                                                                                                           |
| 39 | Kubernetes security: Deception phase                                                             | Dmitry Evdokimov                     | 2022 | OFFZONE 2022     | Useful because it adds a less common cloud-native defense-in-depth angle: deception techniques layered on top of normal K8s controls.                                                   | <https://2022.offzone.moscow/getfile/D.Evdokimov_Kubernetes%20security_%20deception%20phase.pdf>                                                                                    |
| 40 | 5 Lifehacks for Mobile DevSecOps                                                                 | Yury Shabalin                        | 2023 | OFFZONE 2023     | High-signal mobile DevSecOps talk that maps SAST, SCA, bytecode analysis, IAST, DAST, API testing, distribution systems, and release checks into one pipeline.                          | <https://2023.offzone.moscow/upload/iblock/presentations/qdjb2kay3o78wzrk7jqjutknfucwiuim.pdf>                                                                                      |

## Notes about source quality and archive stability

Conference sources vary widely in how stably they expose per-talk pages, slides, and metadata.

* **RSAC** currently offers the most stable individual session pages and is the easiest source for reliable metadata.
* **DEF CON** often exposes highly relevant material through official villages or media archives rather than neat per-talk pages.
* **OWASP** local chapter pages can be surprisingly strong because they often preserve talk titles, presenters, and slides.
* **Black Hat, PHDays, and OFFZONE** sometimes expose slides and schedules more reliably than stable per-session landing pages. When that happens, use the official archive/schedule page as the primary reference and slide repositories such as InfoconDB as a secondary discovery layer.

## How to turn this watchlist into a self-study plan

### Track A — Product Security leadership

Start with:

* Protect that Money Maker
* The AppSec Playbook
* The Convergence of AppSec, Cloud Security and DevSecOps
* The End of DevSecOps?

### Track B — Cloud detection and attack paths

Start with:

* Purple Teaming & Adversary Emulation in the Cloud with Stratus Red Team
* Security Logging in the Cloud
* Catch Them All! Detection Engineering and Purple Teaming in the Cloud
* GCPwn

### Track C — Developer and AppSec enablement

Start with:

* From Good to Great, the Foundations of Application Security
* Security by Design
* Deep Dive on API Security
* Secure Coding Dojo

## Cross-links

* [Product Security Ramp-Up Tracks](/learning-labs-interview-and-templates/index-2/product-security-ramp-up-tracks.md)
* [Secure Coding Training Platforms for Developers](/learning-labs-interview-and-templates/index-2/secure-coding-training-platforms-for-developers.md)
* [Awesome GitHub Repositories for DevSecOps, AppSec, and Cloud Security](/learning-labs-interview-and-templates/index-2/awesome-github-repositories-for-devsecops-appsec-and-cloud-security.md)
* [Threat Modeling Methods and Workflows](/application-security-and-secure-sdlc/index/threat-modeling-methods-and-workflows.md)

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*

