I haven't been to many security events in the past few years (none, now that I think about it), so when my friend sent me the registration link for Detectify's event here in Stockholm, it was a no-brainer that I had to cancel my salsa dancing class and attend the second Go Hack Yourself Stockholm event instead. I am pleased to say that it was a good decision.
The event's first talk was How to hack at scale while you sleep by Stök (Fredrik Alexandersson) who took us through an exciting journey on how to automate recon, crawling, and validation of new bug bounty/security research targets, and how to chain many wonderful tools to filter down 10s of thousands of results into a much smaller, higher-quality, and more manageable scope. His one-liner that chains all the tools together is definitely one of the best things I saw during the event.
The next talk was Busting browser fails: What attackers see when they hack your browser to exploit your data by David Jacoby, who gave us a quick intro to browser-based attack vectors and some really cool demonstrations of what an attacker can do when they gain access to someone's browser, including a short video from the Swedish TV show HACKAD where he and his colleagues opened someone's garage door once they clicked on a link (super cool, you should definitely watch the show).
Stuart McMurray from Klarna took the stage next and talked about internal security programs and how, to prevent the bad guys from causing serious damage, we need to make everyone in the company comfortable with the idea of hacking (aka finding issues and working on fixing them). He talked about the need for destigmatizing the concept of hacking, and building relationships with people in the office to reduce the communication barriers and keep security at the front of people's minds. It was an excellent talk that spoke directly to a topic I feel strongly about.
Not as important as the content, but the font used in this presentation is a work of art.
Kursat Cetin, a security researcher at Detectify, talked about scanning at scale, and when I say scale, I mean country-level scale. His talk Mapping a country's attack surface addressed some challenges companies tend to face when trying to map attack surfaces at such a large scale. He gave some excellent tips on how to approach such an endeavour, and told us some interesting stories about Turkish infrastructure (including a really puzzling and funny story about mathematically generated passwords).
That was it for individual talks. Next on the agenda was a panel discussion on attack surface mapping, secure development, and vulnerability management. The panel speakers were Stuart McMurray (Klarna), Joona Hoikkala (Visma) and Rickard Carlsson (Detectify), and it was moderated by Detectify's own VP of Product Johanna Ydergård.
There were some productive discussions and the speakers shared interesting insights into how things work where they work (albeit at a generic level). I would have loved to hear more specifics (numbers, examples, ...) but I also understand the complicated nature of such public discussions. Overall, it was a somewhat informative panel (I enjoyed watching the polling results).
The panel was the last part of the event itself and once it was over, people headed to a different room for dinner, drinks and a bit of socializing. For those of you who don't know Space Stockholm (the venue where the event took place), it's possibly one of the biggest gaming spaces in Sweden, and the gaming section was open to attendees after dinner. I played Battlefield for like 15 minutes and died 10 times (can't imagine anyone could do worse than this). Defeated and irritated, I went and spent the rest of my time chatting with my friends and some new faces.
It was a cool event, I definitely learned a couple of things, and met many remarkable people, and so I was pleased when I returned home. I am genuinely thankful to Detectify for putting on such an event, and to my friend Mattias Ahnberg for sending me the event link and telling me to register.