Keynote Speaker

Leading expert sharing groundbreaking insights

Pedram Hayati

Founder and CEO at SecDim

40,000 CVEs and Counting: The State of AppSec in 2025

2024 set a new record with over 40,000 CVEs, a staggering 40% increase from the previous year. But raw vulnerability volume is only part of the story.

Application Security has evolved far beyond just fixing injection flaws. Over the past two decades, it has matured into a complex ecosystem encompassing automated code scanning, secure CI/CD pipelines, cloud-native security posture management, and most recently, AI copilots and autonomous remediation.

In this session, we will walk through the key milestones that have shaped modern AppSec. We will unpack emerging threats, the rise of DevSecOps, the growing mandate for SBOMs, and the dual-edged role of AI in both attacking and defending software.

You will leave with a clear understanding of today's AppSec landscape, the challenges that lie ahead, and the strategies needed to secure applications in 2025 and beyond.

Technical Speakers

Industry experts sharing their technical expertise

Javan Rasokat

Senior Application Security Specialist, Sage

XSS is dead - Browser Security Features that Eliminate Bug Classes

This talk will explore why traditional application security is failing and how modern browser security features offer a way out. Instead of endlessly patching the same vulnerabilities, it is now possible to eliminate entire classes of bugs through proactive, scalable defences. The session will dive into browser-native standards such as Content Security Policy Level 3 (nonces and 'strict-dynamic' instead of host allowlists), Trusted Types, and the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest), and how they prevent XSS, CSRF, clickjacking, and other cross-origin attacks.

Using real-world case studies, the talk will show how leading organizations have successfully adopted these features to secure their applications by design.

Special Talk

Rishika Desai

Threat Researcher and Technical Writer at BforeAI

Cybersecurity Through a Creator's Lens: More Than Just a Tech Job

This talk will explore the human side of cybersecurity, breaking the misconception that it is only about tools, code, and technical jargon. Rishika Desai shares her journey as a cybersecurity professional turned content creator, showing how storytelling and communication can make security more relatable and impactful. Through her experience, she highlights the power of building a personal brand and using content to educate, inspire, and connect.


In today's evolving security landscape, there is a growing need for not just engineers but also educators, communicators, and creators who can turn complexity into clarity. This session is for anyone looking to amplify their voice and make cybersecurity more accessible and human.

Hassan Khan Yusufzai

Director, Laburity

Danish Tariq

Director, Laburity

Secret scanning in open source at scale (in-depth)

This talk will explore the growing risks in software supply chain security, especially in the wake of high-profile incidents like Log4Shell. Based on large-scale in-house research, it investigates publicly available open-source assets, including over 2 million npm packages, 60,000 WordPress plugins, and a wide range of RubyGems, to uncover exposed secrets such as AWS keys, Google credentials, and 30+ other sensitive types.

These exposures, whether accidental or intentional, pose a serious risk to any developer or organization using these components as dependencies. The session will present the scale and impact of the findings, along with practical ways to detect and prevent such leaks. Attendees will also learn how to integrate automated checks into their CI/CD pipelines to secure their supply chains and avoid becoming the next link in a compromised system.

Anjali Shukla

Senior Security Engineer at Flipkart

Divyanshu Shukla

Senior Security Engineer at Confluent

How Attackers Exploit Misconfigured AWS EKS through Lessons from OWASP EKS Goat

Are you running Kubernetes on AWS? There is a good chance your EKS cluster is misconfigured and you are not aware of it. This session dives into the pitfalls attackers exploit in AWS EKS environments: supply chain compromises, instance metadata service (IMDS) abuse from a pod (possible even with IMDSv2 when the hop limit lets pod traffic reach it) leading to node-role credential exfiltration, and pod breakouts.

Using the OWASP EKS Goat project, the session shows how these weaknesses translate into real-world cloud attack paths and gives immediate steps you can take to harden your clusters. Whether you are a CISO, CTO or security engineer, this practical session is for anyone who wants to strengthen their AWS security posture and get started with EKS security.

Melvin Lee

Senior Security Consultant, PastelOps

Nicholas Lim

Principal Security Consultant, PastelOps

iOS Reversing on a Budget: Frida, Ghidra, and a Jailbroken Device

iOS reversing often feels more painful than it should be. Compared to Android, Mach-O binaries, a stricter platform, and runtime protections often discourage testers or make them avoid it altogether. The speaker has faced these same roadblocks, where persistence alone was not enough to make progress.

This talk will cover a practical workflow for iOS reversing, developed from real-world mobile assessments and leveraging open-source tools such as Frida, Ghidra, and a jailbroken iPad. It will walk through how to decompile and navigate Mach-O binaries, hook functions in running apps, and work around common issues like obfuscation and anti-debugging protections.

The goal is to make iOS reversing more approachable. Attendees will walk away with ready-to-use Frida snippets, a clear and repeatable workflow, and practical tips to overcome frustrating roadblocks—without spending extra money or wasting hours going in circles.

August Joseph

Chief Technology Officer, KAZIMI

The Birthplace of Lies: Hacking Analytics SDKs

Modern apps often rely heavily on advertising for revenue. To enable this, ad networks and analytics providers require their SDKs to be embedded within the app itself. However, these SDKs frequently ship with exploitable vulnerabilities, invasive tracking mechanisms, and a range of questionable behaviours. This talk will uncover the techniques used by these SDKs and expose how much of the industry consistently prioritises profit over the privacy and security of actual users.

Omkar Joshi

Lead Security Engineer, Coupa Software

Rahul Bhor

Sr. Security Engineer, Coupa Software

Model Mayhem: Pwn, Poison & Prompt-Hack Your AI

This talk will explore the hidden risks of deploying AI systems in critical functions like fraud detection, credit scoring, and customer support. As these models continuously learn from massive and ever-changing datasets—often pulled from public sources—they become vulnerable to subtle yet dangerous manipulations. The session will dive into how attackers can poison as little as 0.1% of training data, upload "trusted" but malicious models, or craft prompts that bend the model's behavior without triggering alarms.

Through live demos, the audience will witness a credit-risk model being flipped from "deny" to "approve" and a customer service LLM being transformed into a malware tutor. The session will conclude with a hands-on safety toolkit covering signed model manifests, secure download practices, prompt guardrails, and real-time anomaly monitoring—practical steps to help organizations ensure their AI continues to serve them, not sabotage them.

Niclas Kjellin

Security Researcher

Breaking the Next Factor - Live MFA Hacking

This talk will explore the uncomfortable truth behind multi-factor authentication (MFA)—often hailed as the ultimate fix for authentication-related security issues. While MFA adds a layer of protection beyond passwords, attackers have evolved just as quickly. With over a million MFA bypass attacks occurring every month, it's clear that this trusted safeguard isn't foolproof. Through live demonstrations, this session will showcase how modern threat actors seamlessly bypass MFA and take over accounts in real time. Attendees will gain insight into advanced attack techniques and learn why relying solely on MFA may not be enough to sleep soundly at night.

Keren Katz

Leader of Security Detection, Apex Security

When the Enemy Is Already Inside: Securing Enterprise AI Agents Against Insider Threats

Enterprise AI agents sit at the center of modern corporate workflows, wired into RAG pipelines and privileged data stores. While headlines focus on external attackers, insider misuse has quietly multiplied. This talk unveils a new OWASP taxonomy for enterprise agents, dissects a real-world Fortune 500 breach in which leaked earnings data rocked the C-suite, and closes with concrete controls security teams can deploy today to keep their agents, and their organizations, safe.

Dakshitaa B

SquareX Security Researcher

Identity Attacks: The Achilles' Heel Every Adversary Exploits

Identity has become the attacker’s fastest path to sensitive data and systems. This session will analyze adversary-in-the-middle techniques in the browser, including token theft, session hijacking, and credential replay. We will demonstrate how these attacks evade MFA and other controls that enterprises rely on. The talk will conclude with detection and mitigation strategies for defending identity at the browser layer.

Ilia Mogilin

Security Engineer at Yandex Cloud

Securing your Lambda 101

This talk will explore key security risks in AWS Lambda functions and how attackers can exploit them if they are not properly secured. It will begin with a quick overview of Lambda's structure and benefits, such as scalability and reduced operational overhead, before diving into a security assessment approach based on NIST SP 800-30. The session will highlight critical risks including RCE backdoors, environment variable leaks, SSRF, and fork bombs, along with their real-world impact, such as excessive billing.

Live demos will showcase command injection and SSRF attacks in action. Attendees will leave with practical mitigation strategies like input validation, IAM role separation, and setting up effective logging and alarms to strengthen their serverless security posture.

Marudhamaran Gunasekaran

Principal Security Consultant at DevSecOps

Securing the AI Pipeline: Implementing DevSecOps for Machine Learning Projects

This talk will explore how AI development pipelines are emerging as a critical attack surface that traditional DevSecOps was never designed to secure. As organizations race to build and deploy machine learning models, attackers are exploiting weaknesses in training data, model dependencies, and inference endpoints—bypassing conventional application security controls.


Through live demonstrations, the session will show how poisoned training data, dependency confusion, and model tampering can quietly compromise AI systems. It will then present practical, AI-specific defenses that integrate seamlessly into existing CI/CD workflows, ensuring security without slowing development.