BSides San Francisco wrapup

March 18, 2019



BSides San Francisco 2019 was my first security conference, so I wasn’t sure what to expect. It far exceeded what I imagined though with excellent talks, informative villages, and interesting people. I had spent the week leading up to the event preparing logistics for our booth, so I was exhausted before BSides even started. All my hard work paid off though, as the Semmle booth looked amazing with its brand new 58-inch monitor. I ended up spending most of my time at our booth, but when I was able to get away and explore the event, I was very impressed with what I experienced. I attended some great talks, learned a lot in the villages, and had some interesting conversations with other participants.

The talks

Being a conference, the talks were what drew me in more than anything else. The topics of these talks were wide-ranging and touched on a number of subjects I have an interest in. Since I am relatively new to the security space, I decided to attend talks that would broaden my knowledge in that field, such as “Concrete Steps to Create a Security Culture” and “Implementing a Kick-Butt Training Program: Blue Team Go”. I also attended “Bye-Bye False Positives: Using AI to Improve Detection”, which was the perfect intersection between my interest in AI and my variant analysis work at Semmle. My personal favorite talk was “DevSecOps State of the Union” by Clint Gibler. This talk was a wonderful overview of the many companies and technologies that are working to improve the field of DevSecOps. Clint managed to reference 40 relevant talks that I now need to track down and listen to myself. He had a fantastic presentation style and his talk was both highly informative and very easy to digest.

[Image: security culture]

The villages

BSides had a number of villages this year that were a great way to spend time between talks and sessions manning the Semmle booth. The Lockpick Village was my favorite of these. My favorite characters from fantasy are the clever rogues who are able to crack any lock with ease, so when I saw the Lockpick Village, I knew I wanted to learn this skill for myself. The Lockpick Extreme team was more than willing to help me get started on my new hobby. By the end of the weekend I’d probably spent a few hours there honing my skills.

There were some villages that I didn’t spend too much time at, such as Capture the Flag or the Living Security Escape Room. The people running these villages were very helpful and informative, but I didn’t feel quite prepared to test my skills out against others. Maybe next year I will feel ready to choose Red or Blue team and compete.

The people

As with most conferences, it is the people that turn the event from a bunch of talks into a remarkable experience, and BSides was no different. I enjoyed networking with other participants and discussing a wide range of security-related topics. I talked about issues related to online voting, variant analysis, and the code security of naval vessels. I even learned about an AI that can play StarCraft, which is capable of defeating pro players.

[Image: Semmle booth]

At the time of the conference, I had only been at Semmle for two months, and I had never been to a security conference before, so I was somewhat nervous about representing Semmle at our booth. Luckily, everyone I interacted with was friendly and genuinely interested in our products. After a few conversations, I began to find my stride and I was able to craft a great story around how our product could be leveraged to help improve the security of a codebase. The participants seemed eager to learn, and were often awed by the capabilities of QL and LGTM. Our team was able to show that LGTM’s automatic code review could drastically lower the number of bugs that make it into a codebase. Also, it’s not every day that you get to tell people that the company you work for helped safely land the Mars rover.

We had a number of people express interest in using LGTM for their own security needs. This “one-person security team”, in charge of code security for 50 developers, was enthusiastic about LGTM’s ability to automatically analyze code in pull requests without requiring the developers to learn a new security tool. This other participant was excited to use LGTM as a means of teaching developers to secure their code, using practical examples from their own codebase. Overall, I had some really wonderful interactions with the community.


I look forward to coming back next year and catching up with the wonderful people I met. I will hopefully be much better at lockpicking and security analysis by then. As someone who is pretty new to the cybersecurity industry, it was really great to meet so many helpful people and see so much willingness to work and learn together. My big takeaway from the weekend: everyone at the conference had a passion for securing software, together.

Note: Post originally published on March 18, 2019