BSides Seattle 2025 — Information Security Conference
On Saturday, I volunteered at BSides Seattle, a community-based conference for individuals in or interested in Information Security. Founded in 2012, BSides Seattle continues to provide space for the open sharing of ideas, concepts, and debates. What drew me to volunteer was the opportunity to immerse myself in a community where security enthusiasts of all experience levels bring their authentic selves to learn and grow together. As someone committed to continuous learning in cybersecurity, I wanted to both contribute to and benefit from this collaborative environment.
Sessions That Expanded My Security Mindset
1. Hardening GitHub Actions: Protecting Your Pipeline from Attackers by Magno Logan
Key Takeaways:
Cloud-based cryptocurrency miners frequently abuse GitHub Actions and Azure Virtual Machines for monetary gain
Running SAST (Static Application Security Testing) on actions is critical
Tools like KICS.io by Checkmarx can help implement security rules for GitHub Actions workflow files
StepSecurity offers hardened runner detection for compromised actions
Why This Matters To Me: Understanding the vulnerabilities in CI/CD pipelines has opened my eyes to a security domain I hadn’t deeply explored before. As organizations increasingly rely on automated workflows, securing these pipelines becomes crucial for protecting not just code but entire infrastructures. I plan to implement some of these hardening techniques in my own projects to experience firsthand how they impact development workflows.
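The talk's point about running SAST rules over workflow files can be made concrete with a small checker. The code below is an added example of mine, not the speaker's or KICS's own rules; both workflow texts are constructed, and the 40-hex pin is a placeholder, not a real commit. It flags three common workflow weaknesses: actions not pinned to a full commit SHA, no `permissions:` block (so GITHUB_TOKEN keeps its default scopes), and a `pull_request_target` trigger combined with checking out the pull request head.

```python
import re

# Constructed sample workflow (not from the talk) showing three weaknesses.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request_target]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/some-action@main
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm test
"""

# Same job after hardening: read-only token, SHA-pinned action, safe trigger.
# The SHA is a placeholder for illustration, not a real commit.
HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: npm test
"""

USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_PIN = re.compile(r"^\s*-?\s*uses:\s*\S+@[0-9a-f]{40}\s*$")

def lint_workflow(text):
    """Return (rule, detail) findings for one workflow file, in file order."""
    findings = []
    for line in text.splitlines():
        m = USES.match(line)
        if m and not SHA_PIN.match(line):  # tag or branch ref, not a commit
            findings.append(("unpinned-action", m.group(1)))
    if not re.search(r"^\s*permissions:", text, re.MULTILINE):
        findings.append(("missing-permissions", "GITHUB_TOKEN keeps default scopes"))
    if "pull_request_target" in text and re.search(r"pull_request\.head", text):
        findings.append(("untrusted-checkout", "pull_request_target checks out PR head"))
    return findings
```

Running `lint_workflow(SAMPLE_WORKFLOW)` yields four findings, while the hardened file yields none.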
2. Securing Frontends at Scale: Paving Our Way to the Post-XSS World by Aaron Shim and Youssef Attia
Key Takeaways:
DOM XSS remains prevalent because many JavaScript APIs aren’t secure by default
Google’s approach to scaling security includes framework hardening, conformance, safe coding, and observability
Tools like strict-CSP (available on GitHub and npm) offer standardized protection
The Security Web Applications Guidelines Community Group (SWAG) is advancing web security standards
Why This Matters To Me: Frontend security often takes a backseat to backend protections, but this session highlighted the critical importance of a holistic approach. I’m particularly interested in exploring context-aware templating and how “shifting left” through conformance testing can catch vulnerabilities before they reach production. The idea that “if it’s not secure, it should not compile” resonates strongly with my belief in building security into the development process rather than treating it as an afterthought.
3. AI Security is Not New by Emily Choi-Greene
Key Takeaways:
AI security encompasses both training architecture and inference architecture
Many traditional security principles apply to AI systems, despite the new technology
Why This Matters To Me: As someone trying to stay current with emerging technologies, this session was a helpful reminder that while AI brings new challenges, many fundamental security principles remain relevant. I’m curious to explore more about how inference-time attacks differ from traditional application vulnerabilities and what unique protections AI systems require.
4. Unpacking Session ID Security: Entropy, Encoding and Math by Jake Karnes
Key Takeaways:
Session ID security relies heavily on proper entropy and secure encoding
Mathematical principles underpin effective session management
Why This Matters To Me: This session reinforced for me how seemingly small details like session ID generation can have massive security implications. I’m planning to review my current projects to ensure they implement best practices for session management, as this often-overlooked area can be an easy target for attackers.
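To put numbers on the entropy and encoding takeaways, here is an added example of mine (not the speaker's material): it computes the entropy of an ID from its alphabet and length, shows that encoding random bytes changes the string length but not the entropy, estimates an upper bound from an observed ID's apparent alphabet, and generates IDs from a CSPRNG. The 64-bit policy threshold is an assumed value for illustration.

```python
import math
import secrets
import string

HEX = set(string.hexdigits.lower())
B64URL = set(string.ascii_letters + string.digits + "-_")
MIN_BITS = 64  # assumed policy threshold; set it from your own risk model

def entropy_bits(alphabet_size, length):
    """Entropy of an ID whose `length` symbols are drawn uniformly and
    independently from `alphabet_size` symbols (only true for a CSPRNG)."""
    return length * math.log2(alphabet_size)

def encoded_id_bits(nbytes):
    """Entropy of an ID made by encoding `nbytes` CSPRNG bytes: hex doubles
    the length, base64url grows it by 4/3, neither adds a single bit."""
    return 8 * nbytes

def estimate_bits_from_id(session_id):
    """Upper-bound estimate from the apparent alphabet of one observed ID
    (hex -> 4 bits/char, base64url -> 6 bits/char). The true value can be
    lower, e.g. a 22-char base64url token of 16 bytes carries 128, not 132."""
    if set(session_id.lower()) <= HEX:
        return entropy_bits(16, len(session_id))
    if set(session_id) <= B64URL:
        return entropy_bits(64, len(session_id))
    return entropy_bits(len(set(session_id)), len(session_id))

def expected_guesses(bits, valid_ids):
    """Rough average number of blind guesses before one of `valid_ids`
    live session IDs is hit: half the space, divided by live IDs."""
    return 2 ** bits / (2 * valid_ids)

def generate_session_id(nbytes=16):
    """URL-safe base64 of `nbytes` CSPRNG bytes (128 bits by default)."""
    return secrets.token_urlsafe(nbytes)

def meets_policy(nbytes):
    """Does an ID built from `nbytes` random bytes reach MIN_BITS?"""
    return encoded_id_bits(nbytes) >= MIN_BITS
```

A 16-character hex ID and a 32-character hex ID look similar in a cookie jar, but the estimator returns 64 and 128 bits respectively.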
5. How to Sell Your Security Program by Jenn Gile
Key Takeaways:
Effective metrics are crucial for communicating security value to leadership
AI prompting can help identify commonalities in security metrics across organizations
Why This Matters To Me: Technical skills alone aren’t enough in security — the ability to communicate value and gain buy-in is equally important. This session gave me practical ideas for how to frame security initiatives in terms of business value, something I’ve struggled with in the past. I’m excited to apply some of these communication strategies in my current role.
6. Is Anonymity a Myth? Operational Security for Secure Web Access
Key Takeaways:
True anonymity online requires layered protection strategies
Even with precautions, complete anonymity may be increasingly difficult to achieve
Why This Matters To Me: Privacy and anonymity are foundational to secure operations, and this session challenged some of my assumptions about what’s possible in today’s surveillance-heavy internet. I’m planning to research more about operational security measures that balance practicality with effective protection.
Connections and Community
Beyond the technical content, what made volunteering at BSides Seattle truly valuable was the chance to connect with like-minded security professionals. From students just starting their journey to seasoned experts, the conversations during breaks and after sessions provided insights that no slide deck could capture. Volunteering also gave me a behind-the-scenes look at what makes security conferences successful, experience that will be valuable as I become more involved in the community.
Looking Forward
BSides Seattle reinforced my commitment to continuous learning in security. Each session not only provided technical knowledge but also sparked ideas for how I can contribute to the security community moving forward. I’m already looking forward to next year’s event and am considering submitting a talk proposal to share my own experiences and insights.
Looking to stay in the know? Join the BSides Seattle mailing list here: http://eepurl.com/di57FP
Their CFP and volunteer engagement will be open soon in the upcoming months, so keep a lookout if you’re interested as well! Whether you’re a seasoned security professional or just starting your journey, community-driven conferences like BSides offer invaluable opportunities to learn, connect, and grow.