Session 10A: Confidential Computing 2

Authors, Creators & Presenters: Qihang Zhou (Institute of Information Engineering, Chinese Academy of Sciences), Wenzhuo Cao (Institute of Information Engineering, Chinese Academy of Sciences; School of Cyberspace Security, University of Chinese Academy of Sciences), Xiaoqi Jia (Institute of Information Engineering, Chinese Academy of Sciences), Peng Liu (The Pennsylvania State University, USA), Shengzhi Zhang (Department of Computer Science, Metropolitan College, Boston University, USA), Jiayun Chen (Institute of Information Engineering, Chinese Academy of Sciences; School of Cyberspace Security, University of Chinese Academy of Sciences), Shaowen Xu (Institute of Information Engineering, Chinese Academy of Sciences; School of Cyberspace Security, University of Chinese Academy of Sciences), Zhenyu Song (Institute of Information Engineering, Chinese Academy of Science)

PAPER
RContainer: A Secure Container Architecture through Extending ARM CCA Hardware Primitives

Containers have become widely adopted in cloud platforms due to their efficient deployment and high resource utilization. However, their weak isolation has always posed a significant security concern. In this paper, we propose RContainer, a novel secure container architecture that protects containers from untrusted operating systems and enforces strong isolation among containers by extending ARM Confidential Computing Architecture (CCA) hardware primitives. RContainer introduces a small, trusted mini-OS that runs alongside the deprivileged OS, responsible for monitoring the control flow between the operating system and containers. Additionally, RContainer uses shim-style isolation, creating an isolated physical address space called con-shim for each container at the kernel layer through the Granule Protection Check mechanism. We have implemented RContainer on ARMv9-A Fixed Virtual Platform and ARMv8 hardware SoC for security analysis and performance evaluation. Experimental results demonstrate that RContainer can significantly enhance container security with a modest performance overhead and a minimal Trusted Computing Base (TCB).

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – RContainer appeared first on Security Boulevard.

Session 10A: Confidential Computing 2

Authors, Creators & Presenters: Byeongwook Kim (Seoul National University), Jaewon Hur (Seoul National University), Adil Ahmad (Arizona State University), Byoungyoung Lee (Seoul National University)

PAPER
Secure Data Analytics in Apache Spark with Fine-grained Policy Enforcement and Isolated Execution

Cloud based Spark platform is a tempting approach for sharing data, as it allows data users to easily analyze the data while the owners to efficiently share the large volume of data. However, the absence of a robust policy enforcement mechanism on Spark hinders the data owners from sharing their data due to the risk of private data breach. In this respect, we found that malicious data users and cloud managers can easily leak the data by constructing a policy violating physical plan, compromising the Spark libraries, or even compromising the Spark cluster itself. Nonetheless, current approaches fail to securely and generally enforce the policies on Spark, as they do not check the policies on physical plan level, and they do not protect the integrity of data analysis pipeline. This paper presents Laputa, a secure policy enforcement framework on Spark. Specifically, Laputa designs a pattern matching based policy checking on the physical plans, which is generally applicable to Spark applications with more fine-grained policies. Then, Laputa compartmentalizes Spark applications based on confidential computing, by which the entire data analysis pipeline is protected from the malicious data users and cloud managers. Meanwhile, Laputa preserves the usability as the data users can run their Spark applications on Laputa with minimal modification. We implemented Laputa, and evaluated its security and performance aspects on TPC-H, Big Data benchmarks, and real world applications using ML models. The evaluation results demonstrated that Laputa correctly blocks malicious Spark applications while imposing moderate performance overheads.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – Secure Data Analytics appeared first on Security Boulevard.

Session 10A: Confidential Computing 2

Authors, Creators & Presenters: Weili Wang (Southern University of Science and Technology), Honghan Ji (ByteDance Inc.), Peixuan He (ByteDance Inc.), Yao Zhang (ByteDance Inc.), Ye Wu (ByteDance Inc.), Yinqian Zhang (Southern University of Science and Technology)

PAPER
WAVEN: WebAssembly Memory Virtualization for Enclaves

The advancement of trusted execution environments (TEEs) has enabled the confidential computing paradigm and created new application scenarios for WebAssembly (Wasm). "Wasm+TEE" designs achieve in-enclave multi-tenancy with strong isolation, facilitating concurrent execution of untrusted code instances from multiple users. However, the linear memory model of Wasm lacks efficient cross-module data sharing and fine-grained memory access control, significantly restricting its applications in certain confidential computing scenarios where secure data sharing is essential (e.g., confidential stateful FaaS and data marketplaces). In this paper, we propose WAVEN (WebAssembly Memory Virtualization for ENclaves), a novel WebAssembly memory virtualization scheme, to enable memory sharing among Wasm modules and page-level access control. We implement WAVEN atop WAMR, a popular Wasm runtime for TEEs, and empirically demonstrate its efficiency and effectiveness. To the best of our knowledge, our work represents the first approach that enables cross-module memory sharing with fine-grained memory access control in Wasm.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – WAVEN: WebAssembly Memory Virtualization For Enclaves appeared first on Security Boulevard.

Session 9D: Github + OSN Security

Authors, Creators & Presenters: Jan-Ulrich Holtgrave (CISPA Helmholtz Center for Information Security), Kay Friedrich (CISPA Helmholtz Center for Information Security), Fabian Fischer (CISPA Helmholtz Center for Information Security), Nicolas Huaman (Leibniz University Hannover), Niklas Busch (CISPA Helmholtz Center for Information Security), Jan H. Klemmer (CISPA Helmholtz Center for Information Security), Marcel Fourné (Paderborn University), Oliver Wiese (CISPA Helmholtz Center for Information Security), Dominik Wermke (North Carolina State University), Sascha Fahl (CISPA Helmholtz Center for Information Security)

PAPER
Attributing Open-Source Contributions is Critical but Difficult: A Systematic Analysis of GitHub Practices and Their Impact on Software Supply Chain Security

Critical open-source projects form the basis of many large software systems. They provide trusted and extensible implementations of important functionality for cryptography, compatibility, and security. Verifying commit authorship authenticity in open-source projects is essential and challenging. Git users can freely configure author details such as names and email addresses. Platforms like GitHub use such information to generate profile links to user accounts. We demonstrate three attack scenarios malicious actors can use to manipulate projects and profiles on GitHub to appear trustworthy. We designed a mixed-research study to assess the effect on critical open-source software projects and evaluated countermeasures. First, we conducted a large-scale measurement among 50,328 critical open-source projects on GitHub and demonstrated that contribution workflows can be abused in 85.9% of the projects. We identified 573,043 email addresses that a malicious actor can claim to hijack historic contributions and improve the trustworthiness of their accounts. When looking at commit signing as a countermeasure, we found that the majority of users (95.4%) never signed a commit, and for the majority of projects (72.1%), no commit was ever signed. In contrast, only 2.0% of the users signed all their commits, and for 0.2% of the projects all commits were signed. Commit signing is not associated with projects' programming languages, topics, or other security measures. Second, we analyzed online security advice to explore the awareness of contributor spoofing and identify recommended countermeasures. Most documents exhibit awareness of the simple spoofing technique via Git commits but no awareness of problems with GitHub's handling of email addresses.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – Attributing Open-Source Contributions Is Critical But Difficult appeared first on Security Boulevard.

Session 9D: Github + OSN Security

Authors, Creators & Presenters: Aditya Sirish A Yelgundhalli (New York University), Patrick Zielinski (New York University), Reza Curtmola (New Jersey Institute of Technology), Justin Cappos (New York University)

PAPER
Rethinking Trust In Forge-Based Git Security

Git is the most popular version control system today, with Git forges such as GitHub, GitLab, and Bitbucket used to add functionality. Significantly, these forges are used to enforce security controls. However, due to the lack of an open protocol for ensuring a repository's integrity, forges cannot prove themselves to be trustworthy, and have to carry the responsibility of being non-verifiable trusted third parties in modern software supply chains. In this paper, we present gittuf, a system that decentralizes Git security and enables every user to contribute to collectively enforcing the repository's security. First, gittuf enables distributing of policy declaration and management responsibilities among more parties such that no single user is trusted entirely or unilaterally. Second, gittuf decentralizes the tracking of repository activity, ensuring that a single entity cannot manipulate repository events. Third, gittuf decentralizes policy enforcement by enabling all developers to independently verify the policy, eliminating the single point of trust placed in the forge as the only arbiter for whether a change in the repository is authorized. Thus, gittuf can provide strong security guarantees in the event of a compromise of the centralized forge, the underlying infrastructure, or a subset of privileged developers trusted to set policy. gittuf also implements policy features that can protect against unauthorized changes to branches and tags i.e., pushes as well as files/folders i.e., commits. Our analysis of gittuf shows that its properties and policy features provide protections against previously seen version control system attacks. In addition, our evaluation of gittuf shows it is viable even for large repositories with a high volume of activity such as those of Git and Kubernetes (less than 4% storage overhead and under 0.59s of time to verify each push).

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – Rethinking Trust In Forge-Based Git Security appeared first on Security Boulevard.

Session 9D: Github + OSN Security

Authors, Creators & Presenters: Aditya Sirish A Yelgundhalli (New York University), Patrick Zielinski (New York University), Reza Curtmola (New Jersey Institute of Technology), Justin Cappos (New York University)

PAPER
Rethinking Trust In Forge-Based Git Security

Git is the most popular version control system today, with Git forges such as GitHub, GitLab, and Bitbucket used to add functionality. Significantly, these forges are used to enforce security controls. However, due to the lack of an open protocol for ensuring a repository's integrity, forges cannot prove themselves to be trustworthy, and have to carry the responsibility of being non-verifiable trusted third parties in modern software supply chains. In this paper, we present gittuf, a system that decentralizes Git security and enables every user to contribute to collectively enforcing the repository's security. First, gittuf enables distributing of policy declaration and management responsibilities among more parties such that no single user is trusted entirely or unilaterally. Second, gittuf decentralizes the tracking of repository activity, ensuring that a single entity cannot manipulate repository events. Third, gittuf decentralizes policy enforcement by enabling all developers to independently verify the policy, eliminating the single point of trust placed in the forge as the only arbiter for whether a change in the repository is authorized. Thus, gittuf can provide strong security guarantees in the event of a compromise of the centralized forge, the underlying infrastructure, or a subset of privileged developers trusted to set policy. gittuf also implements policy features that can protect against unauthorized changes to branches and tags i.e., pushes as well as files/folders i.e., commits. Our analysis of gittuf shows that its properties and policy features provide protections against previously seen version control system attacks. In addition, our evaluation of gittuf shows it is viable even for large repositories with a high volume of activity such as those of Git and Kubernetes (less than 4% storage overhead and under 0.59s of time to verify each push).

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – Rethinking Trust In Forge-Based Git Security appeared first on Security Boulevard.

Session 9D: Github + OSN Security

Authors, Creators & Presenters: Jian Cui (Indiana University), Hanna Kim (KAIST), Eugene Jang (S2W Inc.), Dayeon Yim (S2W Inc.), Kicheol Kim (S2W Inc.), Yongjae Lee (S2W Inc.), Jin-Woo Chung (S2W Inc.), Seungwon Shin (KAIST), Xiaojing Liao (Indiana University)

PAPER
Tweezers: A Framework For Security Event Detection Via Event Attribution-Centric Tweet Embedding

Twitter is recognized as a crucial platform for the dissemination and gathering of Cyber Threat Intelligence (CTI). Its capability to provide real-time, actionable intelligence makes it a indispensable tool for detecting security events, helping security professionals cope with ever-growing threats. However, the large volume of tweets and inherent noises of human-crafted tweets pose significant challenges in accurately identifying security events. While many studies tried to filter out event-related tweets based on keywords, they are not effective due to their limitation in understanding the semantics of tweets. Another challenge in security event detection from Twitter is the comprehensive coverage of security events. Previous studies emphasized the importance of early detection of security events, but they overlooked the importance of event coverage. To cope with these challenges, in our study, we introduce a novel event attribution-centric tweet embedding method to enable the high precision and coverage of events. Our experiment result shows that the proposed method outperforms existing text and graph-based tweet embedding methods in identifying security events. Leveraging this novel embedding approach, we have developed and implemented a framework, Tweezers, that is applicable to security event detection from Twitter for CTI gathering. This framework has demonstrated its effectiveness, detecting twice as many events compared to established baselines. Additionally, we have showcased two applications, built on Tweezers for the integration and inspection of security events, i.e., security event trend analysis and informative security user identification.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – Tweezers appeared first on Security Boulevard.

Authors, Creators & Presenters: Zhuo Chen (Zhejiang University), Yufeng Hu (Zhejiang University), Bowen He (Zhejiang University), Dong Luo (Zhejiang University), Lei Wu (Zhejiang University), Yajin Zhou (Zhejiang University)

PAPER
Dissecting Payload-Based Transaction Phishing On Ethereum

In recent years, a more advanced form of phishing has arisen on Ethereum, surpassing early-stage, simple transaction phishing. This new form, which we refer to as payload-based transaction phishing (PTXPHISH), manipulates smart contract interactions through the execution of malicious payloads to deceive users. PTXPHISH has rapidly emerged as a significant threat, leading to incidents that caused losses exceeding $70 million in 2023 reports. Despite its substantial impact, no previous studies have systematically explored PTXPHISH. In this paper, we present the first comprehensive study of the PTXPHISH on Ethereum. Firstly, we conduct a long-term data collection and put considerable effort into establishing the first ground-truth PTXPHISH dataset, consisting of 5,000 phishing transactions. Based on the dataset, we dissect PTXPHISH, categorizing phishing tactics into four primary categories and eleven sub-categories. Secondly, we propose a rule-based multi-dimensional detection approach to identify PTXPHISH, achieving an F1-score of over 99% and processing each block in an average of 390 ms. Finally, we conduct a large-scale detection spanning 300 days and discover a total of 130,637 phishing transactions on Ethereum, resulting in losses exceeding $341.9 million. Our in-depth analysis of these phishing transactions yielded valuable and insightful findings. Scammers consume approximately 13.4 ETH daily, which accounts for 12.5% of the total Ethereum gas, to propagate address poisoning scams. Additionally, our analysis reveals patterns in the cash-out process employed by phishing scammers, and we find that the top five phishing organizations are responsible for 40.7% of all losses. Furthermore, our work has made significant contributions to mitigating real-world threats. We have reported 1,726 phishing addresses to the community, accounting for 42.7% of total community contributions during the same period. Additionally, we have sent 2,539 on-chain alert messages, assisting 1,980 victims. This research serves as a valuable reference in combating the emerging PTXPHISH and safeguarding users' assets.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – Dissecting Payload-Based Transaction Phishing On Ethereum appeared first on Security Boulevard.

Session 9C: Phishing & Fraud 2

Authors, Creators & Presenters: Boladji Vinny Adjibi (Georgia Tech), Athanasios Avgetidis (Georgia Tech), Manos Antonakakis (Georgia Tech), Michael Bailey (Georgia Tech), Fabian Monrose (Georgia Tech)

PAPER
The Guardians of Name Street: Studying the Defensive Registration Practices of the Fortune 500

Using orthographic, phonetic, and semantic models, we study the prevalence of defensive registrations related to a wide spectrum of transformations of the base domain names of Fortune 500 companies. As part of a large-scale evaluation, we explore several questions aimed at (a) understanding whether there are explainable factors (e.g., the size of the company's security team or its domain name's popularity rank) that correlate with a company's level of engagement regarding defensive registrations; (b) identifying the main actors in the defensive registration ecosystem that Fortune 500 companies rely upon; (c) uncovering the strategies used by these actors, and d) assessing the efficacy of those strategies from the perspective of queries emanating from a large Internet Service Provider (ISP). Overall, we identified 19,523 domain names defensively registered by 447 Fortune 500 companies. These companies engage in defensive registrations sparingly, with almost 200 companies having fewer than ten defensive registrations. By analyzing the registrations, we found many similarities between the types of domain names the companies registered. For instance, they all registered many TLD-squatting domain names. As it turns out, those similarities are due to the companies' reliance on online brand protection (OBP) service providers to protect their brands. Our analysis of the efficacy of the strategies of those OBPs showed that they register domain names that receive most of the potential squatting traffic. Using regression models, we learned from those strategies to provide recommendations for future defensive registrants. Our measurement also revealed many domain names that received high proportions of traffic over long periods of time and could be registered for only 15 USD. To prevent the abusive use of such domain names, we recommend that OBP providers proactively leverage passive DNS data to identify and preemptively register highly queried available domain names.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – Studying the Defensive Registration Practices of the Fortune 500 appeared first on Security Boulevard.

Session 9B: DNN Attack Surfaces

Authors, Creators & Presenters: Myungsuk Moon (Yonsei University), Minhee Kim (Yonsei University), Joonkyo Jung (Yonsei University), Dokyung Song (Yonsei University)

PAPER
ASGARD: Protecting On-Device Deep Neural Networks with Virtualization-Based Trusted Execution Environments

On-device deep learning, increasingly popular for enhancing user privacy, now poses a serious risk to the privacy of deep neural network (DNN) models. Researchers have proposed to leverage Arm TrustZone's trusted execution environment (TEE) to protect models from attacks originating in the rich execution environment (REE). Existing solutions, however, fall short: (i) those that fully contain DNN inference within a TEE either support inference on CPUs only, or require substantial modifications to closed-source proprietary software for incorporating accelerators; (ii) those that offload part of DNN inference to the REE either leave a portion of DNNs unprotected, or incur large run-time overheads due to frequent model (de)obfuscation and TEE-to-REE exits. We present ASGARD, the first virtualization-based TEE solution designed to protect on-device DNNs on legacy Armv8-A SoCs. Unlike prior work that uses TrustZone-based TEEs for model protection, ASGARD's TEEs remain compatible with existing proprietary software, maintain the trusted computing base (TCB) minimal, and incur near-zero run-time overhead. To this end, ASGARD (i) securely extends the boundaries of an existing TEE to incorporate an SoC-integrated accelerator via secure I/O passthrough, (ii) tightly controls the size of the TCB via our aggressive yet security-preserving platform- and application-level TCB debloating techniques, and (iii) mitigates the number of costly TEE-to-REE exits via our exit-coalescing DNN execution planning. We implemented ASGARD on RK3588S, an Armv8.2-A-based commodity Android platform equipped with a Rockchip NPU, without modifying Rockchip- nor Arm-proprietary software. Our evaluation demonstrates that ASGARD effectively protects on-device DNNs in legacy SoCs with a minimal TCB size and negligible inference latency overhead.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – ASGARD appeared first on Security Boulevard.

Session 9B: DNN Attack Surfaces

Authors, Creators & Presenters: Yanzuo Chen (The Hong Kong University of Science and Technology), Yuanyuan Yuan (The Hong Kong University of Science and Technology), Zhibo Liu (The Hong Kong University of Science and Technology), Sihang Hu (Huawei Technologies), Tianxiang Li (Huawei Technologies), Shuai Wang (The Hong Kong University of Science and Technology)

PAPER
BitShield: Defending Against Bit-Flip Attacks on DNN Executables

Recent research has demonstrated the severity and prevalence of bit-flip attacks (BFAs; e.g., with Rowhammer techniques) on deep neural networks (DNNs). BFAs can manipulate DNN prediction and completely deplete DNN intelligence, and can be launched against both DNNs running on deep learning (DL) frameworks like PyTorch, as well as those compiled into standalone executables by DL compilers. While BFA defenses have been proposed for models on DL frameworks, we find them incapable of protecting DNN executables due to the new attack vectors on these executables. This paper proposes the first defense against BFA for DNN executables. We first present a motivating study to demonstrate the fragility and unique attack surfaces of DNN executables. Specifically, attackers can flip bits in the section to alter the computation logic of DNN executables and consequently manipulate DNN predictions; previous defenses guarding model weights can also be easily evaded when implemented in DNN executables. Subsequently, we propose BitShield, a full-fledged defense that detects BFAs targeting both data and sections in DNN executables. We novelly model BFA on DNN executables as a process to corrupt their semantics, and base BitShield on semantic integrity checks. Moreover, by deliberately fusing code checksum routines into a DNN's semantics, we make BitShield highly resilient against BFAs targeting itself. BitShield is integrated in a popular DL compiler (Amazon TVM) and is compatible with all existing compilation and optimization passes. Unlike prior defenses, BitShield is designed to protect more vulnerable full-precision DNNs and does not assume specific attack methods, exhibiting high generality. BitShield also proactively detects ongoing BFA attempts instead of passively hardening DNNs. Evaluations show that BitShield provides strong protection against BFAs (average mitigation rate 97.51%) with low performance overhead (2.47% on average) even when faced with fully white-box, powerful attackers.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – BitShield: Defending Against Bit-Flip Attacks On DNN Executables appeared first on Security Boulevard.

Session 9B: DNN Attack Surfaces

Authors, Creators & Presenters: Yanzuo Chen (The Hong Kong University of Science and Technology), Zhibo Liu (The Hong Kong University of Science and Technology), Yuanyuan Yuan (The Hong Kong University of Science and Technology), Sihang Hu (Huawei Technologies), Tianxiang Li (Huawei Technologies), Shuai Wang (The Hong Kong University of Science and Technology)

PAPER
Compiled Models, Built-In Exploits: Uncovering Pervasive Bit-Flip Attack Surfaces in DNN Executables

Recent research has shown that bit-flip attacks (BFAs) can manipulate deep neural networks (DNNs) via DRAM Rowhammer exploitations. For high-level DNN models running on deep learning (DL) frameworks like PyTorch, extensive BFAs have been conducted to flip bits in model weights and shown effective. Defenses have also been proposed to guard model weights. Nevertheless, DNNs are increasingly compiled into DNN executables by DL compilers to leverage hardware primitives. These executables manifest new and distinct computation paradigms; we find existing research failing to accurately capture and expose the attack surface of BFAs on DNN executables. To this end, we launch the first systematic study of BFAs on DNN executables and reveal new attack surfaces neglected or underestimated in previous work. Specifically, prior BFAs in DL frameworks are limited to attacking model weights and assume a strong whitebox attacker with full knowledge of victim model weights, which is unrealistic as weights are often confidential. In contrast, we find that BFAs on DNN executables can achieve high effectiveness by exploiting the model structure (usually stored in the executable code), which only requires knowing the (often public) model structure. Importantly, such structure-based BFAs are pervasive, transferable, and more severe (e.g., single-bit flips lead to successful attacks) in DNN executables; they also slip past existing defenses. To realistically demonstrate the new attack surfaces, we assume a weak and more realistic attacker with no knowledge of victim model weights. We design an automated tool to identify vulnerable bits in victim executables with high confidence (70% compared to the baseline 2%). Launching this tool on DDR4 DRAM, we show that only 1.4 flips on average are needed to fully downgrade the accuracy of victim executables, including quantized models which could require 23× more flips previously, to random guesses. We comprehensively evaluate 16 DNN executables, covering three large-scale DNN models trained on three commonly-used datasets compiled by the two most popular DL compilers. Our finding calls for incorporating security mechanisms in future DNN compilation toolchains.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – Compiled Models, Built-In Exploits appeared first on Security Boulevard.

Session 9A: Android Security 2

Authors, Creators & Presenters: Zeyu Lei (Purdue University), Güliz Seray Tuncay (Google), Beatrice Carissa Williem (Purdue University), Z. Berkay Celik (Purdue University), Antonio Bianchi (Purdue University)

PAPER
ScopeVerif: Analyzing the Security of Android's Scoped Storage via Differential Analysi

Storage on Android has evolved significantly over the years, with each new Android version introducing changes aimed at enhancing usability, security, and privacy. While these updates typically help with restricting app access to storage through various mechanisms, they may occasionally introduce new complexities and vulnerabilities. A prime example is the introduction of scoped storage in Android 10, which fundamentally changed how apps interact with files. While intended to enhance user privacy by limiting broad access to shared storage, scoped storage has also presented developers with new challenges and potential vulnerabilities to address. However, despite its significance for user privacy and app functionality, no systematic studies have been performed to study Android's scoped storage at depth from a security perspective. In this paper, we present the first systematic security analysis of the scoped storage mechanism. To this end, we design and implement a testing tool, named ScopeVerif, that relies on differential analysis to uncover security issues and implementation inconsistencies in Android's storage. Specifically, ScopeVerif takes a list of security properties and checks if there are any file operations that violate any security properties defined in the official Android documentation. Additionally, we conduct a comprehensive analysis across different Android versions as well as a cross-OEM analysis to identify discrepancies in different implementations and their security implications. Our study identifies both known and unknown issues of scoped storage. Our cross-version analysis highlights undocumented changes as well as partially fixed security loopholes across versions. Additionally, we discovered several vulnerabilities in scoped storage implementations by different OEMs. These vulnerabilities stem from deviations from the documented and correct behavior, which potentially poses security risks. The affected OEMs and Google have acknowledged our findings and offered us bug bounties in response.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – ScopeVerif: Analyzing The Security Of Android’s Scoped Storage Via Differential Analysis appeared first on Security Boulevard.

Session 9A: Android Security 2

Authors, Creators & Presenters: Daniel Klischies (Ruhr University Bochum), Philipp Mackensen (Ruhr University Bochum), Veelasha Moonsamy (Ruhr University Bochum)

PAPER
Vulnerability, Where Art Thou? An Investigation of Vulnerability Management in Android Smartphone Chipsets

Vulnerabilities in Android smartphone chipsets have severe consequences, as recent real-world attacks have demonstrated that adversaries can leverage vulnerabilities to execute arbitrary code or exfiltrate confidential information. Despite the far-reaching impact of such attacks, the lifecycle of chipset vulnerabilities has yet to be investigated, with existing papers primarily investigating vulnerabilities in the Android operating system. This paper provides a comprehensive and empirical study of the current state of smartphone chipset vulnerability management within the Android ecosystem. For the first time, we create a unified knowledge base of 3,676 chipset vulnerabilities affecting 437 chipset models from all four major chipset manufacturers, combined with 6,866 smartphone models. Our analysis revealed that the same vulnerabilities are often included in multiple generations of chipsets, providing novel empirical evidence that vulnerabilities are inherited through multiple chipset generations. Furthermore, we demonstrate that the commonly accepted 90-day responsible vulnerability disclosure period is seldom adhered to. We find that a single vulnerability often affects hundreds to thousands of different smartphone models, for which update availability is, as we show, often unclear or heavily delayed. Leveraging the new insights gained from our empirical analysis, we recommend several changes that chipset manufacturers can implement to improve the security posture of their products. At the same time, our knowledge base enables academic researchers to conduct more representative evaluations of smartphone chipsets, accurately assess the impact of vulnerabilities they discover, and identify avenues for future research.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – Vulnerability, Where Art Thou? Vulnerability Management In Android Smartphone Chipsets appeared first on Security Boulevard.

Session 8D: Usability Meets Privacy

Authors, Creators & Presenters: Tongxin Wei (Nankai University), Ding Wang (Nankai University), Yutong Li (Nankai University), Yuehuan Wang (Nankai University)

PAPER
"Who Is Trying To Access My Account?"

Risk-based authentication (RBA) is gaining popularity and RBA notifications promptly alert users to protect their accounts from unauthorized access. Recent research indicates that users can identify legitimate login notifications triggered by themselves. However, little attention has been paid to whether RBA notifications triggered by non-account holders can effectively raise users' awareness of crises and prevent potential attacks. In this paper, we invite 258 online participants and 15 offline participants to explore users' perceptions, reactions, and expectations for three types of RBA notifications (i.e., RBA notifications triggered by correct passwords, incorrect passwords, and password resets). The results show that over 90% of participants consider RBA notifications important. Users do not show significant differences in their feelings and behaviors towards the three types of RBA notifications, but they have distinct expectations for each type. Most participants feel suspicious, nervous, and anxious upon receiving the three types of RBA notifications not triggered by themselves. Consequently, users immediately review the full content of the notification. 46% of users suspect that RBA notifications might be phishing attempts, while categorizing them as potential phishing attacks or spam may lead to ineffective account protection. Despite these suspicions, 65% of users still log into their accounts to check for suspicious activities and take no further action if no abnormalities are found. Additionally, the current format of RBA notifications fails to gain users' trust and meet their expectations. Our findings indicate that RBA notifications need to provide more detailed information about suspicious access, offer additional security measures, and clearly explain the risks involved. Finally, we offer five design recommendations for RBA notifications to better mitigate potential risks and enhance account security.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – “Who Is Trying To Access My Account?” appeared first on Security Boulevard.

Session 8D: Usability Meets Privacy

Authors, Creators & Presenters: Jingwen Yan (Clemson University), Song Liao (Texas Tech University), Mohammed Aldeen (Clemson University), Luyi Xing (Indiana University Bloomington), Danfeng (Daphne) Yao (Virginia Tech), Long Cheng (Clemson University)

PAPER
SKILLPoV: Towards Accessible And Effective Privacv Notice For Amazon Alexa Skills

Despite the popularity and many convenient features of Amazon Alexa, concerns about privacy risks to users are rising since many Alexa voice-apps (called skills) may collect user data during the interaction with Alexa devices. Informing users about data collection in skills is essential for addressing their privacy concerns. However, the constrained interfaces of Alexa pose a challenge to effective privacy notices, where currently Alexa users can only access privacy policies of skills over the Web or smartphone apps. This in particular creates a challenge for visually impaired users to make informed privacy decisions. In this work, we propose the concept of Privacy Notice over Voice, an accessible and inclusive mechanism to make users aware of the data practices of Alexa skills through the conversational interface: for each skill, we will generate a short and easily understandable privacy notice and play it to users at the beginning of the skill in voice. We first conduct a user study involving 52 smart speaker users and 21 Alexa skill developers to understand their attitudes toward data collection and the Privacy Notice over Voice mechanism. 92.3% of participants liked the design of Privacy Notice over Voice and 70.2% of participants agreed that such mechanism provides better accessibility and readability than traditional privacy policies for Alexa users. Informed by our user study results, we design and develop a tool named SKILLPoV (Skill's Privacy Notice over Voice) to automatically generate a reference implementation of Privacy Notice over Voice through static code analysis and instrumentation. With comprehensive evaluation, we demonstrate the effectiveness of SKILLPoV in capturing data collection (91.3% accuracy and 96.4% completeness) from skill code, generating concise and accurate privacy notice content using ChatGPT, and instrumenting skill code with the new privacy notice mechanism without altering the original functionality. In particular, SKILLPoV receives positive and encouraging feedback after real-world testing conducted by skill developers.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – SKILLPoV: Towards Accessible And Effective Privacv Notice For Amazon Alexa Skills appeared first on Security Boulevard.

Cybersecurity officers tasked with finding and mitigating vulnerabilities in government organizations are already operating at capacity—and it’s not getting any easier.

First, the constant push for fast paced, develop-test-deploy cycles continuously introduces risk of new vulnerabilities. Then there are changes in mission at the agency level, plus competing priorities to develop while simultaneously trying to secure everything (heard of DevSecOps?). Without additional capacity, it’s difficult to find exploitable critical vulnerabilities, remediate at scale and execute human-led offensive testing of the entire attack surface. 

The traditional remedy for increased security demands has been to increase penetration testing in the tried and true fashion: hire a consulting firm or a single (and usually junior) FTE to pentest the assets that are glaring red. That method worked for most agencies, through 2007 anyway. In 2022, however, traditional methodology isn’t realistic. It doesn’t address the ongoing deficiencies in security testing capacity or capability. It’s also too slow and doesn’t scale for government agencies.

So in the face of an acute cybersecurity talent shortage, what’s a mission leader’s best option if they want to improve and expand their cybersecurity testing program, discover and mitigate vulnerabilities rapidly, and incorporate findings into their overall intelligence collection management framework? 

Security leaders should ask themselves the following questions as they look to scale their offensive and vulnerability intelligence programs:

• Do we have continuous oversight into which assets are being tested, where and how much? 
• Are we assessing vulnerabilities based on the Cybersecurity Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog, or are we assessing vulnerabilities using the Common Vulnerability Scoring System (CVSS) calculator? 
• Are we operationalizing penetration test results by integrating them into our SIEM/SOAR and security ops workflow, so we can visualize the big picture of vulnerabilities across our various assets? 
• Are we prioritizing and mitigating the most critical vulnerabilities to our mission expediently? 

There is a way to kick-start a better security testing experience—in a FedRAMP Moderate environment with a diverse community of security researchers that provide scale to support the largest of directorates with global footprints. The Synack Platform pairs the talents of the Synack Red Team, a group of elite bug hunters, with continuous scanning and reporting capabilities.

Together, this pairing empowers cybersecurity officers to know what’s being tested, where it’s happening, and how much testing is being done with vulnerability intelligence. Correlated with publicly available information (PAI) and threat intelligence feeds, the blend of insights can further enhance an agency’s offensive cybersecurity stance and improve risk reduction efforts.

Synack helps government agencies mitigate cybersecurity hiring hurdles and the talent gap by delivering the offensive workforce needed quickly and at scale to ensure compliance and reduce risk. And we’re trusted by dozens of government agencies. By adding Synack Red Team mission findings into workflows for vulnerability assessment, security operations teams are given the vulnerability data needed to make faster and more informed decisions.

Intrigued? Let’s set up an intelligent demo. If you’re attending the Intelligence & National Security Summit at the Gaylord in National Harbor, Md., next week, we’ll be there attending sessions and chatting with officers at Kiosk 124. We hope to see you there! 

Luke Luckett is Senior Product Marketing Manager at Synack.

The post Accelerated Decision-making in Cybersecurity Requires Actionable Vulnerability Intelligence appeared first on Synack.

The Black Hat cybersecurity conference celebrated its 25th birthday in Las Vegas this week – and Synack was there to mark the occasion in style.

We staged a safari adventure in the Black Hat Business Hall, replete with hanging vines, lush foliage, cheetah swag and the sounds of the jungle. We showed attendees how our security testing platform can be their trusted guide by offering access to our highly skilled, vetted and diverse crew of Synack Red Team security researchers.

When it comes to cybersecurity, it’s a jungle out there. Black Hat speakers drove home just how tangled and daunting the threat landscape has become.

“Things are going to get worse before they get better,” said Chris Krebs, inaugural director of the Cybersecurity and Infrastructure Security Agency, who delivered Black Hat’s keynote Wednesday. “The bad actors are getting their wins, and until we make meaningful consequences and impose costs on them, they will continue.”

Krebs, a founding partner of the Krebs Stamos Group cyber consultancy, also spoke to the urgency of the talent gap in cybersecurity that stands at an estimated 700,000 infosec pros in the U.S. alone and at least four times that number globally.

“It’s been confounding to me how we continue to face workforce shortages,” Krebs said. “We hear about the 3 million open cybersecurity jobs in the community, and I’m just trying to figure out why are we not solving the gap.”

Here are some other themes to emerge from this year’s talks:

• Ransomware remains a top-tier threat. To coincide with Black Hat, the U.S. State Department announced it’s offering a $10 million reward for information on several members of the Conti ransomware gang, which has wreaked havoc in U.S. healthcare and emergency services networks.
• The COVID-era digital transformation is here to stay. Underscoring that point, organizers held Black Hat in a hybrid format, with some infosec pros visiting Las Vegas in person and others tuning in online. (We followed suit, offering a Synack virtual booth experience – though remote attendees missed out on smoothies and Jungle Juice at our tiki bar.) COVID has spurred a rush to the cloud, introducing new challenges and vulnerabilities as employees log in from home.
• API security is a leading concern for CISOs. No one said securing application programming interfaces would be easy. From misconfigurations to vulnerabilities, APIs present a deluge of cyber risks despite being the beating heart of many modern applications. The Business Hall was abuzz over API security, but no one seems to have cracked the code as new breaches crop up seemingly every day.
• The pace of DevOps calls for constant security testing. The continuous integration and continuous deployment (CI/CD) pipeline empowers developers to make fast and efficient changes to their code, removing bottlenecks by automating the process as much as possible. But CI/CD pipelines now “control so much” that they’re upending the cyber risk environment for many organizations by introducing supply chain vulnerabilities, Chris Eng, chief research officer at Veracode, said in a closing panel yesterday. “It’s a different threat model than 10 years ago, when all you had to worry about was being attacked directly, or individually,” he said.
• Log4j is simple to exploit but still hard to find. The bombshell Log4j vulnerability sent security teams scrambling when it came to light in December 2021. But we’ve hardly seen the last of the critical flaw in the popular open source logging tool. “Easy stuff to exploit got cleaned up, but I think you will continue to see malicious threat actors innovate the way they find and exploit this,” said Heather Adkins, vice president of security engineering at Google, at a Black Hat talk on Log4j. “It will be around for a long, long time.”

Our Black Hat Experience

Synack solutions architect Hudney Piquant spoke to how seemingly secure attack surfaces can be vulnerable tomorrow to long-lasting threats like Log4j. Piquant shared his cyber survival knowledge in “the Cave” at Synack’s Black Hat booth, where members of the Synack Red Team also offered hard-won insights into remediating vulnerabilities that matter.

“To survive, companies need to start discovering their assets, analyzing their assets with a hacker’s perspective and continuously scanning their external attack surface,” Piquant said. “The reason all three of these things are important is because hackers are doing all three things as well.”

We’d like to thank everyone who stopped by our booth, scheduled one-on-one meetings with us in our executive suite at the Delano Hotel or joined us at the many events we organized or attended throughout Black Hat.

We enjoyed some friendly competition in a 9-hole golf tournament to kick off the week, co-hosted an exclusive whiskey tasting with Microsoft, sponsored a reception at the Cosmopolitan with the Retail and Hospitality Information Sharing and Analysis Center and raised a glass with security peers and investors at a happy hour held by GGV Capital and its portfolio partners.

And that’s not to mention our Rainbow-level sponsorship of the Diana Initiative conference that coincided with Black Hat, our many customer and employee dinners, the one-on-one meetings in our suite and the memorable product demos with security practitioners. We also boosted global reforestation by supporting One Tree Planted at our jungle-themed booth. 

If you missed us at Black Hat, don’t worry: Many Synackers and SRT members are sticking around in Vegas for DEF CON, which runs through Sunday! Look out for the security pros wearing swanky tuxedo shirts, in line with DEF CON’s “Hacker Homecoming” theme. And you can always click here to schedule a demo to learn how Synack’s platform can help deliver a better security testing experience.

In the meantime, we wish you luck as you continue your journey through the cyber wilderness!  

The post Synack at Black Hat: Leading You Through the Security Jungle appeared first on Synack.

Emily is the Artemis Red Team lead and community engagement manager at Synack. 

It’s past time for the cybersecurity industry to confront our diversity crisis as we work to close a talent gap that stands at 700,000 unfilled positions in the U.S. alone.

The Diana Initiative is dedicated to solving this national security challenge, and we at Synack are proud to support the nonprofit’s marquee event in Las Vegas next month as a Rainbow Sponsor. 

At the conference, I’ll also be sharing hard-won lessons from my own experience fostering a community for women, trans and nonbinary people to champion a more inclusive cyber workforce. I hope you’ll join me and Synack’s senior director of community Ryan Rutan, either in-person or virtual (for free), on Aug. 10 at 4 p.m. PST for our talk on Red-Teaming Cyber’s Diversity Problem at the Westin Las Vegas.

We’ll be discussing the origins of our Artemis Red Team, in which we combined mentorship opportunities, education resources and even a bit of game theory to elevate underrepresented voices in cybersecurity. The program launched late last year as a sub-community of our Synack Red Team, a group of 1,500+ top-notch security researchers who hail from an array of diverse cultures and backgrounds. 

Since then, the issue of diversity in cybersecurity has taken on renewed urgency as hacking threats continue to evolve and the global cyber skills shortage shows no sign of letting up. Camille Stewart Gloster, the White House’s newly appointed Deputy National Cyber Director for Technology and Ecosystem Security, put it well last week at a cyber workforce summit: 

“If we don’t invest in diversifying the workforce – in identifying voices that are not heard in the work – it impacts not only our workforce shortage and our ability to meet the demands on cybersecurity careers; it affects the efficacy of the work we are doing,” she said, calling it an “imperative to invest in diversity.”

In the world of offensive security and penetration testing, we have our work cut out for us. Red teams have traditionally lagged behind other cybersecurity arenas in terms of accessibility, diversity and equity. 

It’s high time to change that, and it will take all our collective ideas to do so. At The Diana Initiative, we hope we can inspire you to pursue your own programs for removing barriers to create a more inclusive community of cybersecurity professionals. And for those who may want to join the Artemis Red Team to see firsthand what we’re all about, we’ll be eager to meet you. 

See you in Vegas! Follow us on Twitter @ArtemisRedTeam and our hashtag #womenofthehunt.

The post Diversity as a Cybersecurity Imperative – Synack at the Diana Initiative appeared first on Synack.

Two highly anticipated cybersecurity events last week drew us to the Bay Area and the Capital Beltway: The RSA Conference in San Francisco and the Gartner Security and Risk Management Summit in National Harbor, Md.

Synack had both coasts covered, and we were delighted to reconnect with so many of our customers, partners and colleagues. We showcased how our unique pentesting experience can find the vulnerabilities that matter, keeping urgent threats at bay while bridging the cybersecurity talent gap.

We also brought the party! From rocking out to a Journey cover band in San Francisco to sipping margaritas while soaking in the lights of National Harbor’s famous Ferris wheel, here are some highlights from the two in-person events:

Journey by the Bay 

San Francisco, we missed you! 

The last time Synack hosted RSA attendees at Moscone Center neighbor, Fogo de Chão, was in February 2020, the COVID pandemic had yet to upend life in the U.S. “Zero trust” was just beginning to be a buzzword, and many federal agencies were facing deadlines to develop their first-ever vulnerability disclosure policies. 

What a journey it’s been. After a two-year hiatus and a COVID-related shuffle from its original dates in February 2022, RSA finally came back to the city by the bay bearing the theme, “Transform.”

We were ready to make our own triumphant return to Fogo de Chão, just 98 steps from the conference in Moscone Center. Our “Journey by the Bay” experience kicked off early on Tuesday, June 7, with a breakfast panel celebrating women in cybersecurity. (Read more about the inspiring event here.) 

The discussion highlighted Synack’s Inclusive company value: “Diversity is at the core of what we do at Synack, and it’s made its way into our culture as well,” Synack Chief Marketing Officer Claire Trimble said at the breakfast. 

During the day, RSA attendees stopped by to see Synack in action, discovering how we are bridging the talent gap with on-demand security talent from our elite Synack Red Team. We showed off our On-Demand Security Testing Platform, which gives organizations a central view of all pentest assessments and offers easy-to-digest reports and metrics to track progress over time (and meet compliance requirements). And we highlighted Synack’s wide-ranging contributions to the cybersecurity media landscape through the README news site, the weekly Changelog newsletter and the We’re In! podcast.

As RSA let out and the lights went down in the city, we hosted Journey tribute band Forejour, who played hits like Don’t Stop Believin’ and Any Way You Want It. Our guests enjoyed more than a few rounds of caipirinhas – not to mention Fogo de Chão’s legendary barbecued meats. 

On Wednesday morning, Synack CTO and co-founder Mark Kuhr led a breakfast discussion on “A Better Way to Pentest,” demonstrating how Synack combines the best of human intelligence and machine intelligence to offer a peerless pentesting experience.

As the conference started to wind down, we gathered for one last happy hour to toast to a successful event. We also streamed Game 3 of the NBA Finals to (mostly) cheer on the Warriors.

Throughout the week, guests had the chance to get to know many of Synack’s sponsors, including Accenture Federal Services, Arkose Labs, AttackIQ, Bolster, Netography, Netskope and SynSaber. We’re grateful for their support and can’t wait to see them at future events! 

Embracing change at Gartner 

Meanwhile in National Harbor, the Gartner summit returned to an in-person format for the first time since 2019, highlighting the latest actionable research and advice for security leaders.

Wednesday saw Synack CEO and co-founder Jay Kaplan present on “Staying Secure in the Midst of a Talent Crisis.” Kaplan shared how he and Kuhr launched the company to help organizations struggling to find the right talent to fend off constantly evolving cyberthreats.

“We do things differently by leveraging a global crowdsourced network of highly vetted security researchers in over 90 countries to perform on-demand and continuous testing to discover every vulnerability that matters,” Kaplan said. 

As trends in digitization and automation drastically expand the attack surface visible to cyber adversaries, security systems and testing must change to keep up, he pointed out.

Organizations facing increasingly sophisticated threats “are being scanned every day—they just don’t get the report,” Kaplan said.  

That evening, Synack hosted a Fresh Air Fiesta at Rosa Mexicano, steps from the Gartner show floor at the Gaylord National Resort & Convention Center. Over margaritas and massive bowls of guacamole, we met with customers and made many new connections. 

Between the two major infosec events, it was an epic week for all of us at Synack. We’d like to thank everyone who joined us or followed along on social media! 

The post A Tale of Two Conferences: Synack Stood Out at RSA and Gartner appeared first on Synack.