Virtual edition, September 30th and October 1st 2021


BSides is a community-driven framework for building events for and by information security community members. It's not the usual conference.


It is an intense day with discussions, demos, and interaction from participants. It is where ideas for the next-big-thing are born. It's where you can build lasting connections.


The goal is to create opportunities for individuals to participate in an atmosphere that encourages collaboration and spontaneous conversations.



All times shown are in the CET timezone

Thursday, September 30th


Welcome Day 1
BSides Barcelona Team
Track Sagrada Familia


Keynote: Implementing privacy and democratic digitalisation strategies for education and other institutions
Simona Levi
Track Sagrada Familia


Swaroop Yermalkar
Track Sagrada Familia
Artëm Tsvetkov
Track Arc de Triomf


Imdadullah Mohammed, Shiv Sahni
Track Sagrada Familia
Len Noe
Track Park Güell
Johan Loos
Track Arc de Triomf




Daniel Monzón
Track Sagrada Familia
Rahul Raghavan
Track Arc de Triomf


Closing Day 1
BSides Barcelona Team
Track Sagrada Familia

Friday, October 1st


Kim Kip Trujillo
Track Montjuic


Welcome Day 2
BSides Barcelona Team
Track Sagrada Familia


Round Table: Cyber security skills for high tech companies: talent acquisition, diversity and retention
Moderator: Rajvir Sandhu, Panelists: Maria Dillon, Lola Oguntokun, Marcin Hoppe, Martin Vigo
Track Sagrada Familia


Debangshu Kundu
Track Sagrada Familia
Sergey Chubarov
Track Park Güell
Jonah Bellemans
Track Arc de Triomf


Ali Abdollahi
Track Sagrada Familia
Mathieu Gaucheler, Liv Rowley
Track Park Güell
Josh Armitage
Track Arc de Triomf




Nil Ortiz Rabella, Albert Calvo
Track Sagrada Familia
Tal Melamed
Track Park Güell
Arnau Estebanell Castellví
Track Arc de Triomf


Closing Day 2
BSides Barcelona Team
Track Sagrada Familia

Rooting out security risks lurking in your kubernetes ecosystem

The goal of this workshop is to broaden awareness of how and why Kubernetes attacks and escapes work, and of the measures to secure clusters.

  • Starting from a brief tour of the Kubernetes ecosystem
  • Covering in-depth defense mechanisms for multiple critical resources
  • Then looking at cloud native threat modelling scenarios using the tool (demo)
  • Demo on a vulnerable and secured infrastructure with the tool
  • Demo on continuous monitoring and alerting techniques
  • Sharing the slides, playground setup and the tool with the audience
  • Questions and answers


  • Take home advanced actionable techniques to threat model and secure your kubernetes clusters.
  • A commercial grade open source tool for scanning and alerting for kubernetes security issues
  • A self hosted production grade kubernetes playground with pure kubernetes misconfigurations
  • A digital guide of the content presented

Vasant Chinnipilli

Vasant is a security enthusiast and speaker, currently working as a Security Architect and DevSecOps Practitioner.

His technical abilities span a wide range of technologies across various domains of information security including cloud and container security and penetration testing. He is keen about cloud and cloud native security, devsecops and security automation.

He is passionate about bridging the gap between the security and DevOps teams through finding effective ways to integrate security in the devops processes and allow security tools to flow freely through DevOps pipelines.

He is also the developer of Kubestriker, an open source, platform agnostic security auditing tool, specially designed to secure cloud native environments and tackle Kubernetes cluster security issues. This tool has been showcased in various conferences including Blackhat, Devseccon and DefCon.

The Spy in Your Mobile

Do you think it’s too difficult to spy on mobile phones considering OS security? Or are you already being watched by someone? Or do you suspect someone is trying to spy on you? Or do you know what happens when your mobile device gets lost? If you’re interested to get these answers, this talk is for you!

In this talk, I will be presenting my research made on various spyware functioning at the application level, OS level to analyze what it takes to spy on someone’s mobile. I will be also presenting an analysis of famous mobile hacks. This talk will discuss what are the prerequisites, attack vectors, various techniques used by attackers to spy on someone’s smartphone. I will be also presenting several researched spyware from the internet, the dark web, and social engineering techniques used by attackers for successful spying and data exfiltration.

Swaroop Yermalkar

Swaroop Yermalkar works as a Head of Cyber Security for HackerU (India) where he is responsible for training and managing the Red Teaming Program. Swaroop is the author of the book “Learning iOS Pentesting” and leads an open-source project, OWASP iGoat, which is developed for mobile security.

He has given talks and workshops at many security conferences including AppSec USA, AppSec Israel, DEFCON (AppSec Village), Kazhackstan, BruCON, SEC-T, EuropeanSec, Hacks in Taiwan (HITCON), GroundZero, c0c0n, 0x90, GNUnify.

Swaroop holds OSCE, OSCP, OSWP, CREST CRT certifications. Swaroop is also one of the top bug bounty researchers worldwide, working with Cobalt.io (https://app.cobalt.io/swaroopsy) and Synack Inc.

Check more about Swaroop at - https://swaroopsy.com/ or @swaroopsy.

Cybersecurity & The Board: Choosing success over the Sarlacc Pit

I regularly have conversations with cybersecurity leaders and experts across a range of industries. Recently on my Cyber Security Effectiveness Podcast, I’ve spoken with board members from several market-leading companies, in the public and private sectors, to understand their perspectives on cybersecurity.

These conversations demonstrate that board members are paying close attention to their organizations’ security programs — their approach and effectiveness and the impact on risk posture. Additionally, board members’ influence on the direction of a company’s security program has grown. As a result, IT leaders must report regularly that security technology, people, and processes are optimized to protect and defend the organization so that when a breach or attack does take place, it will have minimal impact on the brand and bottom line.


  • Understanding what boards really care about
  • Measuring and trending security effectiveness
  • Rationalizing - exposing gaps, retiring ineffective solutions, and prioritizing investments
  • Interpreting risk predicated on an intelligence-led approach to security
  • Communicating effectively

Brian Contos, VP & CISO, Mandiant Advantage

Brian is a seasoned executive, board advisor, and serial entrepreneur with 25+ years in the cybersecurity industry. After getting his start in security with the Defense Information Systems Agency (DISA) and later Bell Labs, he began the process of building security startups and taking multiple companies through successful IPOs and acquisitions, including Riptech, ArcSight, Imperva, McAfee, Solera Networks, Cylance, JASK, and Verodin. Brian has worked in over 50 countries across six continents. He has authored several books, his latest with the former Deputy Director of the NSA and speaks at events globally such as Black Hat, RSA, & Interop. Brian writes for Forbes Magazine and is often interviewed by the media. He was recently featured in a cyberwar documentary alongside General Michael Hayden, the former Director of the NSA and CIA.

Attacking Secrets in Cloud-based Applications

The talk will briefly review a typical cloud-based application deployment, and then talk about the different ways for provisioning cloud secrets, such as tokens and access keys, and finally discuss various attack vectors for extracting and abusing those secrets.

Artëm Tsvetkov

The art of Securing Webviews and a story behind CVE-2021-21136

Webview: an in-app web browser created to ensure a seamless user experience without context switching between the browser and the mobile application. It allows developers to display web content directly in their mobile application and supports code reuse; as a result, Webviews are extensively used in current mobile application development.

Through this presentation, we would talk about the common Webview related security issues and the techniques to prevent those security issues and make the mobile applications secure and robust. We would be talking about the following common security issues and their prevention:

  • Insecure Deeplink implementation
  • Insufficient URL validation
  • Insufficient Webview hardening
  • Lack of Webview isolation
  • Unintended data leakage via misconfigured Webview

In the later part of the presentation, we would talk about the story behind getting the Chromium CVE-2021-21136 (https://bugs.chromium.org/p/chromium/issues/detail?id=1038002), a security issue in Android Webviews that leads to leakage of sensitive data such as users’ auth tokens and shared secrets to a third party.

Imdadullah Mohammed

Imdadullah Mohammed is currently working as a Security Engineer with Grab, Singapore. He has extensive experience in performing end-to-end security assessments of Web Applications, Web services, Thick Client, Mobile Application, IoT device & Network. Also as a security engineer, he has been responsible for secure code reviews, reverse engineering security training, implementation of security standards, and various other application security initiatives.

Shiv Sahni

Shiv Sahni is currently working as a Senior Associate with JP Morgan Chase, Singapore. He’s one of the contributors in the OWASP MSTG project and is also the author of a whitepaper titled ‘The Grey Matter of Securing Android Applications’. Shiv has worked as a guest lecturer for the ‘Post-Graduation Diploma Cyber Security’ (PGDCL) course at the University of Delhi. His credentials include OSCP, CREST-CRT, CREST-CPSA, AWS-CSA, ISO 27001-LA, and a Gold Medal from the University of Delhi for outstanding academic performance. His research has identified multiple vulnerabilities in organizations including Google, Microsoft, Intel, ING Bank, Sony, Stack Exchange, and AT&T. Apart from working on penetration testing projects, he has also worked on various assignments to left shift security in SDLC and has trained over 200 people in application security.

TLS Private Key Recovery

RSA is one of the most commonly used algorithms for providing confidentiality, integrity and authenticity of digital information. RSA is used to secure web traffic up to TLS 1.2. Today, web servers have a certificate which protects the traffic between the web server and the client browser. This certificate contains a public key of 1024 or 2048 bits. But what will happen when the key material of the certificate is not correctly generated? Are you still sure that traffic is protected and cannot be compromised?

Johan Loos

Does Serverless Means Harmless?

When adopting serverless technology, we eliminate the need to develop a server to manage our application and by doing so, we also pass some of the security threats to the infrastructure provider. However, serverless functions, even without provisioning or managing servers, still execute code. If this code is written in an insecure manner, it can still be vulnerable to traditional application-level attacks.

In this talk, we will examine the differences in attack vectors, security weaknesses, and the business impact of successful attacks on applications in the serverless world, and, most importantly, how to prevent them. As we will see, attack vectors and prevention techniques are completely different from the traditional application world.

Tal Melamed

With over 15 years’ experience in security research and engineering - Tal possesses an unprecedented understanding of the Application and Serverless Security landscape. Most recently Tal co-founded CloudEssence, a cloud-native security technology company that enables organisations to extend security observability to applications developed in cloud-native architectures. CloudEssence was acquired by Contrast Security in 2021. Previous to CloudEssence, Tal was head of security research at Protego Labs, a Serverless security start-up that was acquired by Check Point.

Tal currently leads Contrast Security’s new innovation centre in Israel and teaches at the cybersecurity master’s program at Quinnipiac University. He is also an AWS Community builder and an OWASP leader, where he evangelizes serverless security to the community, leads several Open-Source projects including OWASP Serverless Security Top 10 and DVSA (an insecure-by-design serverless app for training purposes) and trains hundreds of developers and security teams around the world.

How to beat application DDoS attacks with CrowdSec & Cloudflare

Distributed Denial-of-service (DDoS) attacks have been targeting all types of businesses over the past few years. They have been used by hackers for quite some time and are some of the most common attacks but remain extremely efficient and harmful. The concept is simple: hackers hammer a given target from many different locations to take it down (and usually ask for money afterward as a condition to stop the attack).

E-commerce sites are one of the usual victims: an e-commerce site down is a site that isn’t making money. There are many ways and tools to perform this kind of attack and many layers of defense, but today we will focus on application (layer 7) distributed denial of service, L7 DDoS in short.

In this talk we will discover how CrowdSec can be leveraged to provide an effective countermeasure against L7 DDoS attacks on websites protected by Cloudflare. This is done by combining the powers of CrowdSec with the Cloudflare API to filter away malicious connections in an effective (and free!) manner.

Klaus Agnoletti

Klaus has been working professionally in infosec since 2004. In the later years of his infosec career he worked primarily as a security advisor in various shapes and forms. After many years of actively engaging with the local infosec community in Copenhagen, Denmark, he decided to go all in on the infosec community and started at CrowdSec, where one of his roles is to spread the word on CrowdSec and help draft more users. Speaking at BSides Barcelona is a great way to do just that!

Atomistic Internet of Things (IoT) Penetration Testing Methodology

Although there are more than 50 billion Internet of Things devices, there is not much information online on how to test them for security vulnerabilities. Companies are starting to add more and more intelligent devices to their internal networks, and that opens the room for a new era of security incidents we have not yet seen. During the talk, I will explain why there is not much information about IoT pentesting and define a pentest methodology based on my research and the research available online. I’ll combine the methodology with a checklist to be used by pentesters to make sure nothing is left behind when performing IoT pentests. This is meant to be the starter pack used by any company willing to get IoT security testing capabilities.

Arnau Estebanell Castellví

Chances and Challenges of Machine Learning in Cybersecurity

Artificial Intelligence, Machine Learning, Deep Learning - these terms are often used interchangeably and for marketing purposes. If we were to believe some of the colorful marketing claims, machine learning could solve many problems that cybersecurity has been struggling with, such as detecting new and unknown attack attempts and automatically taking defensive measures before any harm is done. By understanding how machine learning actually works, we will be able to understand why it is no silver bullet for cybersecurity but only yet another tool with its own strengths and weaknesses. The talk will explain the basic principles of machine learning and show scenarios and tools where it can be applied for cybersecurity. The challenges and dangers of machine learning will also be considered: how attackers can target machine learning algorithms or use machine learning for their own malicious purposes.

Claudia Ully

Using policy delay to gain RCE and to execute Ransomware to infection victim machine

The purpose of this presentation is to execute several efficiency and detection tests on our endpoint solution, presenting the results of a defensive security analysis performed with an offensive mindset. The first objective was to simulate targeted attacks using invasive techniques such as DLL injection, using a payload created by msfvenom (based on the Metasploit platform) and using PowerView, a PowerShell tool to gain network situational awareness on Windows domains.

It contains a set of pure-PowerShell replacements for various Windows “net *” commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality. It also implements various useful metafunctions, including some custom-written user-hunting functions which will identify where on the network specific users are logged into. It can also check which machines on the domain the current user has local administrator access on. Several functions for the enumeration and abuse of domain trusts also exist. See function descriptions for appropriate usage and available options. For detailed output of underlying functionality, pass the -Verbose or -Debug flags.

As a second test, the idea was to use shell injection using payloads created via msfvenom, based on PowerView as well, using the same strategy as the first test; this cmdlet can be used to inject a custom shellcode or Metasploit payload into a new or existing process and execute it. As a third test, we used a tool known as Remote DLL Injector from the SecurityXploded team to perform DLL injection; it uses the CreateRemoteThread technique and has the ability to inject a DLL into ASLR-enabled processes. The process ID and the path of the DLL are the two parameters that the tool needs, using a payload created by msfvenom. The fourth test was to download ransomware directly onto the victim’s machine using a PowerShell script and execute it, exploiting the policy delay. Finally, the last test consisted of running a stress test using a Python script with daily malware samples, provided by MalwareBazaar on request via API access, and at the same moment running the PowerShell script to download ransomware directly onto the victim’s machine.

Filipi Pires

I’ve been working as Principal Security Engineer at Talkdesk and Security Researcher at senhasegura. I’m a Hacking is NOT a crime Advocate and Red Team Village Contributor. I’m part of the staff team of DEFCON Group São Paulo, Brazil, and an international speaker at security and new technologies events in many countries such as the US, Canada, Germany, Poland and others. I’ve served as a university professor in graduation and MBA courses at Brazilian colleges. In addition, I’m the creator and instructor of the courses Malware Attack Types with Kill Chain Methodology (PentestMagazine) and Malware Analysis - Fundamentals (HackerSec).

Biohacker: The Invisible Threat

Biohackers exist and walk among us. Most security professionals would not allow users into their environment with offensive security tools. How do you address individuals who have surgically implanted such devices into their bodies?

I have multiple sub-dermal implants that range from NFC, HID/Prox and RFiD devices. This allows me to become the attack vector. In this talk, I provide a brief overview of the types of bio-implants on the market and share various case studies on the potential damage malicious biohackers can inflict.

I also demonstrate how I am able to quickly compromise loosely connected devices and open a reverse TCP Shell to a CnC server through my attack [email protected] in under three minutes.

Finally, I show how I steal HID Proximity Card Data and write that back to the implant. This avoids any physical evidence of a breach. This also allows me to gain access to data as well as physical access to secured locations.

As security professionals, we must anticipate the unknown. These include any individuals that enter our facilities or are simply around us in public. These types of attacks are becoming more common. A majority of the security community is not aware they exist. Discussions on what was once thought to be science-fiction are now science fact.

Through continuing education on phishing and social engineering attacks, tightening MDM restrictions, endpoint management, behavioral analytics, least privilege and privileged access, we can take preventive measures around the threats we can’t see.

Len Noe

Len Noe is a White Hat Hacker and Global Enablement Engineer for CyberArk Software. Together with the CyberArk Global Enablement Engineering team, they are responsible for enabling internal staff and the starting point for escalation for all SEs in the field. They are responsible for the global templates used by all SEs and partners, building new integrations, and use cases for all engineers. Len is an international security speaker who has presented in over 20 countries and at multiple major security conferences worldwide. Prior to 2001 Len was a Black/Grey Hat Hacker and learned most of his skills by practical application. Len is on the cutting edge of technology through multiple microchip implants allowing him to become the attack vector against mobile and loosely connected devices. Len has spent 20 years in the areas of web development, system engineering / administration, architecture, coding, and the past 6 years focusing on information security from an attacker’s perspective. He also actively participates in the activities of the Information Security Communities in Texas, the Autism Society, and many others.

To the docs and beyond!

On the journey to explore some non-traditional attack vectors, I picked up developer documentation as a possible attack vector. Why Developer Docs? It provides a holistic reference of the platform/feature to the end-user, be it a developer, hobbyist, or a hacker like me! Also, almost every IT company out there has a documentation of some form or the other, making this a juicy and widespread attack surface. Well No! Just the presence of documentation itself doesn't guarantee any vulnerabilities, but instead, gaining a deep understanding of the feature or product through a thorough read of the docs followed by hand-picking possible issues is the art here. The main idea behind this talk is to leverage documentation to aid exploitation of security vulnerabilities. It goes through four individual security issues that I've discovered through the said approach.

The first issue deals with the improper usage of blacklists (i.e., a list of all non-permissible entities) to prevent Cross-Site Scripting (XSS) and how I bypassed it with the help of developer documentation.

The next issue talks about two security misconfigurations (i.e., incorrect system configurations) in the Slack instance of a company. Slack, which is already known for its granular security controls, leaves ample space for human errors and hence generates security flaws.

The Third Part of my talk is about the AEM (Adobe Experience Manager) Querybuilder Framework and how to leverage data exfiltration just via Adobe's developer documentation of the same. Rather than relying upon automated tooling, learn how docs help us in building handcrafted payloads and even how to combine them to gain maximum leverage out of AEM Querybuilder and score a critical bug!

The Fourth issue brings about the possible risks of incorrectly exposing a staging API without authentication. The finding presents an exposed Swagger UI, which is an open-source GUI representation for documenting underlying REST APIs. Upon exploration of the same, three critical security issues were uncovered: the first being a Local File Read, the second a Local File Write, and the third a Local File Delete, all without the need for any user authentication or credentials.

Last but not the least, a bonus finding briefing about missing CORS policies, possibly usable to steal user specific information via XML HTTP Requests (XHR).

Finally wrapping it up with some key takeaways, helpful to keep in mind while building and breaking web applications.

Debangshu Kundu

I am a bug-bounty hunter, boring documentation reader and 2x MVP on Bugcrowd. Love finding flaws and misconfigurations in CMSes, AEM being my favourite.

Offensive Azure Security

These days, working with a cloud platform is already commonplace. Companies choose Microsoft Azure for a number of benefits, including security. But there is some responsibility on the customer side, and that may become the weakest link in the chain.

A demo-based session shows attacks on the weakest link in 3 scenarios: Hybrid Active Directory, Legacy VM-based application and Modern Application.

The session includes:

  • Pentesting Azure AD Connect
  • Bypassing authentication & MFA
  • Getting control over Compute
  • Extracting secrets from Key Vault
  • Getting Access to App Service and Azure SQL Database
  • Exploring Azure Web App Firewall

Sergey Chubarov

Sergey Chubarov is a Security and Cloud Expert, Instructor with 15+ years’ experience on Microsoft technologies. His day-to-day job is to help companies securely embrace cloud technologies.

He has certifications and recognitions such as Microsoft MVP: Microsoft Azure, Offensive Security Certified Professional (OSCP), Microsoft Certified Trainer, MCT Regional Lead, EC Council Instructor (CEI) and more.

Frequent speaker at local and international conferences.

Smart Home Devices: Assets or Liabilities?

Over the past few years, the global market share of Smart Home devices has been growing strongly, and it is forecast to keep enjoying increasing growth for the foreseeable future. This explosion of devices on the market has caused many companies to push out their products for highly competitive prices at a rapid pace.

Even though these home automation devices often offer a wealth of interesting and exciting features, there is no easy way for consumers to assess their security at the time of their purchase. Just like the demand for smart home devices has spiked, so has the amount of media coverage on data breaches, privacy violations or security issues associated with these devices.

At the time of writing, the European Union Agency for Cybersecurity (ENISA) has published several guidelines for manufacturers to assist them in securing their Internet of Things (IoT) products, which these Smart Home devices are a part of, but binding regulations do not exist. Due to how closely these devices are tied into our daily routines and living spaces, they are a tempting target for malicious actors, posing a serious security risk.

When buying an off-the-shelf solution in an (online) shop, the consumer generally expects devices to hold up against a baseline of security and privacy expectations, but has no way of verifying if this is indeed the case. This research assesses the current state of the market by taking a closer look at the security and privacy implementations of a range of devices currently available in popular stores and online shops. Furthermore, I’ll investigate a potential need for binding regulations and formulate some recommendations on how these IoT devices can be tested and regulations can be enforced.

Jonah Bellemans

I am a consultant for NVISO Security with a passion for cyber security and ICT & privacy law. Trying to bridge the gap between law and engineering, I am currently following an additional Master’s degree in ICT & IP Law at KULeuven. I am a licensed ham radio amateur with call sign ON5AD. I am aiming to one day obtain a private pilot’s license.

Privacy and Safety of NB-IoT Devices

With the widespread use of technology in daily life, as well as the need for society to use techniques to enhance work, the IoT definition and technology has developed. Today, the use of this technology is prevalent in various sectors, such as agriculture, IT, transport, etc.

Major privacy issues in IoT include authentication, identification, and device heterogeneity. After studying many threats and risks that have harmed this technology, experts have recognized the different factors such as sending plain text data, the potential to break into dashboards of management, authentication mechanism vulnerability, and so on.

In order to implement this technology in a safer and faster context, a new technology based on mobile cellular network called Narrowband Internet of Things was developed. This technology operates in the fourth mobile network generation and uses the relevant elements in these networks.

In this research, an effort has been made to investigate the vulnerabilities in these networks, especially in the radio field, which is the most accessible subnet. To conduct this research, open-source tools such as OpenLTE and SDR were used in an environment where the NB-IoT sensors were active in an LTE network. A listening device to receive exchanged messages was implemented. A catcher to receive the transmitted values of IMSI-based devices, which are considered active subscribers, has been set up. After this scenario, using a rogue eNodeB, TAU messages are sent to NB-IoT sensors.

A finding from this experiment shows that the sensors were disabled due to lack of connection to the cellular network.

Ali Abdollahi

Ali Abdollahi is an information security consultant with over 8 years of experience working in a variety of security fields. Currently the cyber security division manager, Board of review at Hakin9, Pentest & eForensic magazine and instructor at eForensic magazine. Ali is a self-confessed bug hunter, publisher of many vulnerabilities and CVEs, and author of two books and some articles in the field of cyber security. Ali is a regular speaker at industry conferences.

Kicks & chips: an investigation into scalper bots!

Reseller bots are programs designed to automatically buy a large amount of an exclusive item. The aim of many of the users of these bots is to buy a large quantity of highly sought items — which often sell out within a matter of minutes — and resell them at a higher price for profit. This phenomenon has taken on several iterations over the years, from ticket bots to sneaker bots; following the recent shortage of GPUs used for video games and cryptocurrency mining, similar bots have been made to snatch up products from brands such as Nvidia and AMD in the past year. Such bots can be easily found for sale or for rent on the internet.

We will examine several aspects of this reseller bot world. First, we will dissect how these bots work as well as the individuals — both programmers and sellers — behind them. We will review the products targeted by these bots and detail trends in the different products the bots are designed towards obtaining over the past few years. We’ll take a look at the money behind these bots as well, profiling several different bots available to consumers and spotlighting their prices and plans. Lastly, we will focus on who are the typical users of these bots, exploring both the bulk resellers as well as individual enthusiasts looking to get their hands on exclusive products.

Mathieu Gaucheler

Mathieu Gaucheler is a subject matter expert at Maltego. His responsibilities include research-driven content development for blog posts, webinars, and talks. He started working in cybersecurity in Barcelona, focusing on malware analysis and sandbox development. He has previously presented his research at BotConf and RSA APJ.

Liv Rowley

Liv Rowley is a Subject Matter Expert at Maltego where she conducts research into various cybersecurity threats. Liv has several years of experience working at threat intelligence companies in both the US and Europe. Much of her research has focused on threats originating from the cybercriminal underground as well as the Latin American cybercriminal space.

Red Teaming AWS: Practice What You Preach

Building a culture of security is a journey that never ends, but this is a story of how one started. In a previous life working at a Cloud Native consultancy, we were experts on software delivery, but security was a skillset we rapidly needed to grow and cultivate.

To that end we conducted a surprise red team exercise targeting our AWS environment, by:

  • Planning a fake company day and making an unannounced assault on our infrastructure
  • Tapping communication lines so we could maintain a steady level of challenge
  • Driving all actions through our most junior members
  • And having a lot of fun

Learn how we built an enduring security culture that continues to grow and mature, and has become part of the company folklore. Culture is shaped through action not rhetoric, and if you want to truly unlock DevSecOps there are few ways better than this.

Josh Armitage

Known for a booming voice and distinct lack of a sense of humour, Josh works as a consultant after spending time with everything from mainframes to machine learning and Kubernetes. Having split his life half in the UK, half in Australia, he’s now back in London helping regulated enterprises embrace lean software development, cloud native architectures and team happiness as a true north metric.

AI+CTI=(Open)UEBA - An Equation That Works

The OpenUEBA framework implements a behaviour-based detection approach to analyse the behaviour of users and entities, aligning them to known threats and latent variations determined from Threat Intelligence sources. The framework delivers a risk support tool allowing the technician to make the attack surface of users and entities preventing threats.

This project arose from the TDA Ciberseguretat challenge proposed within Smartcatalonia from the Generalitat of Catalunya with the Agency of Cybersecurity of Catalunya. The project will be implemented and validated within the environment of the public local administration and the University of Lleida.

Currently, all similar projects are black-box private solutions; OpenUEBA will break the current paradigm by providing an agnostic open source solution, bridging the distance between the AI and cybersecurity realms.

In this talk, we will discuss the following points:

  • What’s the project and who’s behind it
  • Introduction of UEBA analysis
  • CTI (cyber threat intelligence) applied to behavior analysis
  • Contributing from the community
  • Next steps

Nil Ortiz Rabella

Nil Ortiz is a computer engineer with a master’s degree in cybersecurity and knowledge of AI and data science. He has extensive experience working on incident response and leading threat intelligence teams across multiple countries in Europe, is also involved in multiple Horizon 2020 R+D+i projects, and is registered as an expert within the European Commission. He holds the role of solution architect and development lead within the openUEBA project.

Albert Calvo

Albert Calvo is a computer engineer who holds a master's degree in innovation and research in Informatics. Currently, he is an AI research engineer contributing to several Horizon 2020 R+D+i projects and a PhD candidate at UPC University researching novel AI techniques for Cybersecurity.

Hacking Kubernetes 101

Kubernetes is the most popular container orchestrator today, with a huge increase in its use in enterprises in 2020. However, there is a great lack of knowledge about how to attack and how to secure a Kubernetes environment. Companies like CapitalOne and Tesla have recently suffered attacks for not having their Kubernetes environments secured. In this talk we will see from the basic concepts of this technology, to practical cases of attacks on clusters.

Daniel Monzón

I’ve been messing around, finding bugs, and learning about cybersecurity for a few years now. These days I’m learning and trying out curious attack techniques on cloud environments and containers. Some of the certifications I currently hold are: OSCP, OSWP, CRTP, eMAPT, CREST CRT and CREST CPSA. I post from time to time on my blog https://stark0de.com and nowadays I am preparing for Offsec’s AWAE course.

The Clutter That's Choking AppSec

“With more Tools, come more Vulnerabilities” – every Security Engineer

In the age of DevSecOps, Shift-Left security strategies and automated tooling, an application security program is only as efficient as the rate at which vulnerabilities are managed. But with increasing demands on faster product go-to-market, automation technologies, diverse technology stacks and the ever-growing demand for skilled appsec engineers, product leaders are at the crossroads of Scale and Efficiency.

Have we as the security community paused to take a look at the silently growing clutter that’s choking even the well-thought-out application security programs? In this talk, I delve into the lowest common denominator of application security – The Vulnerability – and look at how vulnerabilities at scale cause a disproportionate throttle on appsec efficiency.

What’s going wrong?

  • Results from SAST, DAST and SCA tools create large vulnerability data sets that are difficult to act upon
  • Automated scan results from security tools are replete with false positives and duplicate entries that make remediation troublesome
  • Manual methods of triaging vulnerability data sets are inefficient and lower productivity
  • Improper vulnerability management increases friction between security and engineering teams

What the audience will take away at the 46th minute

  • How methods of vulnerability correlation and de-duplication can significantly reduce appSec assessment and remediation time
  • How to effectively integrate vulnerability remediation with the engineering workflow
  • Understand the basic anatomy of a vulnerability to effectively prioritize and fix security bugs faster and better!

Who would gain the most from the talk

  • Security professionals who face problems managing vulnerabilities whilst dealing with more than one high priority item at the same time
  • Engineering (Developer) teams who find the current vulnerability remediation workflow problematic
  • CISOs who want to lay down a mature and efficient AppSec Program

Rahul Raghavan

The sheer pervasiveness of applications, their associated software engineering process and therefore the variance of application security quotient across software teams is what drives my primary role as an AppSec Advocate at we45.

Having worked on both the building and breaking sides of product engineering, I have learnt to appreciate both the constraints and the opportunities of imbibing security within the software lifecycle. This understanding created a natural segue for my work in custom security solution engineering and enhanced AppSec service delivery models for our global customers.

De-Google your Smartphone

It’s no secret that Google is an advertising company. The nature of the relationship between Google and its users is a privacy-invasive one. Targeted advertising is growing more lucrative as our location, health information (smartwatch telemetry...), and browsing habits are all ingested by the Google engine for later monetization.

Step outside your comfort zone and try out a smartphone without Google apps. Bonus points if you can continue life with only the apps in the bundled app store, F-Droid.

Kim Kip Trujillo

Kim is a maker and hardware hacker. She lives life de-googled and is a visitor from the USA.

BSides Barcelona Gives Back

Every year we donate a % of what we receive from leading sponsors. We have supported the following organizations so far:


Your friendly autonomous tech collective since 1999!

Tor Project

Defend yourself against tracking and surveillance. Circumvent censorship.


CryptoRave is a 24h event inspired by the international movement of CryptoParties, a collective effort to spread the fundamental concepts of privacy and Internet freedom and the use of digital security tools, that happens annually in Sao Paulo, Brazil, at the beginning of May.


European Digital Rights (EDRi) is an association of civil and human rights organisations from across Europe.

The BSides Barcelona team