PS Product Security Knowledge Base

🎤 Curated Conference Talks, 2021–2025: AppSec, DevSecOps, Cloud Security, and Product Security

Intro: This page is a curated watchlist for engineers and Product Security leads who want high-signal conference content instead of endless playlists. It emphasizes talks that help you reason about program design, cloud attack paths, software supply chain risk, modern AppSec, and detection/response.

Selection rule for this page

  • prioritize talks with a stable official event page or official archive page;
  • prefer talks with directly reusable ideas for the KB: design patterns, lessons learned, attack paths, control models, or detection thinking;
  • if the event only reliably exposes a schedule or archive page, pair the talk with the best available official archive reference.

How to use this page

Read this page in one of three ways:

  1. manager / lead track: start with talks about Product Security, AppSec program design, and the DevSecOps operating model;
  2. platform / cloud track: start with cloud attack paths, logging, detection, and supply chain talks;
  3. developer enablement track: start with AppSec foundations, API security, threat modeling, and secure coding dojo material.

Curated top talks and sessions

# | Talk | Speaker(s) | Year | Venue | Why it is valuable | Official page
1 | The Convergence of AppSec, Cloud Security and DevSecOps | Abhay Bhargav | 2023 | RSA Conference USA | One of the clearest talks for understanding why many AppSec teams evolve into Product Security teams. Useful for role design and cross-domain skill planning. | https://www.rsaconference.com/Library/presentation/USA/2023/The%20Convergence%20of%20AppSec%20Cloud%20Security%20and%20DevSecOps
2 | The Application Security State of the Union | Chris Romeo | 2023 | RSA Conference USA | Strong overview of AppSec program direction, tooling saturation, and what a "future-proof" AppSec strategy should emphasize. | https://www.rsaconference.com/library/presentation/usa/2023/the-application-security-state-of-the-union
3 | Running in the Shadow: Perspectives on Securing the Software Supply Chain | Jessica Lyons, James Higgins, Dan Lorenc, Camille Stewart Gloster | 2023 | RSA Conference USA | Useful for leadership and engineering alignment because it covers supply chain security from developer, executive, and policy angles. | https://www.rsaconference.com/library/presentation/usa/2023/running-in-the-shadow-perspectives-on-securing-the-software-supply-chain
4 | Exploiting Vulnerabilities and Flaws to Attack Supply Chain | Ilay Goldman, Yakir Kadkoda | 2023 | RSA Conference USA | Practical look at supply-chain attack paths across IDE, SCM, package managers, and CI/CD. Valuable for attack-chain mapping. | https://www.rsaconference.com/library/presentation/usa/2023/exploiting-vulnerabilities-and-flaws-to-attack-supply-chain
5 | Implement ZeroTrust with Dedicated DevSecOps Pipeline | Kayra Otaner | 2023 | RSA Conference USA | Useful because it challenges the "everything in one pipeline" assumption and explains why separate security-control paths sometimes reduce friction. | https://www.rsaconference.com/library/presentation/usa/2023/decoupling-devsecops-from-cicd-pipelines
6 | DevOps is Now DevSecOps | Mike Rothman | 2023 | RSA Conference USA | Good trend-oriented session for understanding why DevSecOps became mainstream and which organizational shifts matter most. | https://www.rsaconference.com/library/presentation/usa/2023/devops-is-now-devsecops
7 | A Journey in Building an Open Source Security-as-Code Framework | Aakash Shah | 2023 | RSA Conference USA | Valuable for infrastructure security teams moving from static checks to reusable security-as-code. | https://www.rsaconference.com/library/presentation/usa/2023/a-journey-in-building-an-open-source-security-as-code-framework
8 | Securing the Modern Application: From Code to Infrastructure | Boaz Gelbord | 2024 | RSA Conference USA | Good high-level framing for the modern application attack surface: APIs, bots, DDoS, and code-to-cloud thinking. | https://www.rsaconference.com/library/presentation/usa/2024/securing-the-modern-application-from-code-to-infrastructure
9 | The End of DevSecOps? | DJ Schleen | 2024 | RSA Conference USA | Useful because it argues security should be treated as an engineering quality attribute, not a parallel bureaucracy. | https://www.rsaconference.com/library/presentation/usa/2024/the-end-of-devsecops
10 | Protect that Money Maker: Product Security Patterns and Practices | Stirling Goetz, Geoffrey Hill | 2025 | RSA Conference USA | One of the strongest talks in this list for Product Security managers building a product-focused operating model. | https://www.rsaconference.com/Library/presentation/USA/2025/Protect%20that%20Money%20Maker%20Product%20Security%20Patterns%20and%20Practices
11 | From Good to Great, the Foundations of Application Security | Shannon Lietz | 2025 | RSA Conference USA | Strong foundations talk for helping developers and security teams connect threat modeling, secure coding, and secure release criteria. | https://www.rsaconference.com/library/presentation/usa/2025/from-good-to-great-the-foundations-of-application-security
12 | The AppSec Playbook: Building World-Class Security from Scratch | David Kosorok | 2025 | RSA Conference USA | High-value for anyone building or rebuilding an AppSec program with business alignment in mind. | https://www.rsaconference.com/library/presentation/usa/2025/the-appsec-playbook-building-world-class-security-from-scratch
13 | Purple Teaming & Adversary Emulation in the Cloud with Stratus Red Team | Christophe Tafani-Dereeper | 2022 | DEF CON 30, Cloud Village | Excellent practical session for cloud detection engineering and continuous validation of alerts using adversary emulation. | https://www.cloud-village.org/dc30
14 | Security Logging in the Cloud, Trade-Offs to Consider and Patterns to Maximise the Effectiveness of Security Data Pipelines | Marco Mancini | 2023 | DEF CON 31, Cloud Village | Highly relevant for detection, logging architecture, and data-pipeline cost/visibility trade-offs in public cloud. | https://www.cloud-village.org/dc31
15 | Catch Them All! Detection Engineering and Purple Teaming in the Cloud | Christophe Tafani-Dereeper | 2024 | DEF CON 32, Cloud Village | Great next-step talk after Stratus Red Team basics: threat-informed cloud detections, validation loops, and realistic telemetry. | https://www.cloud-village.org/dc32
16 | Exploit K8S via Misconfiguration .YAML in CSP Environments | Wooseok Kim, Changhyun Park | 2024 | DEF CON 32, Cloud Village | Useful for translating YAML and cluster misconfiguration into attacker paths and review checklists. | https://www.cloud-village.org/dc32
17 | GCPwn: A Pentester's GCP Tool | Scott Weston | 2024 | DEF CON 32, Cloud Village | Valuable for understanding attacker workflows in GCP and for turning those workflows into cloud review questions and detections. | https://www.cloud-village.org/dc32
18 | Security by Design | Maximiliano Alonzo | 2024 | OWASP AppSec Rio de la Plata / OWASP Uruguay | A practical AppSec culture-and-design session useful for developer education and "secure-by-design" messaging. | https://owasp.org/www-chapter-uruguay/
19 | Deep Dive on API Security de cero a experto en 30 minutos (from zero to expert in 30 minutes) | Matías Ferreira | 2024 | OWASP AppSec Rio de la Plata / OWASP Uruguay | High-value API security talk for newcomers and reviewers who need a concise API-focused mental model. | https://owasp.org/www-chapter-uruguay/
20 | Modelado de Amenazas Aplicando STRIDE con Threat Dragon de OWASP (Threat Modeling Applying STRIDE with OWASP Threat Dragon) | Pablo Alzuri | 2024 | OWASP Uruguay Meetup | Useful because it links STRIDE to a practical Threat Dragon workflow instead of leaving it abstract. | https://owasp.org/www-chapter-uruguay/
21 | Secure Coding Dojo: El primer paso en el desarrollo seguro (the first step in secure development) | Gerardo Canedo | 2024 | OWASP Uruguay Meetup | Especially relevant to the KB learning track because it turns secure coding into guided practice rather than passive awareness. | https://owasp.org/www-chapter-uruguay/
22 | Introducción a la seguridad de aplicaciones, edición julio/agosto (Introduction to application security, July/August edition) | OWASP Uruguay community facilitators | 2023 | OWASP Uruguay Meetup Series | Valuable as a pattern for community-led beginner onboarding using OWASP Top 10 and Juice Shop style practice. | https://owasp.org/www-chapter-uruguay/
23 | Keynote: r00+ 0f 3/@ (Root of Evil) | Sergey Golovanov | 2024 | OFFZONE 2024, Moscow | Good case-study style keynote on the evolution of incidents and attacker motives. Useful as an executive and trend-setting opener for the conference pack. | https://offzone.moscow/eng/news/v-offzone-2024-prinyalo-uchastie-rekordnoe-kolichestvo-gostey/
24 | Security.Track / Trust in Tech archive set | multiple speakers | 2023 | Positive Hack Days 12, Moscow | The official PHDays 12 archive is useful as a source of cloud/AppSec/DevSecOps material and shows how strongly DevSecOps themes were represented that year. | https://phdays.com/en/archive/2023/
25 | OFFZONE 2024 technical agenda archive | multiple speakers | 2024 | OFFZONE 2024, Moscow | The official agenda is a good discovery source for practical offensive/defensive content, especially around incident investigation, modern detection, runtime, and technical security tracks. | https://2024.offzone.moscow/eng/program/

v4.3 add-on talks from InfoconDB and Russian technical conference programs and slide archives

These entries intentionally expand the page with talks that are especially useful for:

  • Kubernetes attack-and-defense thinking;
  • software supply chain and dependency trust;
  • API and mobile DevSecOps practice;
  • Russian-language technical material that still maps well to the KB.

# | Talk | Speaker(s) | Year | Venue | Why it is valuable | Reference
26 | Hands-on Kubernetes Attack & Defense Masterclass | multiple speakers | 2025 | DEF CON 33 | Strong hands-on workshop built around realistic misconfiguration-driven attack and defense paths, including privilege escalation, container escapes, lateral movement, and persistence. | https://infocondb.org/con/def-con/def-con-33/hands-on-kubernetes-attack-defense-masterclass
27 | K8sploitation: Hacking Kubernetes the Fun Way | multiple speakers | 2025 | DEF CON 33 | Useful offensive-to-defensive bridge for reviewers who want practical K8s exploitation tradecraft instead of only benchmarks and diagrams. | https://infocondb.org/con/def-con/def-con-33/k8sploitation-hacking-kubernetes-the-fun-way
28 | Spotter - Universal Kubernetes Security Scanner and Policy Enforcer | multiple speakers | 2025 | DEF CON 33 | Valuable because it frames unified policy scanning across CLI, CI/CD, admission, deployment, runtime, and monitoring using native Kubernetes concepts. | https://infocondb.org/con/def-con/def-con-33/spotter-universal-kubernetes-security-scanner-and-policy-enforcer
29 | Attacking Kubernetes | multiple speakers | 2024 | CanSecWest | Good practical survey of attacker workflows, including Leaky Vessels and Peirates, useful for threat-model refresh and review checklists. | https://infocondb.org/con/secwestnet/cansecwest-2024/attacking-kubernetes
30 | A Practical Approach to Breaking & Pwning Kubernetes Clusters | multiple speakers | 2022 | DEF CON 30 | High-value cluster attack-path training because it spans supply chain, infrastructure, runtime, and cloud pivoting. | https://infocondb.org/con/def-con/def-con-30/a-practical-approach-to-breaking-pwning-kubernetes-clusters-monday
31 | Supply chain security; addressing risk and dependencies issues the right way (with open source!) | multiple speakers | 2022 | MCH2022 | Good supply-chain talk for teams that need to distinguish raw vulnerability counts from broader dependency and trust risk. | https://infocondb.org/con/dutch-hacker-camps/may-contain-hackers-mch2022/supply-chain-security-addressing-risk-and-dependencies-issues-the-right-way-with-open-source
32 | How to Secure the Software Supply Chain | multiple speakers | 2022 | MCH2022 | Strong for dependency-introduction hygiene, npm ecosystem examples, and concrete steps to reduce supply-chain risk in day-to-day engineering. | https://infocondb.org/con/dutch-hacker-camps/may-contain-hackers-mch2022/how-to-secure-the-software-supply-chain
33 | Emerging Best Practices in Software Supply Chain Security | multiple speakers | 2022 | BSidesSF | Useful synthesis talk because it distills supply-chain best practices from guidance published by Google, OWASP, the White House, and Gartner. | https://infocondb.org/con/security-bsides/bsidessf-2022/emerging-best-practices-in-software-supply-chain-security-what-we-can-learn-from-google-the-white-house-owasp-and-gartner
34 | Floating the goat: How to use DevSecOps to secure OWASP WebGoat | Chloe Potsklan | 2023 | Diana Initiative | A rare learning-oriented DevSecOps talk that walks from requirements and threat modeling into AWS setup, pipeline automation, testing, monitoring, and continuous improvement. | https://infocondb.org/con/diana-initiative/diana-initiative-2023/floating-the-goat-how-to-use-devsecops-to-secure-owasp-webgoat
35 | Container escapes: Kubernetes 2024 edition | Dmitry Evdokimov, Nickolai Panchenko | 2024 | OFFZONE 2024 | Good Russian-language talk on current container-escape techniques in Kubernetes, useful for reviewers who need the current attack vectors in mind when assessing workloads. | https://offzone.moscow/upload/for-download/OFFZONE_2024_Program_ENG.pdf
36 | Filtering eBPF in Kubernetes, or Paddling down the treacherous river of network data | Alexey Rybalko | 2024 | OFFZONE 2024 | Valuable for teams interested in lower-overhead container and cluster traffic filtering with eBPF instead of only sidecars and agents. | https://offzone.moscow/upload/for-download/OFFZONE_2024_Program_ENG.pdf
37 | Storm clouds: incident investigations in cloud infrastructures | Anton Stepanov | 2024 | OFFZONE 2024 | Useful DFIR-oriented cloud talk focused on trusted-relationship attacks, provider compromise scenarios, and investigator bottlenecks. | https://offzone.moscow/upload/for-download/OFFZONE_2024_Program_ENG.pdf
38 | All-in-one REST API: security, tools, and tips | Valentin Mamontov | 2024 | OFFZONE 2024 | Good Russian-language API security session with an OpenAPI and toolchain angle that matches the KB API review track. | https://offzone.moscow/upload/for-download/OFFZONE_2024_Program_ENG.pdf
39 | Kubernetes security: Deception phase | Dmitriy Evdokimov | 2022 | OFFZONE 2022 | Useful because it adds a less common cloud-native defense-in-depth angle: deception techniques layered on top of normal K8s controls. | https://2022.offzone.moscow/getfile/D.Evdokimov_Kubernetes%20security_%20deception%20phase.pdf
40 | 5 Lifehacks for Mobile DevSecOps | Yury Shabalin | 2023 | OFFZONE 2023 | High-signal mobile DevSecOps talk that maps SAST, SCA, bytecode analysis, IAST, DAST, API testing, distribution systems, and release checks into one pipeline. | https://2023.offzone.moscow/upload/iblock/presentations/qdjb2kay3o78wzrk7jqjutknfucwiuim.pdf
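
The Kubernetes rows above (16 in the first table, 26 to 30 and 35 here) keep coming back to the same idea: a manifest setting maps to a concrete attacker path, and that mapping is what a review checklist should encode. The block below is an added example written for this page; it is not code from any of the listed talks and not Spotter. It reviews a Pod manifest and emits each weak setting together with the attacker path it enables. Both manifests, the capability list and the hostPath list are constructed for illustration, and the manifests are JSON (which kubectl accepts alongside YAML) so the example runs offline without a YAML library.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample manifests (illustrative, not from any talk). JSON is used so no
# YAML parser is needed; kubectl accepts JSON manifests as well.
WEAK_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-shell", "namespace": "default"},
    "spec": {
        "hostPID": True, "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}},
                    {"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "shell", "image": "busybox",
            "securityContext": {"privileged": True, "runAsUser": 0,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "root", "mountPath": "/host"}]}]}})

HARDENED_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "api", "image": "registry.example/api:1.2.3",
            "securityContext": {"runAsUser": 10001, "allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}}}]}})

# Capabilities that alone give a realistic way out of the container (assumed checklist).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH", "BPF"}
# hostPath targets that amount to node takeover once mounted (assumed checklist).
NODE_TAKEOVER_PATHS = {"/", "/var/run/docker.sock", "/run/containerd/containerd.sock", "/etc/kubernetes"}

Finding = Tuple[str, str]  # (what was found, attacker path it enables)


def review_pod(manifest_json: str) -> List[Finding]:
    """Return every weak setting in a Pod manifest paired with the attack path it opens."""
    spec: Dict[str, Any] = json.loads(manifest_json).get("spec", {})
    pod_sc: Dict[str, Any] = spec.get("securityContext") or {}
    findings: List[Finding] = []

    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append((f"spec.{flag}=true",
                             "host namespace shared: node-level process/network visibility, a step toward escape"))

    for vol in spec.get("volumes") or []:
        host_path = (vol.get("hostPath") or {}).get("path")
        if host_path is None:
            continue
        path = ("node takeover via host root or container runtime socket"
                if host_path in NODE_TAKEOVER_PATHS else "host filesystem access outside the container")
        findings.append((f"hostPath volume '{vol.get('name')}' -> {host_path}", path))

    # Kubernetes defaults this to true, so every container gets a projected SA token.
    if spec.get("automountServiceAccountToken", True):
        findings.append(("automountServiceAccountToken not set to false",
                         "service-account token theft, pivot to the API server with the pod's RBAC"))

    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        name = c.get("name", "?")
        sc = {**pod_sc, **(c.get("securityContext") or {})}  # container level overrides pod level
        if sc.get("privileged"):
            findings.append((f"container '{name}' privileged=true",
                             "all devices and capabilities available: direct container escape"))
        if sc.get("allowPrivilegeEscalation", True):  # default is true unless explicitly false
            findings.append((f"container '{name}' allowPrivilegeEscalation not false",
                             "setuid binaries and file capabilities can regain privileges"))
        if sc.get("runAsUser") == 0 or ("runAsUser" not in sc and not sc.get("runAsNonRoot")):
            findings.append((f"container '{name}' may run as root",
                             "root inside the container makes every other weakness easier to exploit"))
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            if cap.upper() in DANGEROUS_CAPS:
                findings.append((f"container '{name}' adds CAP_{cap.upper()}",
                                 "capability-based escape (mount, ptrace, module load, BPF)"))
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"== {label}: {len(review_pod(manifest))} finding(s)")
        for what, path in review_pod(manifest):
            print(f"  {what}: {path}")
```

The same function works as a pre-commit check, a CI gate, or the decision logic behind a validating admission webhook, which is the "one policy, several enforcement points" idea row 28 describes; only the place the manifest comes from changes.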

Notes about source quality and archive stability

Conference sources are inconsistent.

  • RSAC currently offers the most stable individual session pages and is the easiest source for reliable metadata.
  • DEF CON often exposes highly relevant material through official villages or media archives rather than neat per-talk pages.
  • OWASP local chapter pages can be surprisingly strong because they often preserve talk titles, presenters, and slides.
  • Black Hat, PHDays, and OFFZONE sometimes expose slides and schedules more reliably than fully stable per-session landing pages. When that happens, use the official archive/schedule page plus slide repositories such as InfoCon as a secondary discovery layer.

How to turn this watchlist into a self-study plan

Track A โ€” Product Security leadership

Start with:

  • Protect that Money Maker
  • The AppSec Playbook
  • The Convergence of AppSec, Cloud Security and DevSecOps
  • The End of DevSecOps?

Track B โ€” Cloud detection and attack paths

Start with:

  • Purple Teaming & Adversary Emulation in the Cloud with Stratus Red Team
  • Security Logging in the Cloud
  • Catch Them All! Detection Engineering and Purple Teaming in the Cloud
  • GCPwn
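
The two Tafani-Dereeper talks in this track describe a loop: emulate a technique, check that the expected detection fired, and treat a miss as a coverage gap to fix. The block below is an added example written for this page, not code from those talks and not part of Stratus Red Team. It runs two CloudTrail detection rules over constructed events from three emulated techniques plus a benign baseline, and reports which techniques were caught and which rule produced false positives. The event IDs, principal names, account number and technique names are all constructed; the CloudTrail field names (eventSource, eventName, userIdentity, requestParameters, errorCode) are the real ones.

```python
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]
Rule = Callable[[Event], bool]


def caller_name(ev: Event) -> str:
    """Best-effort principal name from userIdentity (IAM user, or the session name of an assumed role)."""
    ident = ev.get("userIdentity") or {}
    return ident.get("userName") or (ident.get("arn") or "").rsplit("/", 1)[-1]


def cloudtrail_logging_disabled(ev: Event) -> bool:
    # Failed attempts (errorCode set) are kept on purpose: the intent is the signal.
    return (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in {"StopLogging", "DeleteTrail"})


def access_key_for_other_principal(ev: Event) -> bool:
    if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "CreateAccessKey":
        return False
    target = (ev.get("requestParameters") or {}).get("userName")
    # CreateAccessKey without userName acts on the caller itself: routine rotation, not a backdoor.
    return target is not None and target != caller_name(ev)


RULES: Dict[str, Rule] = {
    "cloudtrail-logging-disabled": cloudtrail_logging_disabled,
    "access-key-for-other-principal": access_key_for_other_principal,
}


def run_rules(events: List[Event]) -> Dict[str, List[str]]:
    """Map each rule name to the eventIDs it fired on."""
    hits: Dict[str, List[str]] = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(str(ev.get("eventID")))
    return hits


def _ev(event_id: str, source: str, name: str, user: str, params: Dict[str, Any] = None) -> Event:
    """Build a minimal CloudTrail-shaped record (constructed data, account number is fake)."""
    return {"eventVersion": "1.08", "eventID": event_id, "eventSource": source, "eventName": name,
            "awsRegion": "us-east-1", "requestParameters": params or {},
            "userIdentity": {"type": "IAMUser", "userName": user,
                             "arn": f"arn:aws:iam::123456789012:user/{user}"}}


# Constructed emulation runs: technique, the rule expected to fire, and the events the run produced.
EMULATION_RUNS = [
    {"technique": "stop-cloudtrail-logging", "expected_rule": "cloudtrail-logging-disabled",
     "events": [_ev("e1", "cloudtrail.amazonaws.com", "StopLogging", "red-team",
                    {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"})]},
    {"technique": "backdoor-iam-user-access-key", "expected_rule": "access-key-for-other-principal",
     "events": [_ev("e2", "iam.amazonaws.com", "CreateAccessKey", "red-team", {"userName": "svc-backup"})]},
    # Narrowing event selectors also blinds the trail, but no rule above covers it: a gap the loop must surface.
    {"technique": "narrow-cloudtrail-event-selectors", "expected_rule": "cloudtrail-logging-disabled",
     "events": [_ev("e3", "cloudtrail.amazonaws.com", "PutEventSelectors", "red-team",
                    {"trailName": "main", "eventSelectors": [{"readWriteType": "ReadOnly"}]})]},
]

# Constructed baseline activity that must not alert.
BENIGN_EVENTS = [
    _ev("b1", "cloudtrail.amazonaws.com", "StartLogging", "ops"),
    _ev("b2", "iam.amazonaws.com", "CreateAccessKey", "alice", {"userName": "alice"}),  # self rotation
    _ev("b3", "iam.amazonaws.com", "CreateAccessKey", "alice"),                         # implicit self
    _ev("b4", "cloudtrail.amazonaws.com", "DescribeTrails", "ops"),
]


def validate(runs: List[Dict[str, Any]], benign: List[Event]) -> Dict[str, Any]:
    """Coverage per emulated technique, plus any rule that fired on the benign baseline."""
    coverage = {run["technique"]: bool(run_rules(run["events"])[run["expected_rule"]]) for run in runs}
    false_positives = {name: ids for name, ids in run_rules(benign).items() if ids}
    return {"coverage": coverage, "false_positives": false_positives}


if __name__ == "__main__":
    report = validate(EMULATION_RUNS, BENIGN_EVENTS)
    for technique, detected in report["coverage"].items():
        print(f"{'DETECTED' if detected else 'GAP     '} {technique}")
    print("false positives:", report["false_positives"])
```

The third run is the point of the exercise: the rule set catches the obvious StopLogging case but misses PutEventSelectors, which also blinds the trail, and the report says so. In a real loop the events come from CloudTrail after an emulation run rather than from inline constants, and every GAP line becomes a detection ticket.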

Track C โ€” Developer and AppSec enablement

Start with:

  • From Good to Great, the Foundations of Application Security
  • Security by Design
  • Deep Dive on API Security
  • Secure Coding Dojo

Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.