Talks and workshops

Opening words

Opening words by Sylvain Pasini (Professor at HEIG-VD), president of the Black Alps association and general chair of #BlackAlps18.
Welcome words by Juliana Pantet (Managing Director, Y-Parc S.A.) and Vincent Peiris (Dean of ICT department, HEIG-VD)


Let’s create a redteam mission

Redteaming is a method inspired by the military community practices according to which an independent group of skilled adversaries challenges systemic weaknesses within an organization to improve its defensive posture against external threat actors.
CERT Societe Generale has come up with an idea to find a better implementation for the method of Redteaming through the use of threat modeling inspired by the real-life adversaries’ tactics.
In today's keynote, we will try to custom-tailor a redteaming mission to the needs of your organization in a live mode and will look through the common do's and don'ts relative to the implementation of such offensive security tools and methods for the benefit of large-scale financial groups.

Alex Kouzmine

White / Purple team leader at CERT
Societe Generale

Alex Kouzmine is a Security Officer and a White / Purple team lead at CERT Societe Generale, the first ever French financial CERT and Incident Response team. As part of his mission within Societe Generale Financial Group, Alex is in charge of creating a dedicated Redteam whose role it is to improve security posture and cohesion between security departments through simulation of offensive scenarios inspired by real-life adversaries of Financial groups and banks. Throughout his career, Alex has been the founder and lead of different CERT/CSIRT teams in France, Canada, USA, and Russia.

Challenges and Opportunities in Cloud Security

Running businesses in cloud environments where everything has an API, everything is built at new abstraction layers, and everything is running on someone else's computers presents new ways of thinking of things and new capabilities. This can allow you to greatly improve your security, but at the cost of changing how you do that security. This talk will discuss the current best practices and state of analyzing and understanding your cloud environments, along with where there is more work to be done.

Scott Piper

AWS Security Consultant

Scott Piper has a decade of experience in cyber security, having previously worked at the NSA, as a developer for commercial security products, and as the Director of Security for a startup. He now focuses on improving the security of AWS environments. He holds all AWS (Amazon Web Services) Associate and Professional level certificates along with the Security Specialty certificate. He developed, CloudMapper, and CloudTracker, and frequently posts his learning on cloud security at

Track "attacks"

Bypass Android Security Mechanisms using Custom Android

Most Android hackers research application vulnerabilities using rooting tools (SuperSU, MagiskSU) and hooking frameworks (FRIDA, Xposed Framework, etc.). However, rooting tools and hooking frameworks are detected and blocked by the security mechanisms of the Android OS and of the application. Hackers therefore have to circumvent the security mechanisms applied to the Android OS and applications, which can cost an attacker a lot of time in analysis and bypassing. Security mechanisms are constantly being updated, so attackers and defenders continue to play cat and mouse. In this talk I will analyze the security mechanisms applied to the Android OS and applications in detail at code level and, by creating a new Android kernel, create an undetected privilege escalation backdoor, dynamically intercept and manipulate the execution environment, and bypass security mechanisms.

SungHyoun Song

FSI (Financial Security Institute)

SungHyoun Song is a security researcher at FSI (Financial Security Institute), in charge of Mobile Security for the Financial Industry in Korea. He has ten years of experience in mobile security, reverse engineering, penetration testing and authentication mechanisms. He currently focuses on Linux kernel exploitation and the Android runtime. He has also participated in several international security conferences such as ITU-T, HITCON, beVX and SEC-T.

Build your own hardware implant

We've all seen the news about an implanted chip that allows taking remote control of your servers. That's a bold claim, and many people were arguing about whether that story is legit or not. But is such an implant technically possible?

In this talk, you'll discover the hidden gems you can get when you RTFM, and how to create your very own hardware implant.

Nicolas Oberli

Cyber Security Expert
Kudelski Security

Nail in the JKS coffin

The Java Key Store (JKS) is the Java way of storing one or several cryptographic private and public keys for asymmetric cryptography in a file. While there are various key store formats, Java and Android still default to the JKS file format. JKS is one of the file formats for Java key stores, but JKS is confusingly used as the acronym for the general Java key store API as well. This presentation explains the security mechanisms of the JKS file format and how the password protection of the private key can be cracked. Due to the unusual design of JKS, the developed implementation can ignore the key store password and crack the private key password directly. Because it ignores the key store password, this implementation can attack every JKS configuration, which is not the case with most other tools. By exploiting a weakness of the Password Based Encryption scheme for the private key in JKS, passwords can be cracked very efficiently. Until now, no public tool was available exploiting this weakness. This technique was implemented in hashcat to amplify the efficiency of the algorithm with higher cracking speeds on GPUs.

Tobias Ospelt

IT security analyst
modzero AG

Tobias is a penetration tester working for modzero AG and a researcher in various fields of the IT security world. In the past year he collected a bug bounty from Twitter by finding a race condition in their iOS application that might have been a race condition in the iOS TLS library, used a lot of electricity for his fuzzing farm and wrote several Burp extensions. When he's not developing memory corruption exploits on ARM, running evil wireless access points or developing tools for the AFL fuzzer, he tries to break Android related security mechanisms.

Reversing cryptographic primitives using quantum computing

In the last year there were several advances in practical quantum computing: now there are free quantum chips available on the cloud for everyone, and the largest quantum chips exceed 50 qubits, a number called the quantum supremacy because theoretically a quantum chip exceeds the power of a classical computer. We'll explain how to program a quantum chip and give the results of our research regarding reversing some cryptographic building blocks like P-Box, S-Box, CRC-8 and XOR functions using quantum circuits. We'll see the implementations and run some circuits on real hardware to see how close we are to attacking real cryptography.

Renaud Lifchitz

IT security expert

Renaud Lifchitz is a French senior IT security consultant. He has a solid penetration testing, training and research background. His main interests are protocol security (authentication, cryptography, protocol security, information leakage, zero-knowledge proof, RFID security) and number theory. He currently mostly works on security of protocols and has been a speaker at many international conferences. Renaud's significant security studies are about: contactless debit cards, GSM geolocation, blockchain, RSA signatures, ZigBee, Sigfox, LoRaWAN, Vigik access control system and quantum computation.

Unlocking secrets of the Proxmark3 RDV4.0

0xFFFF and Iceman will show you the latest revision of the proxmark3 tool, rdv40, a successful Kickstarter that brought NFC analysis to the next level.

  • Identifying common issues in the Proxmark community.
  • RRG formed to produce new hardware such as the long range HF reader and LF reader.
  • What's so special about the PM3 rdv40? Onboard storage, SIM interface, improved HF + LF antenna, improved HF antenna, improved 'capsule' LF antenna, QC process, covert + discreet.
  • Current capabilities of official firmware and popular forks.
  • Analysis of unique + difficult tags and how to overcome them.

Christian Herrmann

Rfid Research Group RRG

Christian Herrmann (Iceman) is co-founder of RRG, administrator of proxmark3 forum, maintainer of github proxmark3 repo, iceman fork of chameleon mini and proxmark3, Certified MCPD enterprise architect, 12 years company

Kevin Barker

Rfid Research Group RRG

Kevin Barker (0xFFFF) is co-founder of RRG, administrator on proxmark3 forum since the very beginning, working with security management and Access Control systems at Inner Range, Australia, the last ten years.

Track "lessons learned"

Group123: Korea In The Crosshairs

This talk will present the activities of Group123 during 2017 and 2018. I will present campaigns against South Korean targets (individual users and organizations) and campaigns against non-Korean financial institutions. The purpose of our presentation is to describe the different campaigns by starting with the infection vector (Hangul Word Processor or Office document), the malware installation and the final payload (such as ROKRAT). During the investigation period we discovered that this actor has different capabilities such as espionage and destruction. Finally, we will describe a rise of power concerning this group and the usage of a Flash 0-day (CVE-2018-4878) for months. Additionally I will mention an Android app that Korean malware linked to this group.

Paul Rascagneres

Security researcher
Cisco Talos

Paul is a security researcher within Talos, Cisco’s threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings as publications and at international security conferences throughout the world. He has been involved in security research for 7 years, mainly focusing on malware analysis, malware hunting and more specifically on Advanced Persistent Threat campaigns and rootkit capabilities. He previously worked for several incident response teams within the private and public sectors.

Application Level DDoS, the Rise of CDNs and the End of the Free Internet

It's been mostly silent for two years on the DDoS front in Switzerland, but IoT devices and growing network capacities could bring the next wave of DDoS attacks anytime now. Technical reasons make it likely that the trend towards application level DDoS will continue. Defense against big DDoS attacks forces you either to use a protection service or to start working with GeoIP defenses. The CDN protection services will ask for your certificate keys, though, which effectively means that an application level DDoS will force you to hand over your keys to a foreign company, as no Swiss DDoS protection company exists. Alternatively, you will need to cut international IP traffic via GeoIP, which is not always an option either. And even if you pursue this, traffic might still overwhelm your carrier implementing the GeoIP filter. But there is a path rarely travelled that could allow you to survive an attack with the help of BGP: you stop advertising your route internationally and concentrate on local peering partners. You hide from the global internet during the attack, but remain online locally.

Christian Folini

Dr., Security Engineer

Christian Folini is a security engineer and open source enthusiast. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is not a big business anymore and so, he turned to defending web servers, which he finds equally challenging. He brings more than ten years of experience with ModSecurity configuration in high security environments, DDoS defense and threat modeling. Christian Folini is the author of the second edition of the ModSecurity Handbook and the best known teacher on the subject. He co-leads the OWASP ModSecurity Core Rule Set project and serves as the program chair of the "Swiss Cyber Storm" conference. Christian is the vice president of the Swiss federal public-private-partnership "Swiss Cyber Experts" and he helps to edit the Center for Internet Security "Apache Benchmark". He is a frequent speaker at conferences, where he tries to use his background in the humanities to explain hardcore technical topics to audiences of different backgrounds.

3 years later: a crossed look at Swisscom bounty

3 years after the launch of the bug bounty program at Swisscom it is time to take a step back. This talk starts from the point of view of a (somewhat frustrated) bug hunter and walks back from the launch of the program to the current state. Crossed looks from the company and the researcher outline the difficulties encountered on both sides and show what improved over time and how. It is a story of collaboration and communication. A second part will disclose some interesting vulnerabilities that were found and fixed through the program. Those are not yet chosen but will probably include RCE, SQLi, prevented data leaks or other high-impact issues.

Florian Badertscher

Security Analyst CSIRT

Before joining Swisscom Florian Badertscher worked as penetration tester, security analyst and teacher on various security topics. Working now in the Cyber Defense team of Swisscom he is responsible for Swisscom's Bug Bounty Program beside his duties in incident management and response.

Nicolas Heiniger

IT Security Analyst
Compass Security AG

Nicolas Heiniger is a happy husband and proud father of 3 children. After some years in public health and at an IT service provider, he's now working at Compass Security where he is most interested in web applications and penetration testing. At night, he hacks for fun and bounty.

Cryptocurrency mobile malware

Many headlines talk of cryptocurrency malware as "the new ransomware" or 2018's new menace on computers. Whenever something big hits PCs, it usually gets ported to smartphones. In this talk, we'll investigate the status of cryptocurrency malware on mobile phones. The first ones were Android/CoinKrypt and Android/BadLepricon. We'll reverse engineer code of some newer ones such as Loapi, AdbMiner, HiddenMiner or some of the numerous instances of CoinHive riskware. Despite their increasing power, mining on smartphones has its limits. For example, mining Bitcoin on a smartphone does not make sense. We'll see which cryptocurrencies are mined on smartphones and discuss how profitable this is for cyber-criminals. We'll follow the earnings of the authors of HiddenMiner, based on live captures we were able to get.

Axelle Apvrille

Security Researcher EMEA

Axelle is one of the lead security researchers with Fortinet. She specifically looks into mobile malware for Fortinet's anti-virus engine, but also investigates threats on uncommon platforms for IoT (smart toothbrush, smart glasses, smart watch etc).

Dilemmas Everywhere! Get It Right or Get Pwned

Creating cyber security software is much more challenging than developing any other type of software, and there are various dilemmas and considerations to be taken into account when choosing the right components. Today, as the trend is to shift security to the left, knowledge in this area becomes more crucial for developers, UX designers, software architects, and anyone involved in this field. In this presentation, I combine my 13 years of R&D security experience with examples of recent breaches and discoveries in order to show the importance of making the correct decisions in each of the development stages for securing software.

Ethan Schorer

Security Leader
Check Point Software Technologies

Ethan Schorer has been involved in cyber security for the past 20 years as an IT administrator for many organizations and think tanks, a software developer and currently as the go-to-guy for secure development and vulnerability related issues at Check Point. Ethan is married, a father of 3, an OWASP member, a shift-left enthusiast, and likes his whisky peaty.

Switzerland has bunkers, we have Vault

Vault is an open-source tool by HashiCorp specifically designed for securing and managing all kinds of secrets, from passwords to database credentials or encryption keys. In this talk, we start by laying out the foundations of Vault by discussing the concepts of untrusted storage backends, authentication methods, sealing/unsealing processes, response wrapping, and dynamically generated short-lived secrets. Building on that, we present several real-world scenarios and demonstrate how Vault can be used in these situations to implement an architecture with a high separation of concerns and low trust. For every scenario, we seek to put ourselves in an attacker's shoes and analyze what the impact of the compromise of each component would be on the overall architecture.

Christophe Tafani-Dereeper

Security Engineer

Christophe Tafani-Dereeper holds a Computer Science Master's degree from EPFL and works as a Security Engineer at Hacknowledge, a Managed Detection and Response company. His day to day activities include log analysis and investigation, system administration, devops, and development. He holds a blog where he writes about infosec, and a Twitter account where he mainly rants and retweets cynical content.

How to provide security fixes in a high constraint ecosystem? Practical examples with the Jenkins project.

Lessons learned from a security team member of a widely used open source project (Jenkins). How to solve security issues when you face multiple constraints such as living in a public/private plugin ecosystem, ensuring backward binary compatibility, and providing an escape hatch or, even better, progressive migration. I will present our approach to tackling those obstacles with practical examples.

Wadeck Follonier

Security Software Engineer
CloudBees SA

Wadeck Follonier is a Security Software Engineer at CloudBees SA and an active member of the Jenkins Security Team. He finished his Master's degree in Computer Science with a specialization in Internet Computing at EPFL in 2011. Prior to joining CloudBees, he started his career in various positions such as Software Engineer, Project Manager or even Application Manager. He always has the desire to find solutions that also take maintenance into account. In his current role, he has the pleasure of working with lots of different applications through all the Jenkins plugins. Outside of security, if you have an interest in genetic algorithms or video game development, feel free to approach him.

Building an Open Source Kubernetes Security Stack

Cloud Native platforms such as Kubernetes help developers to easily get started deploying and running their applications at scale. But as this access to compute starts to become ubiquitous, how you secure and maintain compliance standards in these environments becomes extremely important. In this talk we'll cover the basics of securing Cloud Native platforms using Kubernetes as our driving example (Pod Security Policy, Network Policy, etc.). We will also cover open source tools, such as Anchore, Falco and Sysdig Inspect, that can be used to maintain a secure computing environment. We will cover the entire process from image scanning to runtime security and forensics in volatile containers. This is a practical "tools of the trade" talk: attendees will walk away with a good understanding of the challenges of securing a Cloud Native platform and practical advice on using open source tools as part of their security strategy.

Henri Dubois-Ferriere

Technical Director

Henri is a Technical Director at Sysdig, where he currently works on Prometheus monitoring. He created the original version of Sysdig Falco, the open source runtime security and forensics tool. Prior to that, he worked on a variety of software infrastructure products, including data analytics at Jut, packet scheduling at Riverbed, and founding Sessionbox, a web monitoring startup. He holds a PhD in computer science from EPFL and is a repatriate to Switzerland after many years working in San Francisco.

Cyber Defence Exercise Locked Shields & Cyber Exercises in the Financial Sector

The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia has been organizing the largest and most advanced live-fire cyber defence exercise in the world on a yearly basis since 2010. The Locked Shields exercise grows each year and in 2018 it was the largest one conducted so far, with about 1000 participants and 30 different nations, involving 22 defending blue teams and an attacking red team with about 70 members. First, I will begin with a short introduction and history of the CCDCOE, its mission and activities. Next, I will continue with an overview of the exercise from a participant’s perspective, its training goals, the most interesting aspects, different teams and their roles. Then, I will continue with intelligence-led red team testing conducted within the financial sector and the different accompanying frameworks. And finally, I will conclude with a discussion about the value of such exercises when compared to traditional methods of security assessments and testing. The talk will be rather non-technical, aimed at security practitioners as well as decision makers, and based on publicly-available information.

Peter Hladky

Threat Intelligence & Red Teaming
Credit Suisse

Peter Hladký is a member of the Threat Defense Analysis team of Credit Suisse, serving as an internal SME on Red Teaming specializing in intelligence-driven red team testing. Peter held different positions in the field of cyber security in the past. As a Senior Consultant, he worked on a number of large-scale cyber security and client data confidentiality engagements in the financial sector. Later, as a Senior Cyber Security Specialist, he worked on building cyber security services and on preparing and conducting cyber security training exercises in the defense sector. Peter holds a Master’s degree in Computer Science with specialization in Information Security from the Swiss Federal Institute of Technology (ETH Zurich), as well as OSCP and OSCE certifications from Offensive Security.

Special event on Medical devices

Opening words

Opening words by Sylvain Pasini (Professor at HEIG-VD), president of the Black Alps association and general chair of #BlackAlps18.
Welcome words by Yohann Perron (Alp ICT).

Challenges of our hospitals when working with connected devices

During his presentation, Pierre-François will present everyday challenges associated with a large hospital information system. Such an institution has to manage a very large number of connected devices, including medical devices, while cybersecurity is a constant and mandatory requirement in order to ensure patient safety and continuity of care.

Pierre-François Regamey

Chief Information Officer

Graduated from EPFL, Pierre-François Regamey is Chief Information Officer and member of the board at CHUV, a Swiss university hospital of 1’500 beds and 11’000 employees, annually treating more than 50'000 patients. He’s heading a department of 180 professionals in charge of elaborating the hospital IT strategy and ensuring the daily operations of both clinical and administrative hospital information systems, as well as the internal telecommunication infrastructure.
Previously, Mr Regamey was a senior executive in the IT departments of a large insurance company as well as in various Swiss and international IT consulting companies operating in the health care, insurance, banking and defence sectors.

State of the art in Security applied to Medical Devices through a successful implementation of an insulin pump

During his presentation, Stephan will present the solutions which have been implemented in order to ensure a sufficient level of security so that an insulin pump can be controlled by a smartphone. This will be the occasion to have an overview of the current state of the art in cybersecurity in the field of medical device manufacturers.

Stephan Proennecke

Project Manager

After a PhD in Physics from EPFL and several years in fundamental research, Stephan Proennecke spent 5 years developing internet payment solutions, during which he was involved with bank cards and EMV standards definitions for these solutions. After this, Stephan worked for more than 7 years at Logitech developing products for the consumer electronics market. For almost 10 years now, Stephan has worked as a Project Manager for Debiotech, where he leads the JewelPUMP development, a program that will offer a complete solution for the therapy of diabetes. The project aims to deliver an insulin nanopump that is controlled via a smartphone.

Current status of regulations on cybersecurity for Medical Devices

During his presentation, Kim will present the status of the regulations that apply to Medical devices. A specific focus will be made on current requirements with regards to data protection and cybersecurity and possibly presenting applicable international standards that may be considered to fulfil these requirements.

Kim Rochat

Senior Partner

Kim Rochat has been active in the field of medical devices for 10+ years and is one of the three founders of Medidee Services SA. His areas of expertise are quality management, regulatory affairs, and clinical evaluation of critical products such as active medical devices, active implants (AIMD), standalone software and borderline devices. Kim’s specialities include the regulatory compliance of software-based platforms, mobile apps, and automated systems; the design and follow-up of clinical investigations; user interactions and usability; and compliance with requirements on data privacy.

Round table

Round Table - Pierre-François Regamey, Stephan Proennecke, Kim Rochat, and Julien Bachmann.


Reversing and Vulnerability research of Ethereum Smart Contracts

Ethereum is the reference smart contract platform thanks to the possibility of creating decentralized applications (Dapps) by writing smart contracts. The Solidity source code of those smart contracts is not always available and can contain flaws (reentrancy, integer overflow/underflow, bad randomness, backdoor, ...). Some smart contracts handle thousands of ETH and can't be modified once pushed to the blockchain. More than 90% of them don't provide the associated Solidity source code, which is why being able to reverse and analyze Ethereum smart contracts (with only the EVM bytecode) makes even more sense. This workshop is intended to give attendees the basic skills (theoretical and practical) to analyze Ethereum smart contracts. After the workshop, they will be able to reverse, debug and find basic vulnerabilities in real-life smart contracts without having the Solidity source code.

Patrick Ventuzelo

Security researcher
QuoScient GmbH

Patrick Ventuzelo is a French security researcher working for Quoscient GmbH. Previously, he worked for P1 Security, the French Department of Defense (DoD) and Airbus Defense & Space Cybersecurity. He is mainly focused on Reverse Engineering and Vulnerability Research on various platforms, with a strong interest in new research areas such as WebAssembly, Smart Contracts and Blockchain. Patrick has been a speaker/trainer multiple times at various international security conferences such as Toorcon, REcon Montreal, SSTIC, REcon Brussels. Recently, he presented his research on “Reverse Engineering of Blockchain Smart Contracts (ETH/NEO/EOS)” and released an open-source security analysis tool called Octopus (

Introduction to Bro Network Security Monitor

Bro is an open-source Network Security Monitor (NSM) and analytics platform. Even though it has been around since the mid 90's, its main user base was primarily universities, research labs and supercomputing centers. In the past few years, however, more and more security professionals in the industry turned their attention to this powerful tool, as it runs on commodity hardware, thus providing a low-cost alternative to commercial solutions. At its core, Bro inspects traffic and creates an extensive set of well-structured, tab-separated log files that record a network’s activity. Nonetheless, Bro is a lot more than just a traditional signature-based IDS. While it supports such standard functionality as well, Bro’s scripting language allows security analysts to perform arbitrary analysis tasks such as extracting files from sessions, detecting malware by interfacing with an external source, detecting brute-forcing, etc. It comes with a large set of pre-built standard libraries, just like Python.

During this two-hour workshop, we will learn about Bro's capabilities and cover the following topics:

  • Introduction to Bro
  • Bro architecture
  • Bro events and logs
  • Bro signatures
  • Bro scripting
  • Bro and ELK

Requirements for the workshop:

  • A laptop with at least 8 GB of RAM and more than 30 GB of free disk space
  • VMWare Workstation or VMWare Player installed

Eva Szilagyi

Managing Partner, CEO
Alzette Information Security

Eva Szilagyi is managing partner and CEO of Alzette Information Security, a consulting company based in Luxembourg. She has more than 8 years of professional experience in penetration testing, security source code review, digital forensics, IT auditing, telecommunication networks and security research. Previously, she was working for companies like Vodafone Hungary, Ernst & Young Hungary and Deloitte Luxembourg. Eva has master's degrees in electrical engineering and in networks and telecommunication. She holds several IT security certifications such as GSEC, GICSP, GMON, GSSP-JAVA, GWAPT, GMOB, CCSK, eWPT, and eJPT. Eva speaks on a regular basis at international conferences like Nuit du Hack, BSidesBUD, BSides Munich, Security Session, Pass the SALT and she is a member of the organizer team of BSides Luxembourg.

David Szili

Managing Partner, CTO
Alzette Information Security

David Szili is managing partner and CTO of Alzette Information Security, a consulting company based in Luxembourg. David is also an instructor at SANS Institute, teaching FOR572: Advanced Network Forensics and Analysis. He has more than 8 years of professional experience in penetration testing, red teaming, vulnerability assessment, vulnerability management, security monitoring, security architecture design, incident response, digital forensics and software development. Previously, he was working for companies like POST Telecom PSF Luxembourg, Dimension Data Luxembourg, Deloitte Hungary, and Balabit. David has master's degrees in computer engineering and in networks and telecommunication and a bachelor's degree in electrical engineering. He holds several IT security certifications such as GSEC, GCED, GCIA, GCIH, GMON, GNFA, GPYC, GMOB, CCSK, OSCP, OSWP, and CEH. David speaks on a regular basis at international conferences like BruCON, Hacktivity, Nuit du Hack, x33fcon, BSidesBUD, BSidesLjubljana, BSides Munich, Security Session, Pass the SALT and he is a member of the organizer team of BSides Luxembourg. He occasionally blogs about information security at

Hands-On Security Lab with Hacking-Lab

This training is based on the Hacking-Lab platform (, providing an online lab with several hundreds of different security challenges. Participants of this training will be granted access to several challenges in Hacking-Lab, where they can exercise their skills or learn with step-by-step instructions on how to exploit vulnerable web applications. After a common introduction, participants can select the desired difficulty level and solve the proposed challenges at their own pace, with the support of the trainers. A LiveCD environment, including all required tools, is provided as working environment. Participants are required to bring their own laptop with the provided virtual machine image installed (available at

This training is open to anyone interested in IT security (e.g. application developers, system administrators, CISOs, etc). The technical level is pretty much open; the trainers provide individual support to the participants during the training. To work with the lab environment, participants are expected to have basic experience working with the Linux command line and also have basic knowledge of the HTTP protocol.

Requirements for participants:

  • Laptop
  • Virtual Box or VMWare player
  • Hacking-Lab LiveCD (

As a little add-on, we're playing a 30-minute "Min CTF", with 10 puzzles/challenges. They're not too hard, everyone should be able to solve a couple of them!

Philipp Sieber

Nicolas Heiniger

Sylvain Heiniger

Recruit your IT security experts effectively... or how to attract and identify your next talents while limiting casting errors

In this participatory workshop, we will address the challenges of recruiting technical profiles and the concrete ways to meet them. 1. From defining the position to HR marketing, you will leave with concrete leads for receiving interesting applications. 2. From CV selection to conducting job interviews, you will learn to efficiently identify the profiles best suited to the position and to the company culture. Intended for anyone who is not a recruitment professional but has to recruit for their team, and who wishes to share their experiences and leave with a few tips in their pocket.

Alexia Gonzalez

Human Capital Consultant
Securing Apps Sàrl

An independent consultant in recruitment and human resources, Alexia Gonzalez has moved between people and technology throughout her career, which gives her concrete knowledge of IT professions. She is convinced that the key to recruitment for the employer is knowing how to draw the true portrait of the profile they need, breaking free of stereotypes and copy-pasted job descriptions. She opts for a pragmatic approach that is respectful of the candidate, in which supply and demand communicate without a power struggle.


Call For Proposals: Talks and Workshops

Proposal submission

The submission process is now closed (it was open until 31 July 2018).

Program committee

The Program committee is composed of internationally renowned experts in the field responsible for building a program of quality. They will collect the proposals and select the most outstanding ones.

  • Julien Bachmann (chair), Hacknowledge
  • Jean-Baptiste Aviat, Sqreen
  • Fabrice Caralinda, SCRT
  • Benjamin Delpy, Kiwi Researcher
  • Antoine Neuschwander, SWITCH
  • Nicolas Ruff, Google