A recap of BSides San Francisco 2026, covering key themes from the conference including identity risk, token security, threat modeling in production, and malicious IDE extensions. Highlights include Netflix's Anna Westelius on security maturity cycles, Farshad Abasi on why static threat models fail in fast-moving production environments, Bhaumik Shah on OAuth/OIDC/JWT attack patterns, and Vinod Tiwari on the underappreciated risk of malicious VS Code and JetBrains extensions on developer workstations. The overarching theme: security programs need continuous reconciliation with reality rather than periodic reviews, and identity has become the central control plane for modern defense.
Table of contents
Time Travel Without Nostalgia
The Threat Model Meets Production
Tokens Are the New Currency
Hunting the Blind Spot on Developer Workstations
Static security assumptions are failing faster
What San Francisco Made Feel Obvious