
Recap of Hacker Summer Camp 2025

Two weeks after DEFCON, I’m still buzzing from an unforgettable week in Vegas — one that kicked off at the Tuscany for my very first BSidesLV. And wow, what an experience.


In this recap, I’ll take you through:

  • How BSides and DEFCON compare in culture and experience
  • My journey through the Call for Papers process and what I learned
  • One last time running my workshop – in Frankfurt on 24th September ’25 at OWASP
  • A brand-new talk idea born out of conversations in Vegas
  • Why I’m building my first 2-day training course and what it will cover
  • The highlights that left a lasting impression
  • Security trends that kept coming up again and again
  • And finally, resources if you want to dive deeper into the topics I covered in my workshop

BSidesLV has roots going back to 2009, when a bunch of talks rejected from Black Hat and DEFCON needed a home. Instead of dying off, those ideas sparked something bigger: an “alternative” conference built on inclusivity, community, and the hacker spirit. Fast forward to today, and BSides events are happening all over the world — but Las Vegas remains the beating heart of that movement.

Starting the week there felt like stepping into hacker culture in its purest form, and it set the perfect tone for everything that followed.

BSides vs. DEFCON: Same City, Different Vibes

My first BSides was in Canberra in 2023, and it struck me as a true hacker conference: lockpicking villages, community-driven activities, and deep, technical talks. Importantly, you won’t find many commercially biased presentations there — instead, you get real-world insights from hackers. In many ways, it reminded me more of the CCC culture in Germany.

While DEFCON certainly attracts this crowd too, it feels more structured and commercialised. BSides, on the other hand, manages to retain a raw, grassroots vibe. Even BSides Canberra, which is huge in terms of audience, still feels authentic and community-driven. I think this concept — keeping it hacker-first rather than commercial — is what makes BSides so successful. That’s just my experience as both an attendee and speaker.

The CFP Rollercoaster: Submitting, Hoping, Surprised

At the beginning of the year, when I started working on submissions, I knew I wanted to be in Vegas. I submitted my session to both BSidesLV and DEFCON, never expecting to be accepted at both — and it didn’t hurt that every workshop ended up fully booked.

The topic I brought was brand new — several people told me afterwards that they had never seen those concepts before, despite years in AppSec. That’s not surprising, since adoption is still low and most secure coding classes stick to the OWASP Top 10 basics.

But things are changing. The OWASP Top 10 for Proactive Controls now includes Use Browser Security Features. Google has also been pushing hard for new standards, many of which I covered during my workshop: Integrity-Policy, CSP v3, Trusted Types API, Reporting API. I often had to explain differences in adoption between Chromium and Firefox — but the good news is, it’s all moving quickly, and these features are making their way onto every browser roadmap.

From Vegas to Frankfurt

One of the things I’m most excited about after DEFCON is bringing my workshop straight back from Vegas to Germany. The same hands-on session I delivered at BSidesLV and DEFCON 33 will now be part of our OWASP Frankfurt meetup.

And this will also be the last time I run this type of workshop, before I move on to new material — so if you’ve been curious, this is your chance to join.

👉 OWASP Frankfurt Meetup

Lone Wolves, Growing Teams, and a New Talk

This year at DEFCON, one of the most exciting outcomes for me was turning a hallway conversation into something bigger: a brand-new talk idea with a friend I first met there.

Recently, my own role has shifted due to changes in how our teams are structured — team topologies have been reshaped, forcing me to think deeply about scaling security. Some of these thoughts I’ve already written about here. But not everyone in AppSec has the same setup. Many are lone wolves trying to cover everything, maybe using security champions to scale, but eventually hitting bottlenecks (see my earlier article here).

That’s where our new talk comes in. Together, we’re telling the story of Alex, a security engineer at a 50-person SaaS startup. As Alex’s company grows, he explores different security team topologies and strategies + Security Champions — the pros, the cons, and how they evolve in practice.

When I was starting out, I would have loved to hear a talk like this. Understanding how security team structures evolve can make a huge difference when joining a new company and discovering that everyone operates differently. That’s the kind of perspective we want to share.

From a 4-Hour Workshop to a 2-Day Deep Dive

The feedback from DEFCON left me incredibly motivated. My 4-hour workshop didn’t cover everything I wanted, so my collaborator and I are now building a brand-new 2-day training course.

In recent years, I’ve invested a lot of time in secure design patterns — even attending a fantastic custom training by Sébastien — and I also teach the OWASP Proactive Controls during hackathon-style classes at DHBW University. Pulling all of that together, I realised I could create something new: hands-on, proactive training focused on scale and eliminating entire bug classes, covering the most modern security concepts.

Working in a large-scale environment for the past six years has shaped this perspective. At one point I nearly hit a wall, which forced me to refocus on what truly matters: platform-based security engineering and impact at scale. I’ve helped write secure coding standards before, but standards alone don’t change behaviour — they don’t scale, and they aren’t proactive.

That’s why I believe 2025 is the year of scale (see my article here). Professionals with 5+ years of experience in product security are eager to level up — yet most training out there still caters to beginners. Where’s the training for those who already know the fundamentals, who’ve been coding, pentesting, or building security engineering practices, and want the next level?

That’s exactly what we’re building: a fully hands-on, lab-driven training, shaped by the same energy as my DEFCON workshop, but with the depth that experienced practitioners have been waiting for.

Top Moments That Stuck With Me

  1. Mastering Frontend Security: A Hands-On Workshop to Engineer XSS-Proof Web Applications by Aaron Shim & Mayra Robles. Aaron was such a cool guy! Our workshops had a huge overlap in concepts. His team even worked on the CSP Evaluator, which I referenced myself. Talking with him inspired me to write this LinkedIn post after my first BSidesLV workshop.
  2. Pwn My Ride: Jailbreaking Cars with CarPlay at AppSec Village, by the team from Oligo. A fascinating look at IoT security and the long-term risk of unpatchable devices due to SDK issues.
  3. Airborne: Wormable Zero-Click RCE in AirPlay Protocol at Black Hat – This one grabbed a lot of attention because of the long-term impact, given that IoT devices do not update that often, and also the huge attack surface (near field, Bluetooth, Wi-Fi) of the attack.
  4. Agentic AI Security by my colleagues Andra Lezza and Jeremiah Edwards. Presented at OWASP and AppSec Village, it covered patterns and best practices for securing agentic AI systems.
  5. Orion – Fuzzing Workflow Automation on DEFCON Track 2, by Marius. Orion is an AI-driven system that automates fuzzing workflows by integrating LLM agents with existing tools. Feedback loops with non-LLM tools make it faster, more reliable, and scalable.
  6. One of the coolest moments of the week was bumping (again) into Fabian / LiveOverflow. I told him that, before my workshop, I actually re-watched his old video on mXSS just to refresh my memory. Usually, browser security features are opt-in to avoid breaking the web. But this time, the spec has been updated, closing the door on those sneaky mXSS cases. What a coincidence that Fabian made that video years ago, and now it’s suddenly front and centre again.
  7. We also caught up with Golo at the Malware Village and we had a fantastic time — great talks, great people, and the kind of community energy that makes Hacker Summer Camp so special.
  8. Another highlight was meeting Johany at the La Villa Village — I even got a fantastic badge that took me right back to Buenos Aires / Ekoparty, where we first met a couple of years ago.

The Buzzword This Year: Scale

As always, the conferences came with plenty of vendors. I don’t want to advertise anyone, but one thing stood out: almost all of them are now focusing on scale (or runtime).

  • ASPM → Big shift to all-in-one platforms. No longer just open-source wrappers, but with their own scan engines.
  • SCA → Reachability analysis is becoming essential — whether static, runtime, or both.
  • DAST → Moving towards centralised management rather than just CI-driven use.
  • SAST → Strong AI-assisted coding vibes.

Resources to Learn

Several people asked for my slides and additional resources. Since concepts like sec-fetch and Trusted Types are new for many, here are a few starting points – but of course, feel free to use the GitHub repo, which covers those topics with hands-on challenges.
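To make the sec-fetch and Trusted Types concepts mentioned here (and the CSP v3 / Reporting API features listed earlier) concrete, here is an added example that is not from the post or the workshop repo: a server-side Fetch Metadata "resource isolation policy" plus the response headers that enforce a nonce-based CSP with Trusted Types and route violations to a reporting endpoint. The plain `{ method, headers }` request shape and the placeholder report URL are assumptions, not any framework's API.

```javascript
// Added example, not code from the post: a Fetch Metadata (Sec-Fetch-*)
// resource isolation policy for the server side, plus CSP v3 / Trusted Types /
// Reporting API headers. Requests are { method, headers } with lower-cased names.

const ALLOWED_SITES = new Set(['same-origin', 'same-site', 'none']);
const BLOCKED_NAV_DESTS = new Set(['object', 'embed']);

// Returns true if the request should be served; false means reject (e.g. 403).
// Sec-Fetch-* are set by the browser and cannot be forged by page script.
function isRequestAllowed(req) {
  const h = req.headers;
  const site = h['sec-fetch-site'];
  if (site === undefined) return true; // no Fetch Metadata: fail open, log it
  if (ALLOWED_SITES.has(site)) return true; // same-origin/same-site/browser UI
  // Cross-site top-level GET navigations (links into the app) still work,
  // except embedding via <object>/<embed>.
  if (h['sec-fetch-mode'] === 'navigate' && req.method === 'GET' &&
      !BLOCKED_NAV_DESTS.has(h['sec-fetch-dest'])) return true;
  return false; // cross-site fetch/XHR, <img>, <script>, <iframe>, POST navs
}

// Nonce-based CSP v3 that also enforces Trusted Types on script sinks and
// sends violations to a Reporting API endpoint (placeholder URL, assumed).
function securityHeaders(nonce, reportUrl = 'https://example.invalid/csp') {
  const csp = [
    `script-src 'nonce-${nonce}' 'strict-dynamic'`, "object-src 'none'",
    "base-uri 'none'", "require-trusted-types-for 'script'",
    'trusted-types default', 'report-to csp-endpoint',
  ].join('; ');
  return { 'Reporting-Endpoints': `csp-endpoint="${reportUrl}"`,
           'Content-Security-Policy': csp };
}

// Constructed sample requests, labelled as a browser would label them.
function evaluateSamples() {
  const req = (method, site, mode, dest) => ({ method,
    headers: { 'sec-fetch-site': site, 'sec-fetch-mode': mode, 'sec-fetch-dest': dest } });
  return {
    sameOriginXhr: isRequestAllowed(req('GET', 'same-origin', 'cors', 'empty')),
    crossSiteLink: isRequestAllowed(req('GET', 'cross-site', 'navigate', 'document')),
    crossSiteImage: isRequestAllowed(req('GET', 'cross-site', 'no-cors', 'image')),
    crossSiteFormPost: isRequestAllowed(req('POST', 'cross-site', 'navigate', 'document')),
    crossSiteEmbed: isRequestAllowed(req('GET', 'cross-site', 'navigate', 'embed')),
    legacyBrowser: isRequestAllowed({ method: 'GET', headers: {} }),
  };
}
```

Run `isRequestAllowed` before any application logic so cross-site embeds, image loads and form posts are refused up front, while the CSP header turns every DOM XSS sink into a Trusted Types violation that shows up at the reporting endpoint.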

How to Stay in the Loop

I mostly post on LinkedIn rather than other platforms. If you’d like to follow my articles, please connect with me there: https://www.linkedin.com/in/javan-rasokat/


AppSecVillage @ DEF CON 33
