Track 1

Philippa Carnelley (She/Her)

Track Host for track 1

UX Designer at Flybe

Philippa is part of the Digital Exeter organising team, and works closely with TechExeter in putting on tech + digital events across the region.


Philippa is a design thinker and creative problem solver. As UX designer at Flybe she focuses on creating visually stimulating user centric interactions through clever design solutions. Experienced at working within several software and digital environments, her keen eye for detail and interest in user behaviour makes UX design the perfect fit.

As host and organiser of Digital Exeter alongside Sarah Marks, Philippa expands her knowledge to build a digital community that is diverse, inclusive and exciting. Her goal for the next year is to create a stronger network, inside and outside of Digital Exeter, through collaboration workshops and skill sharing. Stay tuned!

Andi Hudson (He/Him)

Keynote Presentation, 30 minutes / Track 1 / 09.30

Cloud Security Architecture Lead at IBM Security

HEADCOUNT: ___ (M) ___ (F)

How do you secure a cloud?

What is the cloud, how do you secure it and what happens if it blows away?
As we’ve moved to the cloud, what has changed?
The misconception is that now people are moving to the cloud, security is no longer their responsibility - wrong!

This talk demonstrates the shared responsibility between clients and cloud providers, with some interesting facts and war stories along the way.

Session takeaways

  • Learn about cloud security
  • Help make security everyone's responsibility
  • Have fun!


20 years in industry with >30 years of tech experience, Andi leads a team of growing cloud security architects at IBM. Passionate about ethics, neural diversity and technology, Andi loves supporting the InfoSec community by helping to build a better brighter tomorrow!

Caroline Clark (She/Her)

Talk, 30 minutes / Track 1 / 10.00

Operations Director at KETS Quantum Security

HEADCOUNT: ___ (M) ___ (F)

Quantum Communications

Quantum Technologies are moving out of the lab and into the big wide world.

I’ll discuss the UK investment in quantum tech and how it is now moving from a laboratory environment in academia via a growing community of startups and spin outs - particularly in the South West. I’ll also touch on our own journey as a young quantum communications company and the challenges we currently face.

Session takeaways

  • A basic understanding of quantum comms
  • The threat posed by quantum computers
  • What's happening in the UK on this

Vicky Hunter (She/Her)

Talk, 30 minutes / Track 1 / 10.30

Entrepreneur Engagement Manager at Tech Nation

HEADCOUNT: ___ (M) ___ (F)

How to Hack the Tech Ecosystem

Starting your own company can be daunting; however, there is a lot of support out there.

This talk will highlight some great resources for founders and help them navigate the increasingly busy world of support for startups and scaling businesses.

Session takeaways

  • Awareness of what support is available locally, regionally and nationally
  • A better understanding of what support Tech Nation offers.


Vicky started her career at the heart of London's growing tech scene, running events and making connections from the Central Working Cafe in Google Campus. She joined 3beards to further support the tech startup ecosystem through a portfolio of different events, content and Unicorn Hunt, a transparent jobs board for roles within tech, which was sold in 2017.

After two years of freelancing and travelling, Vicky moved to Bristol and joined Tech Nation as their Entrepreneur Engagement Manager for the South West where she is now on a mission to know everything and everyone in tech.

11.00 Break

Alasdair Allan

Talk, 45 minutes / Track 1 / 11.30

Consultant at Babilim Light Industries

HEADCOUNT: ___ (M) ___ (F)

The Demise of Big Data — Making Intelligent Insights at the Edge

The current age where privacy is no longer “a social norm” may not long survive the coming of the Internet of Things. Big data is all very well when it is harvested quietly, silently, and stealthily behind the scenes. To a lot of people, the digital Internet still isn’t as real as the outside world. But it’s going to be a different matter altogether when your things tattle on you behind your back.

The recent scandals and hearings around the misuse of data harvested from social networks have surfaced long standing problems around data privacy and misuse, while the GDPR in Europe has tightened restrictions around data sharing. However the new generation of embedded devices, and the arrival of the Internet of Things, may cause the demise of large scale data harvesting entirely.

In its place smart devices will allow us to process data at the edge, making use of machine learning to interpret the most flexible sensor we have, the camera. Interpreting camera data in real-time, and abstracting it to signal rather than imagery, will allow us to extract insights from the data without storing potentially privacy and GDPR infringing data.

While social media data feeds provide ‘views’, lots of signal, they provide few insights. Processing imagery using machine learning models at the edge, on potentially non-networked enabled embedded devices, will allow us to feed back into the environment in real time closing the loop without the large scale data harvesting that has become so prevalent. In the end we never wanted the data anyway, we wanted the actions that the data could generate. Insights into our environment are more useful than write-only data collected and stored for a rainy day.

Session takeaways

  • How machine learning on device allows processing of data and decision making in real time without reference to the cloud
  • Implications for current business models built around large scale data harvesting
  • Some ideas around the legal, ethical, and privacy implications of the technology


Alasdair Allan is a scientist, author, hacker, maker, and journalist. An expert on the Internet of Things and sensor systems, he’s famous for hacking hotel radios, deploying a 500-node mesh sensor network at Google I/O, and for revealing, back in 2011, that Apple’s iPhone was tracking user location constantly. He has written eleven books, and writes regularly for and other outlets. A former astronomer, he also built a peer-to-peer autonomous telescope network that detected what was, at the time, the most distant object ever discovered.

Peter Jones

Talk, 45 minutes / Track 1 / 12.15

Senior Information Security Consultant at 3B Data Security

HEADCOUNT: ___ (M) ___ (F)

Practical Digital Forensics when everything is ablaze

When everything is going wrong, you want to get everything fixed as soon as possible. Think about investing time into full preventative messages by engaging in a digital forensic process. Get an understanding of what digital forensics involves and how it can improve how your organisation handles incidents.

Session takeaways

  • Understanding of digital forensics
  • How to efficiently respond to incidents
  • Highlights on criminal investigations


Cyber Security and Digital Forensics professional for over 10 years including auditing, forensic investigations and incident response. Co-Founder of the South West Cyber Security Cluster and the owner of a number of businesses. Qualified university lecturer and author of a number of accredited cyber security courses.

13.00 Lunch

Janet Bastiman (She/Her)

Talk, 45 minutes / Track 1 / 14.00

Chief Science Officer at Storystream, MMC Ventures

HEADCOUNT: ___ (M) ___ (F)

Reject the evidence of your eyes and ears

The pace of advancement in AI has never been higher. Recent steps forward in image and video generation have the power for both good and bad. Fakes used to be an incredible amount of effort, and required high levels of skill but are now easy enough for anyone with a computer to create.

It will soon become impossible to tell whether what you are seeing is real or fake. What are the implications for news agencies being fooled, or for law enforcement?

I’ll show you how these fakes can be created and what hope we have for distinguishing truth from fiction in our digital future.

Session takeaways

  • Understanding of generative adversarial networks - what they are, how they work and how to create one
  • Implications of fake evidence in a world where this technology is freely available
  • A healthy cynicism of pictures, video and audio presented by any form of media!


Janet heads up the Artificial Intelligence division at StoryStream and is an AI Venture Partner at investment firm MMC Ventures. As an experienced C-level professional, she helps start-up companies build their AI strategy to saleable products. Janet regularly speaks and writes on technical subjects.

Dan Wiseman

Talk, 45 minutes / Track 1 / 14.45

Company Director at Web Wise Media

HEADCOUNT: ___ (M) ___ (F)

Is WordPress a secure platform?

Due to sickness, this talk replaces Daniel G Cabrero’s “Personas & Anti-Personas for Hacking & Anti-Hacking” talk.

Being the most popular website platform on the planet, WordPress has got a lot going for it. That doesn’t mean that it isn’t prone to hacking and other malicious attacks. This talk looks at some of the simple mistakes to avoid to ensure you keep WordPress as safe as possible.

Session takeaways

  • An overview of the WordPress platform and why it is so popular.
  • How to minimise your chance of getting hacked.
  • General tips for making the most of your website


I am the founder of multiple businesses including Web Wise Media: a web design & marketing agency based in Exeter and London. I provide coaching for new businesses and entrepreneurs and support for digital strategy, professional development and SME growth. Outside of Web Wise Media, my experience includes: founder of an immersive experience company, founder of a video games blog, investor, web developer, video game designer and developer, entrepreneur, property developer, theatre technician, stage manager and lighting operator.

15.30 Break

Guy Buesnel

Talk, 30 minutes / Track 1 / 16.00

PNT Security Technologist at Spirent

HEADCOUNT: ___ (M) ___ (F)

Trust but Verify - When GPS can go wrong

This talk will be a somewhat expanded version of the 2018 lightning talk that was given at a Tech Exeter meet up evening - it will provide a short overview of GPS along with an introduction to its vulnerabilities.

Following this, a series of real-world incidents will be presented along with the known impacts on user systems. Incidents will include known GPS jamming and spoofing incidents as well as segment errors and the week number roll over issue that has already caused some disruption to systems in April 2019.

The presentation will also highlight the importance of putting into place an effective risk mitigation strategy and how to use it to provide cost effective risk mitigation against some of the threat vectors.

Session takeaways

  • An appreciation of how space based navigation systems like GPS work
  • Knowledge of the specific vulnerabilities associated with GPS
  • How to start conducting a risk assessment of GPS Dependent devices and systems


Guy has more than 19 years’ experience working on protecting GNSS Receivers from emerging threats, having started his career as a Systems Engineer involved in the development of GPS Adaptive Antenna Systems for Military Users. Guy is Spirent’s specialist technologist on PNT threats and mitigation. Guy holds a BSc Honours degree in Physics with Atmospheric Physics and a Master’s Degree in Communications Engineering. Guy is a Chartered Physicist and a Fellow of the Royal Institute of Navigation.

17.00 Closing Ceremony / Prizegiving

17.30 Group Photo

Track 2

Tamsin Hodge (She/Her)

Track Host for track 2

Product Owner and STEM Ambassador team lead at UK Hydrographic Office

We’re proud to have Tamsin return to the conference, not as a speaker this time but a track host, looking after the HACK track.


My journey into a digital career has evolved from my love of science, nature, working with people and having an inquisitive mind keen to learn new things.

After leaving university with a degree in Biochemistry and an aspiration to move into scientific and technical writing I worked as a journalist, and then as a News Editor running a news desk of teams of reporters and photographers, on weekly and daily newspapers in the regional press in the South West of England for a little over 10 years. At the same time I ran a series of successful fundraising campaigns in collaboration with charities and our local community for much needed outreach cancer care nurses to support the terminally ill and mobile Life Education classrooms for children aged 5 – 10 to learn about sex education, drugs and alcohol in a responsible way to help them prepare for adult life.

I moved on from journalism into a marketing and product focussed role to gain more experience of running campaigns, managing customers and portfolios of products, organising conferences and creating digital services, and studied part-time to gain a post graduate degree in marketing with the Chartered Institute of Marketing.

From here I joined the UK Hydrographic Office in Taunton, initially working in the Corporate Communications department before taking on various roles in developing and delivering digital products and services to market. I’ve been at the UK Hydrographic Office for 11 years now and I’ve had the opportunity to grow my experience and evolve my career over that time, which is how I ended up in the Product Owner role I have today.

My role is part of a team working with digital tools and technologies to create services to gather, process, store and serve up marine data from all over the world so it can be used to help people manage, live and work within the marine environment. The data we work with is geospatial, which means it’s three dimensional to capture the geographical location (north, south, east, west) and vertical depth and height of information about the world’s oceans, tides, marine life, coastlines and manmade structures such as offshore wind turbines and fish farms.

More details about my digital, technology and STEM journey are in this Blog here, which I was asked to write as part of a global campaign run by Geeky Girl Reality to profile inspirational female role models working in STEM careers:

Achim Brucker

Talk, 45 minutes / Track 2 / 10.00

Professor in Cybersecurity / Software Security Expert at University of Exeter

HEADCOUNT: ___ (M) ___ (F)

Hacking (Not So) Smart Things 101

More and more devices of our daily life are "smart" ranging from smart light bulbs to smart TVs to smart fridges -- everything can, and most likely will be, in the future connected to the Internet. More and more people are already used to remotely controlling their heating at home using their smart phone.

In this talk, we will, using smart home automation as an example, explain simple techniques for hacking (not so) smart devices.

(If the demo gods are friendly, the session will include some live hacking)

Session takeaways

  • understand the amount of systems that power a small smart device
  • understand basic hacking techniques for smart devices
  • understand several security flaws that occur in IoT devices


Achim D. Brucker is a Professor (Chair in Cybersecurity) at the University of Exeter, UK. Prior to that, he was a Senior Lecturer at the Computer Science Department of The University of Sheffield, UK.

He leads the research in software assurance and security. Until December 2015, he was the global Security Testing Strategist at SAP SE, where, among others, he defined and implemented the security testing strategy for over 27000 developers world-wide. SAP's risk-based security testing strategy combines static, dynamic, and interactive security testing methods and integrates them deeply into SAP's Secure Software Development Life Cycle. He also was involved in the security checks for SAP's outbound and inbound Open Source process.


11.00 Break

Sam Vine (He/Him)

Talk, 30 minutes / Track 2 / 11.30

Associate Professor Psychology at University of Exeter

HEADCOUNT: ___ (M) ___ (F)

Futures made of virtual reality - Hacking VR for learning

The talk will describe and discuss our research and work relating to the use of VR training for high risk and safety critical industries.

A particular focus will be the use of VR for hazard perception and threat detection in the Nuclear and Police industries. We will describe the entire process from developing the VR environment using psychological theory, to testing and validating it using human physiological measures.

Session takeaways

  • An understanding of how psychological science can be used to design and test VR training tools
  • An understanding of how these tools are used in threat detection training (police, nuclear, oil)


I am a Psychologist, with a broad range of interests in the area of skill learning, expertise and performance under pressure. I am particularly interested in how visual attention and other physiological processes mediate motor skill and decision making performance.

I apply my research to a range of different domains (e.g., sport, surgery, military, and aviation) and populations (e.g., children, elite performers and patient groups).

I am interested in eye tracking and virtual reality technology.

Gavin Buckingham (He/Him)

Talk, 30 minutes + hands on session / Track 2 / 12.00

Senior lecturer at University of Exeter

HEADCOUNT: ___ (M) ___ (F)

Hacking human perception - illusions and virtual reality

In this session, I will highlight how our brain scaffolds our perception of the world around us, with a particular focus on how our experience of objects' properties can be readily manipulated. I'll describe my research on weight illusions, including recent work I have undertaken using immersive virtual reality to make objects feel heavier or lighter than they actually are.

Finally, I'll lay out a roadmap for how it is a better understanding of human perception, rather than advances in computing hardware, which will be key to the next generation of immersive technologies.

Session takeaways

  • Experience perceptual illusions
  • Gain insight into how psychology can drive technology development
  • See how scientists use VR to conduct research


I received my PhD in psychology from the University of Aberdeen in 2008, after which time I moved to Canada to work as a postdoctoral fellow at the Brain and Mind Institute at Western University. During this time, I began to study human visual and haptic perception, with a particular focus on our experience of how heavy things feel when we interact with them.

I moved to the University of Exeter in 2016, and am currently a senior lecturer in the Department of Sport and Health Sciences.

13.00 Lunch

Pete Woodward

Talk, 30 minutes / Track 2 / 14.00

Co-founder & CTO at Securious

HEADCOUNT: ___ (M) ___ (F)

The anatomy of a payment card breach

Far too many businesses are unaware that it is mandatory to comply with the Payment Card Industry Data Security Standard (PCI DSS) if they accept credit card payments. This is a huge blind-spot and it is putting businesses in the South West at risk of attack. Many organisations are under the misguided belief that using PCI compliant payment providers such as Sagepay, Stripe or Worldpay confers PCI compliance on their business.

Businesses failing to comply with PCI DSS are at risk of large fines, and the very real prospect of an inability to trade, should payment providers terminate their service due to non-compliance, or more seriously, experience a card breach.

In this discussion Pete will look at some examples of how some recent breaches have happened and what simple controls could have been put in place to prevent them.

Session takeaways

  • High level understanding of payment card data (PCI) data security standard.
  • Common attack vectors for Ecommerce sites
  • Advice on securing Ecommerce sites


Pete comes from a military background, and has worked on security projects in the public and private sectors. His experience is backed up with leading security and network accreditations, such as PCI QSA, CISSP, CEH, along with TOGAF v9 certification.

Pete cemented his passion for cyber security and co-founded the South West Cyber Security Cluster with the vision to establish a ‘Centre for Cyber Excellence’ in the South West.

Roz Woodward (She/Her)

Talk, 30 minutes / Track 2 / 14.30

Co-founder & CEO at Securious

HEADCOUNT: ___ (M) ___ (F)

Why we need diversity in cyber security - for everyone’s sake!

There is a real and present skills shortage in the cyber security industry. Currently, there are some amazing young people undertaking computer science and information security degrees, but when they enter the workforce they still lack the business insight that comes with experience. They also tend, very generally, towards a certain demographic (approximately only one in five, for example, are women), and most are very young.

Bringing these young people into the sector is great and should be encouraged, but it is also a problem in several ways: we already have a skills shortage and the failure to widen the net is giving us a reduced pool of potential candidates. We also end up with people whose experience of life and the world is very similar.

In this session, we will explore how threats are better mitigated when you have people from a range of ages and backgrounds looking out for them. We will also consider how we can encourage more people into the industry, especially those who currently might feel it is not for them. In particular, we will look at some of the most valuable transferable skills that we should be looking out for.

Session takeaways

  • Understanding of the recruitment challenge in cyber security
  • Insight into how we are missing a huge opportunity through lack of diversity
  • Ideas on how to encourage people with transferable skills into the sector


Roz Woodward is CEO and co-founder of Securious, the South West’s leading cyber security company. She is an experienced professional who is passionate about cyber security and is on a mission to raise awareness and help organisations mitigate their cyber security risks. She is especially keen on helping translate technical issues in a non-technical way.

Roz is a founding light in the South West Cyber Security Cluster and liaises regularly with the police and other authorities on the latest cyber security issues affecting businesses.

Roz is a qualified accountant and has considerable experience working within organisations at senior management and board level, and as an ISO 27001 Lead Implementer and GDPR practitioner, understands the value of sensitive data and the importance of securing systems and developing strong policies and procedures.

Roz is a keen runner, having completed several marathons and numerous half marathons, and enjoys muddy trail runs with their dogs.

Geoff Revill (He/Him)

Talk, 30 minutes / Track 2 / 15.00

Tech entrepreneur at Krowdthink Ltd

HEADCOUNT: ___ (M) ___ (F)

Building an unhackable social platform

Sounds implausible? Not quite.

Sure, any system can be taken down, the key question is whether personal data is lost. Article 25 of the GDPR demands we build platforms while seeking to minimize personal data use. If you decide to make data minimization your point of innovation, you can, amazingly, build a social platform with almost zero personal data (in our case study, 5 maximum!)

In this paper we will discuss how to build valuable functions without collating personal data. We will discuss what Mozilla calls ‘lean data’ systems and how to build them, thereby making your system cybersecure by design, and beneficially also being easy to slip through the quagmire of GDPR regulations.

Session takeaways

  • Guidance on reducing cyber security risk
  • Help making it easy to build GDPR ready apps and platforms
  • Ideas on how to innovate a safer internet


Geoff has 35+ years tech experience at every level, from programmer, system designer and architect thru to product management and marketing of high tech innovations. He also has a high degree of understanding of the tightening regulatory environment and how to work within it yet keep innovating cyber-securely.

15.30 Break

Nicola Whiting (She/Her)

Talk, 45 minutes / Track 2 / 16.00

Chief Strategy Officer at Titania Group

HEADCOUNT: ___ (M) ___ (F)

A.I. Diversity, Discrimination and Nation State Defence

With an increasing skills gap, a wave of autonomous attacks and increases in cyber crime - police, military, governments and global enterprises are asking industry to deliver “self-developing governance and defence systems”. Nicola Whiting discusses A.I.’s failures, whether we risk a ‘rise of the machines’ style “Judgement Day” and what is needed to transform the A.I. industry and the future of autonomous enterprise security. She will inspire delegates to champion ‘accuracy in automation’ in their own business/organisation, to finally.

Learning Outcomes:

  • Learn why artificial intelligence is the only viable way to address the cyber arms race that our industry is currently ill equipped to deal with.
  • Know what, as an industry, we must learn from past AI failings when choosing/developing the self-defending networks of the future.
  • Discover the technology ecosystem that enterprises/nations will need to develop resilient, dependable self-healing networks.
  • Understand why collaboration is key to evolving from current ‘go-to’ tools (and their accompanying alert fatigue) – to solutions that deliver reliable A.I. driven defence.
  • Be inspired to champion ‘accuracy in automation’ in your own business/organisation and pave the way for trusted autonomous mitigation solutions that will transform your enterprise security.

Session takeaways

  • Understand A.I. bias risks (data & human)
  • Understand need to increase A.I. Industry Diversity (wider views & more ideas)
  • See how to validate A.I. decision processes + data types/integrity


Nicola Whiting is Chief Strategy Officer and co-owner of Titania Group. She is also an Amazon best-selling author and is listed in SC Magazine’s Top 20 most influential women working in cyber security.

In 2019 she was honoured to receive the UK’s inaugural “National Cyber Citizen Award” for her “outstanding contribution to the world of cyber security and protection” and AFCEA International’s prestigious “Sparky Baird Award” for her thought provoking pieces on A.I. and Autonomous Weapons.

Neurodiverse, she advocates for diversity in all forms, believing it will lead to broader and ultimately better solutions to our most pressing issues – in cyber security, business, and in life.

17.00 Closing Ceremony / Prizegiving

17.30 Group Photo

Track 3

Lucy Knight (She/Her)

Track Host for track 3

Lead Data Scientist at Food Standards Agency

We’re proud to have Lucy return to the conference, not as a speaker this time but a track host, looking after the DEVELOP track.


Lucy is Lead Data Scientist at the Food Standards Agency, and cofounder of the Open Data Institute node ODI Devon and tech start-up The Data Pace.

She worked first in fine arts and then in opto-electronics manufacturing, where she developed an interest in data analysis and information management, moving into public sector performance and policy management in 2001. She held various roles at Devon County Council, including Open Data Lead, before moving to the Civil Service in 2018 to take on her current post.

Building on her experience of working at the extreme ends of the technical/creative spectrum, she advocates for better communication between technical and non-technical groups and the importance of making technological advances both useful and accessible. Lucy is a regular facilitator and speaker at open data and transformation events, conferences and unconferences across the country.

Seb Coles (They/Them)

Talk, 45 minutes / Track 3 / 10.00

Expert Software Engineer at UK Hydrographic Office

HEADCOUNT: ___ (M) ___ (F)

Developer Threat Modelling

There isn’t a single vulnerability in the OWASP top ten that couldn’t have been avoided with a conversation. A simple conversation to discuss what could go wrong with the piece of work that a team was about to undertake, what to spot in the code review and what the tester could have done to validate the control. So, before we start talking about static analysis tools, automated fuzzing, scanning, penetration testing and various other tooling – can I ask, are you even having the conversation yet?

In this talk I will share my experiences at the UK Hydrographic Office, where I work with a variety of agile teams to promote secure development practices. I will share with you DTM (Developer Threat Modelling) which is a developer-centric and fast form of threat modelling. I believe through a process of setting expectations, developer focused threat modelling, driving out useful security criteria, code review guidance and abuse cases we can enable efficient collaborative security conversations.

Zero gimmicks, no Lego, and not only can we help teams reduce the number of security threats that get into master, but we can do it for free and for a fraction of the time.

Session takeaways

  • You will learn a lightweight process for encouraging continuous security conversations within software teams
  • You will get to hear about my mistakes (so you can avoid them) and what went well (so you can try them)
  • Advice on how to lobby stakeholders to take security seriously


My name is Seb Coles, I’m an expert engineer at the hydrographic office where I specialise in application security. I care about anything that prevents vulnerabilities from getting into products such as threat modelling, secure coding, pen test skills, SAST/DAST tooling and conversations. I also work as part of a delivery team building geospatial products using .NET/JS & Python.

11.00 Break

Jon Stace (He/Him)

Talk, 30 minutes / Track 3 / 11.30

Director of Technology at Software Solved Ltd

HEADCOUNT: ___ (M) ___ (F)

Using the Web Cryptography API in PWAs/SPAs

With the advent of good support for implementing apps using web standards, we’re now in the position to deliver quality user experiences that work in the browser both on and offline. This inevitably leads to storing data locally in the browser, which means that we need to think about how to protect that data while it is stored offline.

This is where the Web Cryptography API comes in.

I’ll cover:

  • what this API is capable of, along with levels of browser support
  • why this API is a better approach than the various pure JavaScript encryption libraries available
  • how to work with it to secure your data
  • the thorny issue of key management

Session takeaways

  • An appreciation of the challenges around protecting data in PWA/SPA
  • An understanding of how to use the WebCryptoAPI
  • Some strategies for managing key information


Jon has been working in software development for over 20 years. In that time he has worked in a number of industries including insurance, retail, and not-for-profit. He has always been fascinated by computers and this interest developed from an early age, starting with learning Basic for the ZX Spectrum.

Jon is co-organiser of the Exeter .NET meetup.

Cariad Eccleston (She/Her)

Talk, 30 minutes / Track 3 / 12.00

Indie author

HEADCOUNT: ___ (M) ___ (F)

Strong, secure & human-free database credentials in Amazon Web Services

When you need to create a username and password for a new database, what do you do? Use the same credentials every time? Use a password manager?

What if you’re deploying infrastructure-as-code? Do you ask a trusted human to remember the credentials? Do you keep the details in a shared notebook, or in source control?

What’s the worst that could happen, right?

I’ll show you how to script the creation, encryption and storage of secrets in AWS. No human needs to see that password, know that password, or type in that password. Only the code that needs access will be granted access.

Session takeaways

  • Introduction to some AWS technologies, including Access and Identity Management, Key Management and Secrets Management.
  • Introduction to infrastructure-as-code via Golang, and infrastructure-as-a-service via lambda functions.
  • Ideas for securely deploying databases and managing database access in Amazon Web Services.


Cariad was a Software Team Lead for the best DevOps squad in Thomson Reuters, but the allure of independence was irresistible; now she’s a freelance writer, coder-for-hire, blogger at and and soon-to-be indie author.

She loves science fiction, infrastructure-as-code and wondering where her next paycheque will come from.

Adam Langley

Talk, 30 minutes / Track 3 / 12.30

Consultant / Web Developer & Ethical Hacker at Umbrella Systems / Hacker House Ltd

The dangers of user input

As soon as you start to receive user input you’re in danger of various attacks. Whether it’s cross site scripting, injection, server side request forgery, local file includes, cross site request forgery or another attack vector entirely. My talk will show what can go wrong and methods to protect yourself.

Session takeaways

  • An understanding of how a hacker can exploit a web application.
  • The ramifications of getting hacked.
  • How to try and protect yourself as a web developer.


I’m a web developer and also an Ethical Hacker specialising in Web App security. I run my own consulting company and also work for a security company called Hacker House which provides pen tests and cyber security training. I’ve recently been building CTF competitions and have plans to start a training course which teaches web developers about cybersecurity.

13.00 Lunch

Olly Stephens (He/Him)

Talk, 45 minutes / Track 3 / 14.00

DevSecOps Architect at Adarga

Policy as code - why you should, how you can

All organizations have policies. Policies are essential to the long-term success of organizations because they encode important knowledge about how to comply with legal or security requirements, work within technical constraints, avoid repeating mistakes, and so on.

And more and more these days, organizations are codifying all of their infrastructure. The mantra is “everything as code”. So why would you leave your policies languishing on a wiki page or in a Word document?

This talk will take a look at Open Policy Agent - a toolset for writing policies in code that’s being incubated by CNCF, and is already integrated into a number of different areas. It will focus on using OPA-based tooling to check conformity of configuration files. As we move to a world where all of our infrastructure is defined declaratively and applied automatically, whilst development, security and operational roles are merged, the ability to enforce policy becomes more important.

We’ll also look at some of the other benefits of this approach, such as the ability to write unit tests for your policies.

Session takeaways

  • An introduction to policy as code, OPA and the "Rego" language.
  • Practical examples of using these to ensure infrastructure configuration (specifically Terraform and Kubernetes manifests) conform to policies.


Olly started his career as an EDA software engineer, writing RTL and gate-level simulators, then joined ARM in 1999 to focus on engineering productivity. Whilst there he was responsible for the overall architecture of their engineering platform, as well as leading exploration into future innovations/evolutions such as cloud-based engineering, big data workflows, and infrastructure as code.

Olly joined Adarga in December 2018, to lead the devsecops practice and continue his work on robust cloud-native highly performant architectures. He has a particular interest in all forms of workflow orchestration, as well as a general interest in data-driven storytelling.

Tom Mason (He/Him)

Talk, 45 minutes / Track 3 / 14.45

Director of Programming (CTO) at Nexus Mods

Securing docker containers

Containerisation, particularly docker, has gained massive traction over the last few years - over 40% of large production deployments are using docker, and over half of those are using orchestration.

Containerisation in production offers many benefits - speedy deployments, easy rollbacks, great compatibility, maintainability and good integration with testing and deployment tools - but security is often an afterthought.

In this talk we’ll go through some methods to reduce your exposure to security issues running containers in production.

15.30 Break

Matthew Huxtable (He/Him)

Talk, 45 minutes / Track 3 / 16.00

Site Reliability Engineer at Sparx

The forgotten musketeer - availability is a security concern too!

In today’s digital world, data is the new currency. We invest significant effort in safeguarding and protecting our customers’ data, yet all too often fail to fully consider the other fundamental pillar of information security: availability. The uptime of our systems is no longer the sole remit of engineers; organisations add value through the provision of always-on technology platforms, and rapidly fall into obsolescence when such systems are unavailable.

Risks to our system availability abound throughout the development lifecycle, and often originate from unexpected sources. We protect against malicious third-party actors despite the significant risk associated with increasingly sophisticated software systems to which our developers deploy changes multiple times per day.

Originally pioneered at Google, Site Reliability Engineering is the discipline which automates processes and builds systems to ensure a pragmatic approach to this risk in the development cycle. We know systems fail in spite of human effort, not because of it, so we continually optimise and refine the boring parts to promote a pragmatic approach to risk throughout the development cycle.

In this talk, I will share my experience implementing SRE in a small organisation to promote availability, discuss the theoretical properties of reliability engineering, and provide practical guidance on building systems which cope well with continual change.

Session takeaways

  • An understanding of the principles of Site Reliability Engineering, its suitability as a modern approach to operations (and not just by technology/development companies!), and practical steps for its implementation
  • I'll answer the question "Why is production more broken than we think?", briefly consider external cyber threats (although these are well-covered elsewhere), and address fundamental fallacies with many approaches to system/software quality assurance/testing
  • Provide practical steps for discussing and promoting availability as a first-class concern with technology leads, product owners, and other key decision makers to ensure it receives the visibility it requires to allow strategy to be set and risks understood.

17.00 Closing Ceremony / Prizegiving

17.30 Group Photo