We're looking for talks from any practitioner who is responsible for securing a cloud service.
The definition of "practitioner" here is deliberately vague. We're particularly interested in points of view that don't fit obviously into a larger conference.
Practitioner talks might include:
Builders presenting tools they built on behalf of an appsec, infrastructure security, or tools team; with insight into what it takes real-world dev teams to ship and maintain secure software.
Breakers with insight into new attacks against cloud infrastructure and techniques for finding vulnerabilities.
Operators battling attacks every day, who can help others get from "that's weird" to root cause and remediation; with insight on threat intelligence, detection systems, and incident response.
Policy stakeholders who can provide guidance on metrics, education, and compliance; such as how to explain their practices to their SOC auditor, PCI QSA, or regulatory overseers.
In particular, this year the following topics are expected to be particularly interesting:
Security across multiple cloud vendors
Automation and validation
Cloud networking & network monitoring
Security considerations with higher-level services beyond EC2 & Lambda
New attacks, vulnerabilities and threats (but see our responsible disclosure policy)
Data sets from monitoring, scanning or testing
Detection and response
Training traditional engineering and operations teams
What not to submit
All experience levels are welcome, but fwd:cloudsec attendees will typically have some hands-on experience with cloud engineering. Introductory-level talks on broadly-deployed technologies, vendor presentations, or purely theoretical architecture talks are not likely to be accepted.
As a smaller conference, we're particularly looking for talks that spark discussion, challenges and hallways exchanges — not just lectures expected to be taken as gospel.
How to submit
Most talks are expected to be 20-minute lightning talks on a single topic. There are a limited number of 40-minute slots available, so when proposing a 40-minute talk, please be sure to include an agenda that explains how you will use the additional time.
Submissions must include:
Speaker name(s) and contact information
Preferred talk length - 20-minute or 40-minute
Abstract (will be shown on the schedule)
Speaker bio(s), limited to 100 words
A detailed description of the talk: explain what you are presenting, and how you intend to cover the topic. Do you intend to include a demo or release code? Here is a good place to include that information.
Other venues this talk has been presented or submitted
Any special presentation facilities that may be required (aside from power, projector, sound and Internet connectivity)
Any objections to having your talk recorded for future open access
Submit proposals here You will have to register separately on the Conference Management site.
We especially encourage first-time speakers, women and members of other groups less represented at security conferences to present at fwd:cloudsec.
If the submission describes, or otherwise takes advantage of, newly identified vulnerabilities, the authors should disclose these vulnerabilities to the vendors/maintainers of affected software or hardware systems prior to the CFP deadline.
When disclosure is necessary, authors should include a statement within their submission and/or final paper about steps taken to fulfill the goal of disclosure. All major cloud providers have published disclosure addresses, including
AWS (link, email),
Azure (link, email),
Google GCP (link),
and Oracle OCI (link, email).