| Apr 2025 | BSidesSF 2025 | Secure Design, UX Dragons, Vuln Dungeon |
| Oct 2018 | DevSecCon London 2018 | Building Effective DevSecOps Teams Through Role-Playing Games (video) |
| Oct 2018 | (ISC)2 Security Congress | DevOps Is Automation, DevSecOps Is People |
| Oct 2018 | STAR West Software Testing Conference | Measuring and Maximizing Crowdsourced Vuln Discovery |
| Feb 2018 | DevSecCon Singapore | Measuring and Maximizing Vuln Discovery Efforts |
| Jan 2018 | OWASP AppSec Cali 2018 | DevOps Is Automation, DevSecOps Is People (video) |
| Oct 2017 | DevSecCon London | The Flaws in Hordes, the Security in Crowds |
| Sep 2017 | (ISC)2 Security Congress | Crowdsourced Security: The Good, the Bad, and the Ugly |
| Jun 2017 | RVAsec 2017 | Managing Crowdsourced Security Testing (video) |
| May 2017 | AppSec EU 2017 | The Flaws in Hordes, the Security in Crowds (video) |
| Apr 2017 | SOURCE Boston 2017 | Crowdsourced Security -- The Good, the Bad, and the Ugly |
| Nov 2016 | ISACA Silicon Valley 2016 | Evolving a Bug Bounty Program |
| Oct 2016 | SOURCE Seattle 2016 | Evolving a Bug Bounty Program (preview on Brakeing Security podcast) |
| Oct 2015 | SOURCE Seattle 2015 | Battling the Geologic Timescale of SAST |
| Jul 2014 | RSA APJ 2014 | CDS-W07 - Building and Breaking Privacy Barriers |
| Feb 2014 | RSA USA 2014 | DSP-R04A - Is your browser a User Agent, or a Double Agent? |
| Oct 2013 | Hack in the Box Kuala Lumpur | CSRF Lab & Session Origin Security |
| Sep 2013 | Hacker Halted USA | Using HTML5 to Make JavaScript (Mostly) Harmless |
| Jul 2013 | BlackHat USA | Dissecting CSRF Attacks & Countermeasures (co-presented with Vaagn Tukharian) |
| May 2013 | RVAsec 2013 | JavaScript Security & HTML5 (video) |
| Feb 2013 | RSA USA 2013 | ASEC-F41 - Using HTML5 WebSockets Securely |
| Feb 2013 | B-Sides San Francisco 2013 | JavaScript Security & HTML5 |
| Dec 2012 | BayThreat 2012 | WebSockets Unplugged (video, co-presented with Sergey Shekyan and Vaagn Tukharian) |
| Oct 2012 | RSA Europe 2012 | ASEC-303 - Cases of JavaScript Misuse and How to Avoid Them |
| Aug 2012 | BlackHat USA 2012 | Hacking With WebSockets (co-presented with Sergey Shekyan and Vaagn Tukharian) |
| May 2012 | ITWeb Security Summit | HTML5 Unbound: A Security & Privacy Drama (check out the supplemental article, then parts two, three, and four) |
| May 2012 | OWASP/ISSA Bletchley Park | Graveyards & Zombies: How HTML5 Improves Security. Mostly. |
| Oct 2011 | RSA Europe 2011 | ASEC-201 - HTML5 Security Pitfalls |
| Feb 2010 | RSA USA 2010 | SPO1-203 - Does Web 2.0 Need Security 2.0? |
| Jan 2006 | IT Underground, Berlin 2006 | Automating SQL Injection Exploits (slides completed, but conference was canceled) |