Speaker

Stephan van Rooij

Microsoft MVP | Software developer | Professional burglar

's-Hertogenbosch, The Netherlands

Software developer by day, burglar by night, doing some security on the side.
I talk about security at events and in trainings. I help companies harden against social engineering and I test physical security. I'm one of the only software developers who actually likes doing the security stuff around it.

My full-time job is developing software and my spare time is spent on building awesome open-source projects like sonos2mqtt and Wintuner.

Area of Expertise

  • Consumer Goods & Services
  • Information & Communications Technology

Topics

  • Federation protocols
  • Application Security
  • Home Automation
  • .NET
  • Microsoft Entra

Take your home automation to the (dot)next level

Home automation in 2026 is mostly done in Home Assistant, which is written in Python. For basic automations you can use the drag-and-drop interface it provides, but what if you want to make really complex automations? Did you know you can use dotnet to properly program those next-level automations? Using the condition of multiple sensors or saving the state of some device at the start of the automation is very hard to do with the built-in automation system.

With over 300 devices around my house, this session is all about automating them with dotnet. We will cover factory-produced sensors and custom-built Wi-Fi controllable devices using ESP32s.

- Using an automation to turn on the central ventilation when certain lights in the house turn on?
- Using an automation to take good care of our dog?
- Combining the outdoor weather station with the weather forecast and an electric water faucet to water the garden?

My complex automations run in a Docker container which is deployed using a GitHub Action.

Warning: Literally everything is automated in my house and this session might trigger you to spend hours and hours tweaking your own home automation.

Think like a hacker in five steps

Everybody knows that you should not plug in a random USB stick, right? With some simple tricks your users might be convinced otherwise. Hacks, data breaches, ransomware. Protecting your company can be hard if you don’t know what you’re looking for. Security starts with just that, and what better way to figure it out than by attempting to hack yourself or your co-workers?

You might have guessed it already; this talk is about hacking in any way possible. We will explore how hackers operate and I’ll show you some of the tools. Is your application really safe, and what should you look for in those applications?

Finally, we will touch upon the most painful “people” hacks. What happens when you’re a good talker? Can you convince users to do exactly those things they are instructed never to do? Can your helpdesk employees be persuaded to reset your password over the phone, or to let someone enter your building because they “forgot” their badge?

Now that we are talking about badges, what about physical security? Have you ever seen someone clone a hotel keycard? One randomly selected audience member will get the chance to try just that with some cheap electronics.

Workcation unlocked using access packages

In this session we will explore 5 very useful ways you can put access packages to work for your security governance.

This will be an introduction to access packages for any organization. We will show you how you can go for maximum security, but still allow for (if approved) workcations. With access packages you can manage the entire approval flow for employees that want something different, without compromising security.

Using access packages to secure access to the management portal of your web app? No problem, this security solution will integrate nicely with the rest of your application landscape.

Opt-in to stronger security combined with access to certain privileged roles? It's all possible with this Entra solution that only requires Entra P2 for the most part.

Mind Games & Malware: Understanding Social Engineering

Your app is secure, your office network is implementing zero-trust and the building is locked. Your technical perimeter is a fortress. But what happens when an attacker doesn't try to hack their way in, but simply asks for the keys? Or pretends to be a contractor?

Despite having the best technical controls possible, the human element remains the most unpredictable and vulnerable variable in cybersecurity. Social engineers exploit trust, urgency, and cognitive biases. These are vulnerabilities that no software patch can fix. If your users are manipulated into bypassing your guardrails, even the best security stack can’t keep the intruders out.

In this highly interactive and humor-filled session, we will dive deep into the psychology of modern social engineering and the tools used by attackers. Through real examples being shown and played out, you will see how easily technical defenses can be ignored altogether by a clever conversation or a convincing pretext.

Who Should Attend:
This session is designed for developers, software engineers, architects, and technical team leads who build secure systems but want to understand how the human element can bypass their code. It is also highly relevant for anyone curious about the intersection of human psychology and technical security.

Uncovering the Magic of Managed Identity: A Deep Dive into Security

Join me for a look under the hood of Entra ID Managed Identities! In this deep dive session, we'll explore what happens behind the scenes and how you can use it to make your applications more secure.

We'll cover a range of topics, including:

- How Managed Identities work and what happens behind the scenes
- The risks of using Managed Identities and how to secure your environment
- Using Managed Identity outside of Azure and in your local development environment
- The relationship between Managed Identities and Federated Credentials
- How GitHub Actions use a similar pattern to authenticate to Azure

Bring your questions, and let's get rid of all those no longer needed application secrets. See you there!

Become a Maester in Microsoft 365 Security

Is your Microsoft tenant secured correctly? Do you know all the right switches to turn and what checkboxes to tick?

What if there was a free tool you could set up to automatically scan your Microsoft tenant configuration and provide you with beautiful, actionable reports on a daily basis?

We will show you how to get started with Maester, and as the actual reports start rolling in, we will fix some of the (intentional) misconfigurations.

Maester is an open-source PowerShell module you can run on (free) GitHub Actions, and if you're not using it just yet, this will be the perfect session to get you started.

Protect your API with Entra - from zero security to security hero

Security should be a top priority in any application these days. In this interactive demonstration I'll show you how to go from an API without security to an API that is secured with Microsoft Entra ID.

Join this session so you never have to worry about the security of your API ever again.

- Protecting the API
- What are JWTs (JSON Web Tokens)?
- Scopes vs Roles?
- Getting a token as application
- Getting a token as user

These principles are not Microsoft Entra specific and can be applied to other Identity Providers as well; the exact implementation might be slightly different.

You're using Azure Key Vault incorrect

We have all seen the samples where you put your secret keys in Azure Key Vault and think you're now completely secure. I'll show you how to exfiltrate those certificates and what you should do about it.

- Exfiltrate certificates
- Protect multi-tenant application
- Managed identity misuse

Dutch Microsoft Security Meetup User group Sessionize Event Upcoming

December 2026

Scottish Summit 2026 Sessionize Event Upcoming

October 2026 Edinburgh, United Kingdom

Experts Live Netherlands 2024 Sessionize Event

June 2024 Nieuwegein, The Netherlands

WorkplaceDudes NL User group Sessionize Event

May 2024

Microsoft Security User Group 2024 User group Sessionize Event

January 2024 Oslo, Norway
