Security conferences

30Apr09

Having dragged James into the debate about Pamela’s post, and having spent most of the week at a security conference I thought I’d throw some of my own thoughts into the ring.

Let’s start with attendees, or ‘plankton‘ as Pamela calls them, and the idea that attendees learn something by going to conferences. I think this is partially true – for people that are new to the field or a given role; but doesn’t actually apply to many attendees, where you quickly get the usual suspects showing up year after year. Some events have clearly now got to the stage where their only value to many attendees is meeting with the other usual suspects, and as Pamela points out you can do most of that without buying a ticket. I’m also less than convinced that there’s really much educational value in vendor presentation. Mileage varies (according to the quality of the event) between outright product pitches and ‘here’s one of our smartest people letting you know why we think this is a problem (that needs our solution)’, but it’s still SUV mpg that you get for your money. If you outsource your thinking to vendors then don’t be surprised to get a bunch of dumb stuff for your money. This is why I’ve been leaning towards more academic conferences over the last few years. They have their own rough edges, but there’s no vendor spin, and you get a lot of new information for your money.

James asked me to report back on whether the shift from network security to application security was in evidence. I can’t give a completely straight answer to that, as I’ve spent all of my time this week meeting people and introducing them to my successor. I’m kind of glad that I wasn’t spending time looking for cool new stuff, there doesn’t seem to be any. As for whether people are getting the need to move from the network to the application that seems to depend who you talk to. If this was politics then I’d say it was split along party lines; but it’s technology so it’s split along vendor lines. If measured by floor space then I’d say that we’re mid transition, as it was the host security guys that seemed to be trying the hardest (to differentiate commodity products by having larger and louder stands than the next guy).



4 Responses to “Security conferences”

  1. Hi Chris

    In my experience, security conferences vary wildly in their educational value. For applied learning, I favour eusecwest and then Black Hat (I hadn’t been in a long time and was pleasantly surprised by some of the talks just given at BH EU).

    There may be other solid conferences that I haven’t been to, but those keep on givin’.

    The more vendors present, the less likely the people I want to listen to will attend. I’m not anti-vendor (can be a lazy generalisation) but the larger the number, the lower the signal to noise ratio.

    Are you moving on or just changing roles?

    Enjoying your blog,

    Craig

  2. If you want to learn about security, I highly recommend attending local OWASP user groups. They are free, local and have a low signal to noise ratio…

  3. 3 Steve

    Interesting question whether the focus is shifting from network to application security. My very biased slant on the answer is that it’s neither – the shift is that identity is becoming the fulcrum for enforcement decisions. Incorporating identity as a parameter allows for enforcement decisions to made on the transactional context – which encompasses both application and network tiers. But when you consider the shift in criminal intent, from malice and disruption, to outright thievery, it would seem that application security should take higher priority. Cisco made an announcement about how they are using cloud computing’s economies of scale to improve the accuracy of IPS. I am not sure that really resolves the problem.

    As an analyst, I find the conversations and personal interactions useful at a general event like RSA. The sessions don’t provide much in the way of content.

  4. 4 Ed

    Certainly I find that thanks to the internet and search a lot of what I tend to read comes from academic sources and I’m not the only one looking there either:
    http://zerodaydefense.blogspot.com/2009/04/why-hackers-love-academic-research.html


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: