Over the course of my career I haven’t had the opportunity to attend many security conferences, for two reasons:
- the organizations I worked for didn’t really support sending staff
- I tend to be socially awkward, and have difficulty talking to people
When I started at Mozilla I was super excited about both attending and participating at conferences since not only could I actually attend them, but pretty much everything important that we do at Mozilla is done in the open! Since presenting and participating in security conferences would help me work on the social anxiety bit, and I would learn stuff, it was a huge win!
The conferences I attended several years ago left me inspired, excited, with a pile of ideas for problems to tackle, and tools to develop. The conferences I have attended in the last year have left me thinking “That was a really great rehash of stuff that has already been done to death, with a minor twist at the end.”
To a certain extent this is likely the result of the degree of advances in the field. Ground-breaking, revolutionary new attacks are going to become increasingly rare; you can read more about why here, but basically, IT Security and InfoSec is starting to mature as a research field. Another reason why is the increasing desire to extract direct value from security research; if it can’t be used for marketing, or sold explicitly in a vulnerability market, the it is a trade secret that can be rehashed as special consulting secret sauce. Coupled with the proliferation of security conferences of varying degree of quality, and the glut of “me too” presentations, I think this is going to get worse before it gets better (at least for offensively focused conferences)
Despite my concerns on this, I have continued to attend because I still want to build a better network; first, because sharing ideas and info is fun and cool, and second, because we have a bunch of neat open jobs, and talking to smart people about Mozillas mission and work is a great way to try to recruit people! Unfortunately this also makes me sad. At virtually every conference I have been to, it is virtually impossible for me to ‘meet people’ and ‘network’. I blame myself for this because of the reason listed above, but it is also the result of the cliquey nature of communities.
There are some exceptions to my conference malaise, and those were the BSidesSF events; even though the talks were less engaging[1] this year than they were in 2011. The BSides events were very interesting because although there were still cliques, they were easy to mix into. The groups were small, and the attitudes of people generally more positive, and everyone I spoke to was interested in chatting and getting to know people.
Rather than just complaining about it, I am going to try to do something about it. A few years ago I had the opportunity to present at a cool conference, but my employer at the time interfered. Now that Mozilla is actively promoting our mission, and supports pushing the security component, I am going to push hard to complete two distinct research projects over the next year, and aim to present the results and tools. Although either of the topics would likely be suitable for a major “mainstream” security conference such as BlackHat, RSA, (Can|Pac|Eu)Sec, I will aim to present at smaller regional conferences, or conferences that are focused on open communities such as MozCamp, OWASP, or BSides events.
My Projects
The first one builds on the Garmr tool that Mozilla released earlier this year, and will help security teams to perform low to moderate risk assessments at scale. I aim to present these application security tools at a conference in Q3 of 2012, with a tool release in late Q2 or early Q3. The focus of this tool will be implementing some the concepts and ideas I wrote about when I joined Mozilla, with the aim to enable teams to perform security work at scale.
The second one will be an attempt to combine some of the AppSensor / Attack Aware Application work that OWASP published with some really cool new technologies to take security event monitoring in a different direction. This is a joint project with another person and will not be ready until sometime in 2013.
I hope to see people at future conferences, and will continue to chip away at building a better network and meeting people, but I really hope that shifting focus can help me to recapture some of the inspiration I used to get from the security community!
[1] YMMV! Several of the talks touched on areas I have done work in the past, so there was not much new ground covered for me.