Final score: OSCON 4/234, Black Hat 5/92, DefCon 1/118. AppSecurity: 10/444 == ~Statistically insignificant

A little while ago, I wrote a dejected post saying that OSCON, Black Hat, and Defcon all missed the greatest opportunity to speak to the right folks about securing their apps. Well, with the final schedules of Black Hat and Defcon up, we have:

  • Fear – Pretty much every talk
  • Uncertainty – you betchya
  • Doubt – doesn’t the security industry work on creating doubt? Yep.
  • Solutions – 10 out 444 talks == 2% of all talks

    We have to move past this. I am not asking for solutions to be even 50% of the talks, but dammit, it should be over 10% and it should be over 25%.

    The CIOs and CTOs and mid-level junketeers in our industry (who go to these events to pick up chicks of negotiable affection*) and go: “WHOA! I’m so screwed! What do I need to do to protect my assets from all this badness?” And the snake oil sales puke from the large security ISV will go: “let me show you this bridge I have for sale over here…”

    At Black Hat 3 of 5 potential security solution talks are the 20 minute turbo talks. How much can you learn in 20 minutes? Enough to be scared, or enough to learn a URL? In Defcon, there’s just one talk on using a tool as a shield around your crap. Of course that’ll work. Like anti-virus or IDS “works”. Not.

    The CIOs and CTOs and high level business folks don’t want horror stories. They get that enough of that from the snake oils sales pukes. They want solutions that work. They want to know what to do right. These solutions should not cost the earth and should be effective. None of which they’ll learn about at these conferences. Will this stop them going to conferences? Of course not! It’s Vegas, baby!

    The conferences will have to start being relevant or they’ll end up like being CES. CES started out small, grew immensely, changed to be vendor friendly, and no one came. They cancelled it. Now everyone goes to E3. They’ve changed the rules to be more industry friendly… and it’s only a matter of time before it, too, dies. “Our” industry conferences on the outside seem more popular than ever, but they are dead. I will not be submitting any more talks to them as they are irrelevant. They do not support solutions, only fear.

    * And occasionally, chicks with dicks of negotiable affection. But what happens in Vegas, stays in Vegas, eh baby!

Comments

3 responses to “Final score: OSCON 4/234, Black Hat 5/92, DefCon 1/118. AppSecurity: 10/444 == ~Statistically insignificant”

  1. kuza55 Avatar

    By oscon, do you mean the O’Reilly Open Source Convention: http://conferences.oreillynet.com/os2007/ ? Because I can’t find another oscon. And if you do mean that oscon, there are only 7 security talks: http://conferences.oreillynet.com/cs/os2007/view/e_trak/405 And there doesn’t seem to be too much FUD there. If I mixed something up, please point me in the right direction.

    As for DEF CON, well as far as I can tell, it was never really meant to be an “industry” conference, it was intended as a meeting place for hackers, who generally are interested in the latest greatest way people have come up with to break things, rather than fix them (because solutions _generally_ aren’t that difficult to come up with once the problem is known). So including the stats from DEF CON is a bit deceptive.

    I do see your point in regards to Blackhat being full of FUD, but its goal has never been to explain to people how to fix things, its always existed to show people the attacks and issues they face.

    So; what’s my point? You’re looking in the wrong places for solutions, and so is everyone else, if they expect to get them from DEF CON or Blackhat. So while they might be irrelevant to someone who wants solutions, it will remain relevant to everyone simply interested in the current research.

  2. vanderaj Avatar

    OSCON == Unconverted masses. There’s hundreds of talks on new language features, Ajax, performance, scalability, architecture, but basically two offerings from Chris (one a tutorial, the other a simple hour) on web application security. The other five security talks in the security track do not speak to PHP or open source security solutions, such as how to avoid buffer overflows, or similar. I like speaking to developers because they are fresh and can learn how to do it better.

    Talking to security bods at security conferences… Well, they already get it. They know OWASP exists (for the most part), they know where to go if they actually cared. But for Black Hat to basically ignore this entire area just so they can have two extraordinarily theoretical talks on stuff no one gives a crap about except for the associated fan bois and their groupies? I’m sure BH could have squeezed in a single talk somewhere on solutions.

    BlackHat started out being the more corporate version of DEFCON and during the days of network security, sploits were good to know about so we could grill our firewall vendor or try them out ourselves. But application security, that’s something we’re all responsible for and CAN fix.

    Defcon, you’re right. It’s the other side of the coin and for that reason I find the hall way track far more rewarding than any of the official programs. I went to like two sessions last year and learnt more sitting next to Jeremiah Grossman than I did from the talk. This year, there’s remarkably few *application* level talks. Most are still attacking the plumbing, not going after the water. The value is the water, not the pipes.

    There’s just no point in changing these folks – they are dead and irrelevant. Time to move on, time to choose or make better conferences where solutions can be found. Build it, and they will come.

  3. […] discussion over the past year. I’ve been exposed to them mainly in web app sec circles (see Andrew van der Stock rant), but it’s a recurring theme — patching is not as sexy as buffer overflows, code […]

Leave a Reply

Your email address will not be published. Required fields are marked *