Monday, February 8, 2010

A Quick Word on Security Conferences

Since I started speaking at conferences again just over a year ago I have started to notice a few things:

  • I am seeing the same people over and over
  • These same folks are the ones who already "get it"
  • Attendees vary by region (rarely do people get to travel too far)
  • Those that I can't say get it are -really- clueless
  • Some very basic concepts are still eluding many security conference attendees
  • Attendee counts have dropped drastically

Now, as a quick commentary on what this really means - I thought I would start by saying that I think it's good that we're getting attendees that continue to come out and support the cause.  Even though, predictably, the crowds are smaller it seems like the folks who are coming out are still fighting the good fight in their respective corners of industry.  My one concern is that the newcomers to some of these security conferences are really green.  I'm not talking about being environmentally conscious, I mean clue challenged.

I recently spoke at SANS, and while it was a small niche conference on the left coast I think we had a pretty good turnout.  My topic was pretty high level, speaking of the Web 2.0 dangers ("When Web 2.0 Attacks") and I could tell that some of the folks clearly got it - but what concerned me was that I could tell not everyone did.  Specifically speaking my talk wasn't rocket science and I wasn't releasing any ninja code-fu 0-day, nor was I explaining how to write shellcode for embedded systems ... this was conceptual "Web 2.0" stuff... hrmm.

I also saw some of the same things I'm used to seeing: people falling asleep (seriously, why show up?), people yacking on their cell phones or thundering away on their iPhone or BlackBerry keyboards answering emails (again, why come?), and then there were the glazed-over faces which can only mean one thing: clue challengedness.  I would break down the room like this: 30% got it (or they already knew it), 40% were being successfully woken up to the harsh realities, and the remaining 30% were absolutely lost.  I welcome you to read through the slides, then answer this one question: "Was this something the average person should comprehend?"

If your answer is yes - then you're in my camp.  You're wondering why people aren't getting it.  If your answer is no - leave me a comment; I want to know where I failed.

Oddly enough, earlier tonight I had a great conversation with Jeremiah Grossman, and he reminded me of something someone had mentioned a while ago... There are no easy entries into web application security.  Think about it.  As Jeremiah put it- "If someone asked you right now what they should do to get into web application security, what would you answer?"  I've been asked that question many, many, many times and I always have a really crappy answer... because I fear there are no good resources for beginners.  I think that's a failure of those of us that get it.  I think we're completely failing to educate others and thus we're causing a serious lack of talent, and thus driving down the overall security posture all around.

Now, I get that some people simply can't travel due to insane budgetary cuts all around every industry but that's really no excuse to be clueless.  We shouldn't be (as Jeremiah put it) "eating our young"... but I'll let him expand on a post of his own.

I encourage those of you who are out there, and "in the know", to reach out and teach.  Help increase the collective IQ of the security fold... the more smart people we have, the better we all are.


dre said...

Go to an OWASP local chapter meeting. Read the OWASP wiki. Contribute to a project

nickhacks said...

The link to your slides is broken.

I agree with dre, and that's usually where I point people - OWASP. It's where I started by going thru the testing guide and manually performing the tests in there and then I just kept on going from there.

Unfortunately (and I'll be a bit cynical here), I get the feeling that most people who ask how to get into Web App Sec aren't actually interested in getting into Web App Sec. I've tried to 'coach' people and show them lots of resources and offer to answer questions they have, but when it comes down to it, they don't actually put forth an effort (nobody follows up) and so it winds up going nowhere. Maybe it's all too overwhelming? Maybe I come off too technical to really help them 'get' it? But what I really think is that it's laziness - not that these people are 'lazy' but it is easier for them to go along with the status quo and maintain their current direction rather than putting forth (a significant) extra effort to learn how Web App Sec works.

This also frustrates me because I'm passionate about Info/App Sec and I know we desperately need other people to start 'getting it'. I won't go into specific examples here, but I could tell you more about my experiences with this at Thotcon or something.

Mark said...

Link to slides?

Rafal Los said...

@Mark - I fixed the link, sorry... not sure WTF I pasted there!

@Dre/Nick - I don't agree, at least not entirely on OWASP. OWASP can be "too overwhelming" for people who are just getting their feet wet. While I know OWASP is a great resource for those of us who are in this business - someone who just wants to learn what web hacking is all about gets buried and overwhelmed (deer in headlights) on Furthermore, there are lots of technical books, but I haven't found any that are "a beginner's guide to Web App Sec" ... maybe I'm just over-stating?

Unknown said...

Been following your blog for a while, thought I would post my 2c.

As an InfoSec pro wannabe, I was/am constantly overwhelmed as to where to start. I have taken a couple SANS classes (GSEC, working on my GCIH Gold right now), reading lots of books (Bejtlich, etc.), and trying to get practical exp.

I think the hardest thing for me is to know where to go next, and what to learn.