Security BSides, RSA: Things That Get Lost in the Shuffle

Sunday, February 20, 2011

Rafal Los


This was my first RSA Conference, and my first Security BSides San Francisco.

While the big buzz and hoopla is going on just below our feet at Moscone Center at the flashy, expensive conference where all the hype meets the media, the Security BSides folks quietly bring in a different sort of crowd. 

It's almost as if between the hype, the media, and the extravagant parties, RSA has forgotten its purpose... or maybe it seems that way because RSA has acquired a new direction.  Either way, the behemoth and the BSides event right next to it offer very different views into what security means to a large variety of different people.

My current world is Software Security Assurance, Application Security - or whatever you feel comfortable calling it these days... and as such I look at things like this as though through a straw. 

Micro-focusing on the events and technology drivers that impact the state of software security is tough - especially when the hot topic of the day is cloud, cloud, cloud, "data exfiltration" (which we all know is code for WikiLeaks), and... oh, right 'Cyber War'. 

So how do software and applications get affected by, or in turn affect, these topics? Well, that all depends on who's speaking and who's listening.  Let me explain.

The BSides Version

Let's be serious, half the things we're hearing today in the media are hype, and the other half are echoes of hype.  Sure, real threats exist, and obviously we have data exfiltration issues... but how is today different from 5 years ago, when these issues existed as well?  Oh, that's right - there was a major incident, and now there are products to 'solve' these issues for you as an enterprise.

So the BSides take on this is quite pragmatic, stripping much of the hype away.  The talks here were for the most part more raw, and without the feeling that someone was secretly trying to sell you something, save one very bad panel...

Billy Rios had another great (seriously, Billy needs to do stand-up comedy) talk about the various infection vectors stemming from XSS, PDF and content-types in web applications.  You could tell that Billy didn't have an agenda or a product to sell you - and I am willing to bet people walked away from that at least remembering some things, and will tinker for themselves.

Careful now, tinkering for yourself is dangerous if you're not doing it on your own code, apps and servers... but that's what these BSides events are all about.  The curious, the eccentric, and more importantly the doers show up and talk shop.  It's quite an experience if you've never attended a BSides conference.

So what do Cloud Computing, Cyber War and 'data exfiltration' mean to the BSides audience?  Not a darn thing unless there are real issues behind the buzz... and in many cases there are, but they're more fundamental, like data openness, application attack vectors and so on.  Make sense?

The RSA View

Not that there's anything wrong with it, but I'm seeing the RSA crowd as more executive, more management, more 3-star General... if you get my drift.  It's wining and dining, glitz and glamor, and flashy booths with giveaways and doodads to attract you to a booth so someone can follow up with you later on a product they want to sell you.

Then there are the keynotes, which never fail to amuse.  This year I'm particularly interested in my own VP of software, Bill Veghte, who will be keynoting... a first for us, so I can't wait to see the result.  RSA attendees are trying to find products and solutions to much bigger problems and issues.

Nebulous terms like 'Cloud Security' get tossed around - and are often met with many, many products, services, and hype.  All well and good - but you have to understand who you're selling to, and why.

I guess I consider myself a grass-roots type of guy; I think the best way to effect change is to go and do it.  Talking about it over and over again... that may get people to agree with you, but unless you're giving them the tools and know-how to do it right now, they aren't taking much back with them except freebies.

I think security conferences need to start going back to their roots more, and if you look at the tracks that HP/Fortify is presenting or sponsoring - you're already starting to see some of that I'm proud to say.

What IT Security Needs Now...

I think what we need now is more conferences like BSides... honestly.  While the big executive events are a powerful way to launch new products, services and companies - the BSides events are what really gets ideas to people who either can't afford to pay the expenses of a 'big conference', or just don't want to end up lost in the shuffle of hundreds of talks on various topics of non-interest. 

I think what we need now in the security industry is focus... the issues are so looming, so destructive and so pervasive that we can't just keep throwing parties and patting ourselves on the back - we need action, leadership and people who can teach and move us forward to a more secure tomorrow. 

I think we can accomplish that sort of thing at the big conferences, and the small ones... we just need to think about it a little more, and party a little less.

Cross-posted from Following the White Rabbit

shawn merdinger hrm...seems that RSA these days stands for "Reading Something Anonymous"
Rafal Los @Shawn- I think RSA is interesting if you're in the market to BUY something. Lots of vendors selling 'solutions' which come in a box and have lots of blinky lights and cost big dollar amounts. Lots of talk, lots of flashy sights ...little substance.