Comments on: Final score: OSCON 4/234, Black Hat 5/92, DefCon 1/118. AppSecurity: 10/444 == ~Statistically insignificant

By: onelittlewindow » Blog Archive » Shmoocon 2008 — the “not sexy” talks part I

Wed, 27 Feb 2008 04:01:09 +0000

[...] discussion over the past year. I’ve been exposed to them mainly in web app sec circles (see Andrew van der Stock rant), but it’s a recurring theme — patching is not as sexy as buffer overflows, code [...]

By: vanderaj

vanderaj — Tue, 24 Jul 2007 05:17:18 +0000

OSCON == Unconverted masses. There’s hundreds of talks on new language features, Ajax, performance, scalability, architecture, but basically two offerings from Chris (one a tutorial, the other a simple hour) on web application security. The other five security talks in the security track do not speak to PHP or open source security solutions, such as how to avoid buffer overflows, or similar. I like speaking to developers because they are fresh and can learn how to do it better.

Talking to security bods at security conferences… Well, they already get it. They know OWASP exists (for the most part), they know where to go if they actually cared. But for Black Hat to basically ignore this entire area just so they can have two extraordinarily theoretical talks on stuff no one gives a crap about except for the associated fan bois and their groupies? I’m sure BH could have squeezed in a single talk somewhere on solutions.

BlackHat started out being the more corporate version of DEFCON and during the days of network security, sploits were good to know about so we could grill our firewall vendor or try them out ourselves. But application security, that’s something we’re all responsible for and CAN fix.

Defcon, you’re right. It’s the other side of the coin and for that reason I find the hall way track far more rewarding than any of the official programs. I went to like two sessions last year and learnt more sitting next to Jeremiah Grossman than I did from the talk. This year, there’s remarkably few *application* level talks. Most are still attacking the plumbing, not going after the water. The value is the water, not the pipes.

There’s just no point in changing these folks - they are dead and irrelevant. Time to move on, time to choose or make better conferences where solutions can be found. Build it, and they will come.

By: kuza55

kuza55 — Mon, 23 Jul 2007 07:04:38 +0000

By oscon, do you mean the O’Reilly Open Source Convention: http://conferences.oreillynet.com/os2007/ ? Because I can’t find another oscon. And if you do mean that oscon, there are only 7 security talks: http://conferences.oreillynet.com/cs/os2007/view/e_trak/405 And there doesn’t seem to be too much FUD there. If I mixed something up, please point me in the right direction.

As for DEF CON, well as far as I can tell, it was never really meant to be an “industry” conference, it was intended as a meeting place for hackers, who generally are interested in the latest greatest way people have come up with to break things, rather than fix them (because solutions _generally_ aren’t that difficult to come up with once the problem is known). So including the stats from DEF CON is a bit deceptive.

I do see your point in regards to Blackhat being full of FUD, but its goal has never been to explain to people how to fix things, its always existed to show people the attacks and issues they face.

So; what’s my point? You’re looking in the wrong places for solutions, and so is everyone else, if they expect to get them from DEF CON or Blackhat. So while they might be irrelevant to someone who wants solutions, it will remain relevant to everyone simply interested in the current research.