Secure Coding mailing list archives

quick question - SXSW

From: jsteven at (John Steven)
Date: Fri, 14 Mar 2008 09:39:08 -0400


I just got back from SD West where I spoke twice in the security track. My third year working this show I was shocked 
to find larger audiences, avid participation, and (what excited me the most) very clueful development types.

Awareness will continue to be a big part of "getting the word out there". But what Gunnar attempted to do with his 
track at QCon was excellent and we should learn from it. He 1) organized a set of talks that followed each other 
clearly, building on previous content and 2) focused on more intermediate or advanced content.

Too often, the security talks at conferences overlap. Even this year's SD West had two threat modeling talks and a 
secure design talk. I'm also sick of their patronizing structure and titles: "Top 10 Web Vulnerabilities". Smart 
developers interested in learning this stuff can avail themselves of strong web tutorials from a variety of sources at 
this point. Overlapping talks comprised mostly of top ten lists leave developers with the empty "So what do I do about 
it?" feeling.

At SD West, I positioned my two talks as "advanced". I laughed looking at the conference board. I personally accounted 
for about half of the advanced talks for the conference. My "Static Analysis Tool Customization" talk generated great 
discussion. I was pleased. Almost every audience member worked for an organization that was piloting or had already 
adopted a tool. They had really used it, and crashed against a rock. Because experience varied (Coverity, KLocwork, 
Fortify, and Ounce experience all represented) we got to talk about more than just one tool. Comparison was very 
demonstrative. People took copious notes, stayed after, discussion continued.

Yes, we still need more awareness but people want more advanced talks. They're ready.

At SD Best, I'm working to modernize the curriculum. I'm working with the development track leads to make sure that 
things cohere. Rather than mixing old-school buffer overflow information, with web security, with some process help, 
with some tool demos, I'm going to try to organize instruction around some of the newer stuff that developers are 
beginning to play with and be excited about. We'll focus on web services and web 2.0. In my mind, teaching people to 
"think destructively" is important, but bringing it back around and showing what to do about vulnerabilities is hugely 
important at a dev. conference. Last year I pushed speakers in this track to give constructive advice. I'll do the same 
this year.

Whether we're speaking to security guys or developers, it's time to show people patterns and approaches that will help 
them solve the problems we've been talking about for years.

Sum: Modernize advice. Talk to people in the languages and frameworks that they're using now. Get practical and 
constructive. Teach people how to build it right. Move beyond awareness to intermediate and advanced topics. It's time 
to raise the bar.

John Steven
Technical Director; Principal, Software Security Group
Direct: (703) 404-5726 Cell: (703) 727-4034
Key fingerprint = 4772 F7F3 1019 4668 62AD  94B0 AE7F EEF4 62D5 F908

Software Confidence. Achieved.

From: sc-l-bounces at [sc-l-bounces at] On Behalf Of Gunnar Peterson [gunnar at]

I agree this is a big issue, there is no cotton picking way that the
security people are solving these problems, it has to come from the
developers. I put together a track for QCon which included Brian Chess
on Static Analysis, John Steven on Threat Modeling, and Jeff Williams on
ESAPI and Web 2.0 security. The presentations were great, the audience
was engaged and enthusiastic but small; it turns out that it is hard to
compete with the likes of Martin Fowler, Joshua Bloch, and Richard
Gabriel. Even when what they are talking about is some nth level
refinement and what we are talking about is all the gaping holes in the
previous a-m refinements and how to close some of them.