All, I just got back from SD West, where I spoke twice in the security track. In my third year working this show, I was shocked to find larger audiences, avid participation, and (what excited me the most) very clueful development types.
Awareness will continue to be a big part of "getting the word out there". But what Gunnar attempted to do with his track at QCon was excellent and we should learn from it. He 1) organized a set of talks that followed each other clearly, building on previous content, and 2) focused on more intermediate or advanced content.

Too often, the security talks at conferences overlap. Even this year's SD West had two threat modeling talks and a secure design talk. I'm also sick of their patronizing structure and titles: "Top 10 Web Vulnerabilities". Smart developers interested in learning this stuff can avail themselves of strong web tutorials from a variety of sources at this point. Overlapping talks composed mostly of top-ten lists leave developers with the empty "So what do I do about it?" feeling.

At SD West, I positioned my two talks as "advanced". I laughed looking at the conference board: I personally accounted for about half of the advanced talks for the conference. My "Static Analysis Tool Customization" talk generated great discussion. I was pleased. Almost every audience member worked for an organization that was piloting or had already adopted a tool. They had really used it, and crashed against a rock. Because experience varied (Coverity, Klocwork, Fortify, and Ounce experience all represented), we got to talk about more than just one tool. Comparison was very demonstrative. People took copious notes, stayed after, and discussion continued.

Yes, we still need more awareness, but people want more advanced talks. They're ready.

At SD Best, I'm working to modernize the curriculum. I'm working with the development track leads to make sure that things cohere. Rather than mixing old-school buffer overflow information with web security, with some process help, with some tool demos, I'm going to try to organize instruction around some of the newer stuff that developers are beginning to play with and be excited about. We'll focus on web services and Web 2.0.
In my mind, teaching people to "think destructively" is important, but bringing it back around and showing what to do about vulnerabilities is hugely important at a dev conference. Last year I pushed speakers in this track to give constructive advice. I'll do the same this year. Whether we're speaking to security guys or developers, it's time to show people patterns and approaches that will help them solve the problems we've been talking about for years.

Sum: Modernize advice. Talk to people in the languages and frameworks that they're using now. Get practical and constructive. Teach people how to build it right. Move beyond awareness to intermediate and advanced topics. It's time to raise the bar.

----
John Steven
Technical Director; Principal, Software Security Group
Direct: (703) 404-5726 Cell: (703) 727-4034
Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908
Blog: http://www.cigital.com/justiceleague
Papers: http://www.cigital.com/papers/jsteven
http://www.cigital.com
Software Confidence. Achieved.

________________________________________
From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Gunnar Peterson [EMAIL PROTECTED]

I agree this is a big issue; there is no cotton picking way that the security people are solving these problems, it has to come from the developers. I put together a track for QCon which included Brian Chess on Static Analysis, John Steven on Threat Modeling, and Jeff Williams on ESAPI and Web 2.0 security. The presentations were great, the audience was engaged and enthusiastic but small; it turns out that it is hard to compete with the likes of Martin Fowler, Joshua Bloch, and Richard Gabriel. Even when what they are talking about is some nth-level refinement and what we are talking about is all the gaping holes in the previous a-m refinements and how to close some of them.
http://jaoo.dk/sanfrancisco/tracks/show_track.jsp?trackOID=73

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________