Many infosec veterans are becoming increasingly skeptical about the value of security conferences. The charge is that these conferences all say similar things and don't provide much value. One friend of mine, Dave Shackelford, just put up a great post about the phenomenon.
I too have questioned the value of these events, and I’d like to share a solution to at least part of the problem.
Capturing new information
I think the center of the issue is that conference attendees are not good at capturing and integrating the information they take in. They go from talk to talk taking occasional notes, but are not able to fold what they’ve learned into their daily work.
This actually breaks into two different issues:
- Not having a current “best” way of doing a given thing
- Not capturing changes to that best way
So let us say that there is a security talk on Cross-site Scripting. Let’s say there’s some new technique that you learn about from the speaker. It’s new. It’s exciting. It’s not something you have seen before.
What most conference attendees do with this information is tell their friends in the hall afterwards that they just saw a sick new XSS technique.
And that’s about it.
Most attendees don't have their current best approach to testing XSS captured anywhere. When they test XSS they do so somewhat haphazardly, relying on what they happen to remember at that moment. And when they try to recall that one technique they saw at that one talk last year, they usually fail to do so.
Capture into the authoritative location
So you want to start with something authoritative to update, and you want to make changes to that artifact as directly as possible.
This is where git comes in.
Git isn't just for code. Think of it as a versioned center of truth for your most important collections of knowledge. I use it to track my philosophical and political views, my list of things to do before I die, my wardrobe, my technical testing methodologies, etc.
So let's say it's me in that XSS presentation. When I'm "taking notes", I'm actually inside my authoritative methodology making changes. And because it's git, every change gets a commit message that records where it came from, like:
New bypass technique from James Fitts at DerbyCon.
I can look at my commit history and see exactly where I folded in various elements of my current system. Now extrapolate that to everything else you care about.
You could learn some new thing about men's fashion (say about brown shoes and black pants), and update your list of fundamental dress rules. Or you could learn some new thing in an Intelligence Squared debate that makes you think differently about some political issue, and update your core beliefs page.
It works for anything. All you need is to 1) have your current ideas/methodology/list somewhere to be updated, and 2) remember to make your updates there and not somewhere they’ll be lost.
And it’s fantastic for collaboration.
Coming back to infosec, you could for example have your entire mobile security team making changes to your mobile methodology while in various mobile talks. One methodology, lots of contributions, all with attribution, commenting, and versioning.
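Here is what that workflow looks like on the command line, for both the solo case above (committing a takeaway straight into the methodology with the talk named in the commit message) and the team case (several people committing into one methodology, with git keeping attribution for them). This is an added example, not something from the original post or from any particular team's repository: the methodology file, its contents, the contributor names and the takeaway lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): keep a testing methodology as a
# file in a git repository and record each conference takeaway as its own
# commit that names its source. File contents, names and takeaways are
# constructed for illustration.
set -eu

# Commit the current tree as a given person, with a fixed identity so the
# example runs anywhere without global git config.
commit_as() {
    repo=$1; who=$2; msg=$3
    git -C "$repo" add -A
    git -C "$repo" -c user.name="$who" -c user.email="$who@example.invalid" \
        commit -q -m "$msg"
}

# Create a throwaway repository holding one methodology file and print its path.
setup_methodology_repo() {
    repo=$(mktemp -d)
    git -c init.defaultBranch=main -C "$repo" init -q 2>/dev/null
    cat > "$repo/xss-methodology.md" <<'EOF'
# XSS testing methodology (constructed sample)
- Enumerate every reflection point: URL, headers, body, stored fields
- Probe each sink with a payload for its context (HTML, attribute, JS, URL)
- Verify output encoding per context, not just one global escape
EOF
    commit_as "$repo" 'me' 'Initial XSS methodology'
    echo "$repo"
}

# Fold one takeaway into the methodology; the commit message records the source
# and git records the author, so attribution survives even on a team repo.
capture_takeaway() {
    repo=$1; who=$2; line=$3; source=$4
    printf -- '- %s\n' "$line" >> "$repo/xss-methodology.md"
    commit_as "$repo" "$who" "New technique from $source"
}

# How much did a given talk or conference contribute? Count the commits that
# name it. (This is the "number of updates extracted" measure of a talk's value.)
count_updates_from() {
    repo=$1; source=$2
    git -C "$repo" log --oneline --grep="$source" | wc -l | tr -d ' '
}

# Find the commit that introduced a particular technique: -S searches for
# commits that changed the number of occurrences of the string, so this is how
# you locate "that one technique from that one talk last year".
commit_that_added() {
    repo=$1; needle=$2
    git -C "$repo" log --format=%s -S"$needle" -- xss-methodology.md
}

# Walkthrough: two people in the same talk, one methodology, then query history.
repo=$(setup_methodology_repo)
capture_takeaway "$repo" 'me'    'Try event-handler attributes when angle brackets are stripped (constructed)' 'the XSS talk at DerbyCon'
capture_takeaway "$repo" 'alice' 'Re-test encoding bypasses after any WAF change (constructed)'               'the XSS talk at DerbyCon'
count_updates_from "$repo" 'DerbyCon'            # 2 updates came out of that talk
commit_that_added  "$repo" 'event-handler'       # which commit folded it in
git -C "$repo" log --format='%an: %s'             # per-commit attribution for the team
```

`git log --grep` answers "what did I get out of that conference", `git log -S` answers "where did this technique come from", and `git log --format='%an: %s'` (or `git blame` on the file) shows who contributed which line when a whole team is committing into the same methodology.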
- Consider using git/Github to capture the most important methodologies, lists, and collections in your life, e.g., political beliefs, your bucket list, restaurants to eat at, vacations to take, testing methodologies, your oh-crap-bag packing list, etc.
- When you learn something new, don’t capture it into some arbitrary or ephemeral location. Capture nuggets of wisdom into the only place that matters—your authoritative center of truth for doing that particular activity.
This is how you can get value out of security conferences. Instead of some mushy feeling of vague usefulness, walk away with a tangible list of updates to the way you will solve problems going forward. And as a bonus, you’ll be able to tell how valuable a given talk or conference was by the number of these updates you were able to extract from it.