Why I _am_ Speaking At RSA 2014

Posted: 2014/02/22 in Conferences, DevOps, Rugged, The Cavalry

There’s been quite a bit of drama with regards to whether or not to boycott the RSA conference over a deal that the RSA security vendor had made with the NSA. I will not be rehashing it here.

What I will say is that I can respect individual decisions for principled reasons.

My own choice is also based on a calculus of my principles; I hope those who made a different choice can respect that.

I will be speaking at RSA – for a number of very nuanced reasons.

Of these, the clearest in my mind was simply this…

I research security to help people better defend themselves and things that matter.

Love or hate the RSA Conference, it is the annual heartbeat of the security industry and for many mainstream security professionals, this is their best chance to learn, challenge themselves and interact with the industry’s leading minds. I thought long and hard about all of the sides of this issue and decided that those most likely to be hurt by me boycotting were the very people I do this for.

Trust has been damaged on many fronts over the last year. I believe these issues cut to the core of the industry and our “community”. They will need hard discussion and debate – and I will be there to make sure that happens.

My Speaking Slots:

Both Sunday and Monday, February 23/24, 2:00 – 6:00 PM — BsidesSF at DNA Lounge 

“I am The Cavalry” @ #BSidesSF DNA Lounge is at 375 Eleventh Street San Francisco, CA 94103

Our dependence on technology is growing faster than our ability to defend it. The Cavalry isn’t coming. It falls to us… While its roots come from many places, a key moment for the @iamthecavalry movement was my #BSidesSF closing keynote last year. One year later, we have a large and growing movement of security professionals focussed on having impact on security of consequence. As our focus converges on technologies with the potential to impact human life and public safety, come hear what we’re doing regarding Auto, Medical, Home Electronics, and Public Infrastructure. The full agenda for our 2 days of working session is posted at the BSidesSF Website.

I am The Cavalry

Tuesday, February 25, 8:00 AM PM – RSA USA – South “Viewing Point” in Gateway Halls – Keynote Commentary

“Expert” Commentary for Day 1 Keynotes

RSA is always experimenting. This year in the “Viewing Point” in Moscone South, folks can watch the Tuesday  keynotes with some running commentary and play by play analysis. I’ll be joined by Hugh Thompson and Wendy Nather for what should be a bit of fun and analysis, but will hopefully help to frame the discussions and the rest of the week.

Tuesday, February 25, 3:00 – 3:30 PM – RSA USA – North Room 134 – Speaker

Call in the Cavalry – WHY We Need The Cavalry and Why It Falls to Us

Our dependence on IT has grown faster than our ability to protect it. What was once our hobby became our profession, and now permeates every aspect of our lives. In this swarming internet of things, vulnerable, connected technologies now permeate every aspect of our lives. While our best and brightest struggle to defend our enterprises, no one is even thinking about our growing dependence and exposure. The sad news is… the cavalry isn’t coming – it falls to us. We must be the adults in the room. We must ready ourselves to be ambassadors of technical literacy and the voice of reason. We have to be better… and we will be… starting now.

Much of RSA Conference is about protecting your enterprise. We are very pleased that RSA acknowledged the need also focus our best and brightest on security for the internet of things. My Tuesday “WHY the Cavalry” talk is the first of three 30 minute Cavalry talks at RSA. On Wednesday, Nicholas Percoco will explain WHAT the Cavalry must lead. On Thursday Katie Moussouris will outline HOW the Cavalry will affect change. All three #RSAC Cavalry talks are listed here.  Also, come talk about the mission at out booth in the Sandbox:

  • Tuesday 1:00-5:00pm
  • Wednesday 8:30am – 1:00pm
  • Thursday 8:30am – 1:00pm
Wednesday, February 26, 10:40 – 11:40 AM – RSA USA – West Room 2014 – Panelist

ASEC-W03 – DevOps/Security Myths Debunked

As DevOps has become more popular a lot of myths have arisen with regards to security and many opponents claiming that you can’t do security in a DevOps environment. This panel will address a number of those myths and demonstrate how you can embrace DevOps and maintain the appropriate security profile for your organization.

Dwayne Melancon will once again moderate myself and fellow Rugged DevOps trailblazers: Gene KimDavid Mortman, and Nick Galbreath. The great news is that the ranks of security DevOps boundary spanners is growing to include folks like Neil MacDonald, Rich Mogull, Dan Kaminsky and others. If this is a new or threatening subject, my 30m RSA Europe 2013 Keynote was a good introduction:

Thursday, February 27, 8:00 – 9:00 AM – RSA USA – West Room 2020 – Co-Presenter

STR-R01 – Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome

Nearly every aspect of our job as defenders has gotten more difficult and more complex—escalating threat, massive IT change, burdensome compliance reporting, all with stagnant security budgets and headcount. Rather than surrender, it’s now time to fight back. This session will provide new approaches to finding financial and operational support for information security across the organization.

I’ll ride once more with David Etue for Part 3 of our “Modern Security Strategy Trilogy” based on work we’ve together over several years.
NOTE: The slides and visuals came out WELL BEYOND my expectations. You do not want to miss this.
Friday, February 28, 9:00 – 10:00 AM – RSA USA – West Room 2014 – Co-Presenter

ASEC-F01 – Software Liability?: The Worst Possible Idea (Except for all Others)

Nearly While many had hoped that market competition would influence security improvements, customers are forced to accept software as is with no alternatives. Software is responsible for our critical infrastructure, cars, medical devices and is a part of our daily lives including our well-being. Will we be able to achieve better software security without vendors facing financial consequences?

I’ve not yet worked with Jake before but we have had spirited exchanges in the past. We have come into the topic of Software Liability from very different paths, but it has been a good complement and I really hope this advances what is often a thought terminating debate. Jake knows a ton about how the Insurance industry has been looking at the issues. He also has an interesting vantage point through his work with the Open Source Vulnerability Database (OSVDB).
I hope to meet new people and new teammates.
  1. […] the industry’s leading minds,” wrote computer security professional Joshua Corman in a blog post explaining why he chose to attend the […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s