Security BSides Ottawa

Posted: November 15, 2010 in IT Security

Security BSides Ottawa was held 12-13 November. It comprised 12 speakers over the two days at a venue that supported the collaborative atmosphere that is a must for BSides events. By all accounts, all the participants were very happy with the content, venue and coordination of the conference.

Security B-Sides is the first grass roots, DIY, open security conference in the world! Security B-Sides is a great combination of two event styles: structured anchor events and grass-roots geocentric events. There are three core events that are both geographically and chronologically separated. These events are corporate sponsored and centrally managed (though locally organized). Typically about 100+ people attend each event, which are FREE to all attendees. These events work by having speakers post presentation topics to the wiki, which are then voted upon by the community. This process makes these events almost entirely community created and driven.

Beyond the three core events, Security B-Sides takes it to the streets by offering others the opportunity to create their own local event and have lots of fun doing so. Security B-Sides offers you unconference-in-a-box by providing the framework of tools necessary to deliver a structured event.

The Ottawa unconference was no exception. Held at Tucson’s in Ottawa’s South end, the conference organizers, Justin Foster (@justin_foster), Andrew Hay (@andrewsmhay) and Peter Hillier (@DeathwishDuck), found the perfect venue for the 121 attendees. They were able to get the venue for free and negotiated an exceptional rate at the hotel directly across the street for the folks traveling from across Canada and the US to attend and speak. They were supported by volunteers, who ensured that event registration and other details were handled smoothly. Kudos to Carl Anctil (@canctil), Keli Hay (@klhay), Norbert Griffin (@norbert_griffin), and Bryan Tice (@Blaidd) for their outstanding efforts.

The talks are the centre point of any great conference and BSides Ottawa was no different. With speakers like Rafal Los (@rafallos) of HP, Ben Tomhave (@falconsview) and many others, the crowd got their money’s worth!

One of the co-organizers, Andrew Hay, kicked off Friday morning with “My Life on the Information Security D-List”. In his humourous talk, Andrew pointed out that your personal brand is key to your success as a security professional. Thanks to the blogosphere, the Twitterverse, social networking and podcasting made easy, many security pros are taking on a much more public persona, becoming near-rock stars.

Pete Hillier later discussed the gaps in eHealth security assurance and drew attention to some of the current efficiencies that would make security and privacy easier for Doctors to enable in their practices.

HP’s Rafal Los left us with some particularly insightful thoughts based on his discussion “Into the Rabbithole: Evolved Web Application Security Testing”. He presented the concepts behind more intelligent web application security testing. Combining automation with human testing is the only way forward, and he and the audience were appreciative of the great discussion and questions as it progressed. From it we understand the inefficiencies of managing security “vulnerabilities”, which should really be considered security defects. Classifying them as such puts the real responsibility with the correct team: Quality Assurance!

Ben Tomhave gave a poignant talk entitled “The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform”. In a very articulate and well-structured presentation, his key points were:

• Narrow the Human Paradox Gap (HPG) – that is, connect peoples’ decisions and actions to the eventual impact.
• Model Success – we need to quit focusing on the negatives so much
• Culture Change – needs to start with introspection, needs to move away from an enablement culture to one of responsibility and accountability, but also one where failure (to a degree) is acceptable knowing that a) we cannot be 100% secure, and b) that creating conditions that allow people to succeed also means letting them fail. A big part of this is shifting the mindset toward a survivability mentality.
• Sensible & Automatic – if we’re asking people to make changes that won’t let them do their jobs, or that simply don’t make sense to them (partly due to the HPG), then we won’t be successful. People generally want to do the right thing, but they need to grok it.
• More Carrots – we need to get away from such a heavy negative focus, such as that brought on by assessments, scans, audits, etc. Failure is inevitable, and it’s not a bad thing… we learn some of our best lessons from failure… at the same time, if we praise successes, then we’ll achieve better results.
• Build Security In – very few people have security in their job description, and yet we complain that they don’t care… security should be an emergent property that permeates the entirety of an organization; not in a dominating manner, but akin to how we already take care of ourselves and our work (i.e. like reminding people to wash their hands regularly, obey driving laws, etc.).
• Sustainability – we need to advocate for changes and practices that are sustainable… if we’re simply adding onto what people are already doing, then we won’t achieve the desired outcome. Security should make things better, not worse.

Not to be outdone by Ben, Adrien De Beaupre then initiated an hour-long session on the marked need for “CERTs or CIRTs in Canada”. With several long-in-the-tooth Incident Response folks in the room and participation by Public Safety Canada, this quickly became the most contentious issue of Saturday. As Adrien points out, he “firmly believes that the Canadian InfoSec community deserves, desires, and requires a true National C*RT to be formed”. However, the devil is in the details, as the audience participants firmly attested. It is clear that the Canadian InfoSec community would like to be both consulted and involved in its formation. I will go one step further to suggest that it not be coordinated by the Government of Canada.

Keeping BSides events free is a lot of work and it cannot be done without the significant support of sponsors. BSides Ottawa was proud to be supported by 15 vendors, whose generosity was overwhelming. Tripwire, the BSides corporate advocate, ensured we had giveaways for everyone and even provided a MacBook Air as our key prize! Food and beverages were among the largest spends for the event and the majority of the sponsors supported this effort.

All in all, it was an outstanding show. The collaboration was palpable; people engaged more than any other conference I’ve attended and I guarantee there will be a repeat next year.
