Believe it or not the title of this blog is actually taken verbatim from a reviewer comment on one of the proposals submitted for DevSecCon Boston. Being lucky enough to be on the review board I’ve been able to sift through the plethora of proposals for the upcoming event and let me tell you, there were some great submissions to choose from. So what themes did I notice? What talks would I attend if I could make it? What makes us go all Meg Ryan in a busy cafe? Here’s my DevSecCon Boston checklist:
1. Get Social
Conferences are a great place to network, make connections and be challenged/inspired. Before you go, reach out to your network, whether via Twitter (which is full of us infosec people listing all the reasons we drink/ love our jobs) or LinkedIn – share that you’re attending and find out who else is.
2. Choose a Talk That You Know Little/ Nothing About
You’ve got 2 whole days! Pick at least one talk that is on a subject that will challenge you. At Boston there are a couple of great talks and workshops on containers; now I know what containers are but I haven’t really dug into the open source tools available to help secure them or gotten my hands dirty. Michael Ducy’s workshop on day one (Securing the container runtime environment) and Eric Ernst’s talk on day two (Kata Containers: A Painless way to secure your containers) are both sessions that would get me out of my comfort zone and into my learning space (I’m best when I’m a little stressed).
3. Defeat That Imposter Syndrome/ Share a Rage Quit Moment
Now you might already be super confident and a leader of some fancy next generation cyber world, but just in case you are (like me) occasionally stumped for longer than you’d like to admit because of a rogue tab in Python, pick one talk that gets you nodding and saying ‘I totally get that/ been there’. At the end of day one, right before those much-needed networking drinks, Sarah Young is talking on ‘My rage quit journey: configuring Netflix tools’; go to this talk and during the drinks after look out for those early in their career and share a moment you’ve rage quit, moved on and done better next time. You’ll all be better for it and the beer will help.
4. Look for Actionable Intel
Do some research, look through the available talks/ workshops and pick a session that is applicable to a problem/topic you’re addressing right now. It might be that the speaker gives a fresh perspective, challenges an assumption you have or introduces an open source tool you weren’t familiar with, or it might be that they become a contact you didn’t have before. The submissions that make me say yes when reviewing talks/workshops are those that I feel will give an attendee an immediate, actionable takeaway. There are a couple of sessions like this, but one of my standouts is ‘Building a practical DevSecOps pipeline for free’ from Jeff Williams on day two.
4. Threat Modeling
IMHO this is actionable intel but it also deserves its own point so I’ve compromised (with myself?) and it has its own section. I am biased, since I currently work in the threat modeling domain, but this is a topic you should definitely go and learn about. Whether you consider yourself an expert or it’s a new term, go listen to some case studies, to a different point of view, and to someone who literally wrote the book on it. Adam Shostack has the keynote on day 2, ‘A seat at the table’, and I’m also pretty excited about ‘Busted computing: analyzing the console gaming threat model’ from Conor Walsh on day 1.
And there we have it! I’ve tried not to list every single talk and workshop on the lineup but it’s been so very hard. I shall leave you with one final tip.
5. Don’t Forget About Hall-con
Make time and space to network in between sessions, reach out to attendees that are working on something different to you and/or are at a different level. If you meet someone new take time to introduce them to one other person at the conference. Some of my favourite moments from conferences are the mini meet ups that happen in the breaks, where people share ideas and work – just make sure you invite someone new into the fold. Expand your horizons, you never know who you’re going to meet/ what you’re going to learn.
Have a great time at DevSecCon Boston and I’ll see you later in the year!
About Tash Norris
During the day Tash is Head of Product Security for Moonpig, working on all things CloudSec and AppSec related, with a particular fondness for Threat Modelling. Outside of work Tash is one of the co-leads for OWASP Women in AppSec London, and an OWASP project contributor. Tash is also a frequent speaker on blue teaming and threat modelling, a quantum computing nerd and is currently working on a project utilising threat modelling to help target resources against poachers to protect game reserves.