I recently returned from the second iteration of the SOURCE Boston computer security conference, and I must say, it was both an intimate conference of less than 250 folks and a high-caliber gathering. As with other conferences that the Microsoft Security Response Center (MSRC) co-sponsors, we see these forums as opportunities that highlight relevant research and showcase how individual strategies can intersect to offer substantial benefits and positive-sum outcomes.
For those of you not familiar with SOURCE, the conference combines business technology and application security tracks over three jam-packed days of presentations from experts in the field. This was the first time that a Security Start-Up Showcase (for all of you VCs/Start up folks out there not taking this economy to heart ;), Discussion Groups, and a Product Education Track were added to the already buff line-up. The attendee make up was approximately 35 percent Security Professionals, 30 percent Executives (Chief Officers), 10 percent Independent Security Researchers, 10 percent Administrators, 10percent Press, and the remainders were Students/Other.
Although there were more talks that sparked my interest than I was able to attend, I did attend some very insightful tracks. One such talk that appealed to me was a panel called The Partial Disclosure Dilemma hosted by Ryan Naraine with SME’s like Dan Kaminsky, Ivan Arce, Katie Moussouris, Dino Dai Zovi, and Alexander Sotirov. For a deeper dive on this subject from the only vendor on the panel, check out Katie’s blog and hear her stress how, "We need more collaboration between those who say the sky is falling, and those upon whom the sky will fall." Throughout this two hour showdown it was apparent that sometimes finding a vulnerability and creating an update is only part of the picture. Often, there has to be a coordinated fix with other vendors and the solution has to then be deployed to protect critical infrastructure. While folks could agree to disagree on the bulk of disputed points, for the most part everyone believed that the industry has got to move forward trusting each other with a more productive and transparent process, whether it be through more peer review among researchers or other communicative and joint mediums. I got a moment of pleasure hearing David Mortman speak out from the audience to say, "I apply MS Patches right away because I know they are going to work and not break anything." W00t!
An earlier talk on How Microsoft Fixes Security Vulnerabilities: Everything you wanted to know about the MSRC Security Update Engineering Process painted a clear picture of the different ways we find variants and work on mitigations and workarounds as part of the Microsoft response process. This talk answered the fascinating question of, "How come some of your in-band updates take a long time, but sometimes you can produce an out-of-band update in a matter of days?" Dave Midturi, Jonathan Ness, and Mark Wodrich dove into some great case studies that showcased in-band updates versus out-of-band updates to answer that ever popular question. For those of you that missed it, I strongly suggest checking it out in the next couple weeks, once it is available on the con site, so you can see first-hand what goes into a Microsoft Security Update, and how out of some 200,000 non-spam e-mails that come in to email@example.com per year result in approximately 70 bulletins.
All in all, there was a broad range of topics covered that left me simultaneously scared, inspired and contemplative–and I think that sums up exactly what I’m looking for in a security con. And as an added bonus, the con was hosted harbor side in Beantown, not far from Mike’s Pastry cannoli and some good old fashion American history; tea anyone?
*Postings are provided "AS IS" with no warranties, and confers no rights.*