2015 BASC Homepage
This is the homepage for the 2015 Boston Application Security Conference (BASC). This free conference will take place on Saturday, October 3rd at Microsoft New England Research and Development Center (NERD). Note the location is different from last year.
The BASC will be a free, one day, informal conference, aimed at increasing awareness and knowledge of application security in the greater Boston area. While many of the presentations will cover state-of-the-art application security concepts, the BASC is intended to appeal to a wide-array of attendees. Application security professionals, professional software developers, software quality engineers, computer science students, and security software vendors should be able to come to the BASC, learn, and hopefully enjoy themselves at the same time.
"How I Teach Security"
Rob Cheyne, CEO, Big Brain Security, Executive Director, SOURCE Conference
Over the course of this work, I’ve noticed some interesting patterns across my body of students and clients.
Most organizations I have seen have at least one critical area of the business where basic information security best practices were not implemented where they should be. In many cases, this is because people are either not factoring an accurate representation of infosec risks into their planning & project life cycles, or they willfully ignore them.
The reason for this often boils down to one thing: the overall level of security awareness in most places is pretty low, even amongst developers, and even in organizations where you would think it should be a lot higher. Amongst business and management groups, it can be practically non-existent because security is still often assumed to be the purview of the security group, the infrastructure team, or the developers.
In such an environment, business requirements often take precedence over security requirements, even when the security requirements are truly protecting the best interests of the business.
I have seen that many people within a typical organization:
- have little to no understanding of the actual risks they face.
- have no idea how to balance rational security options against business requirements to mitigate those risks.
- think that security is somebody else’s job, and ignore it accordingly.
- believe that internal systems are somehow safe from attack.
- think that the data breach will never happen to them.
I have come to believe strongly that this is as much our failure to communicate and influence information security initiatives as it is the business' failure to understand. Given the shortage of infosec professionals in the marketplace, I believe the only way we can scale ourselves is to communicate what we know more effectively.
In short, we need to learn how to communicate what we know much, much better than we are doing today.
Security is arguably much more of a people problem than a technology problem, and the ability to communicate rational security wisdom to people outside of the “InfoSec echo chamber” is a highly underrated skill. There are many areas of security where we have solid best practices, but they aren’t followed because the people who need to hear the message the most simply never receive it.
Please join me in this frank & interactive discussion of what it means to communicate information security outside of our echo chamber, and discuss some specific strategies for doing so.
- Date: Saturday, October 3rd, 2015
- Location: NERD
- Directions: NERD's website or Google Maps
- InfoSec Communication Workshop
- LinkedIn Group
- Twitter: Follow @BASConf HashTag: #basc2015
- Sponsorship Kit
Admission to the BASC is free but registration is required for breakfast, lunch, and the evening social time. We will do everything possible to accommodate late registrants but the facility and food are limited. Online registration is now open and you are encouraged to register early.