7

Not sure if this question is too broad; if it is, please let me know, and we could probably turn it into a wiki. I'm posting this as a reference for other users.

What would you say are the best security conferences to attend, and for what reasons? I know DEFCON is considered the most popular US con, but that doesn't necessarily make it the most viable. I'm not only looking for lists of cons, I'm also looking for posts that reflect personal experiences. For example, I'm attending th0tcon this year, which is a relatively underground Chicago con that will most likely have a lot of cutting-edge exploits from industry experts (probably due to its anonymous vibe; the location hasn't even been announced yet). To sum up, what cons would you recommend for what specific security areas and why?

Scott Pack
mrnap
  • 3
    From the FAQ: To prevent your question from being flagged and possibly removed, avoid asking subjective questions where … every answer is equally valid: “What’s your favorite ______?”; your answer is provided along with the question, and you expect more answers: “I use ______ for ______, what do you use?” –  Mar 03 '11 at 07:14
  • @Graham Lee I see what you're saying, but I think the line of "What cons would you recommend for what specific security areas and why?" gives posters a chance to provide evidence for their answers. Also, I left it open to many areas, and I was only giving one example of my own in one area for reference, it's not the same as "I use th0tcon for exploit con, what do you use for exploit con?". More like "I use th0tcon for exploits, what cons do you use for what other areas and why?". Subtle, but still a difference I think, thoughts? – mrnap Mar 04 '11 at 04:10
  • 4
    Looking at the current answers, they're just lists of conferences that people like. Useful information, I'm sure we both agree on that, but it's not the sort of thing Stack Exchange was designed for. –  Mar 04 '11 at 12:49
  • This would probably be better if it was a community wiki – Josh Brower Mar 05 '11 at 18:05
  • Best, for what purposes? Depending upon who you are and what you want to get out of the conference, the answer is going to vary tremendously. I don't think this is a well-posed question. – D.W. Apr 05 '11 at 05:45

5 Answers

5

In terms of academic conferences, the top conferences are:

  • IEEE Symposium on Security and Privacy
  • USENIX Security Symposium
  • ACM Conference on Computer and Communications Security (CCS)
  • Network & Distributed System Security Conference (NDSS)

For cryptography, there are other conferences (CRYPTO, EUROCRYPT, PKC, etc.).

Microsoft Academic has a pretty good ranking based on citations and other metrics:

http://academic.research.microsoft.com/RankList?entitytype=3&domainID=2&last=0&start=1&end=100

(There are interesting changes to the ranking if you compare "All Years" to "Last 5 Years")

PulpSpy
4

I think this one will end up being way too subjective, and quite possibly too location-dependent. However, I'll add a small amount of info, as I think some broad categories can be useful:

Blackhat/RSA/Infosec and similar corporate conferences have their place. I wouldn't put them at the top of the list for security practitioners to go to, but in terms of general industry trends, networking, seeing who is moving into what product space, etc., they can be very useful for security management to take board members along to. The messages will be in simple corporate speech.

Defcon/BSides/Brucon etc. are much more for the practitioner, so they are a good learning experience for technical team members, with the downside that often any messages imparted will require significant translation before being presented to boards etc. for budget approval. This type of con is also very useful from the networking perspective at the practitioner level.

Which ones you will get most value from will depend on what you do in your organisation, your internal structure, your industry and who your clients are.

Again, my answer is subjective, but it has been developed from years of experience in what I have found valuable. YMMV.

Rory Alsop
1
  • DEFCON -- amazing, fun, full of alcohol.
  • Chaos Computer Club in Berlin. A different crowd will bring different information.
  • ShmooCon -- Like DEFCON, but "minus 7,000 assholes." Harder to get into with limited ticket availability. More openly social.
  • Your local group. If you don't have one, start one. DEFCON has a very unofficial (shocking!) framework of local groups named after area codes. DC 206 is a great group, and DC 207 started a few months ago. I've been to both, though they're on opposite coasts...

Also, I find Twitter generally useless with few exceptions, and one of those exceptions is following a few security folks' streams. You'll get some good ideas of what they went to that was helpful or useless.

Jeff Ferland
0

I don't like security conferences. Try out a nearby OWASP local chapter meeting instead. Or get involved at a nearby hackerspace.

atdre