Where the money is

Alex Gantman
Aug 4, 2017


Last week was BlackHat. It was great to catch up with old friends, to make new connections, to learn, to think. As usual, I found the experience valuable.

Nonetheless, I could not shake the feeling that I did not belong: that while I am welcome to ride along, I was not the target demographic. BlackHat, like all large infosec conferences, targets the IT security crowd. And I caught myself lamenting the lack of a large conference dedicated to product security.

I saw dozens of product security engineers (that I personally knew) in attendance. Many (most?) of the talks focused on product security issues. And yet, conference messaging and marketing was targeted overwhelmingly at IT.

After reflecting on this for a bit, I concluded that the answer lies on the vendor floor. Vendors at security conferences cater almost exclusively to IT security. And the reason for it is simple. IT spends. But there’s not much to sell to product security. We use some bug-hunting tools, but that’s about it.

The irony in all of this is that selling tools to deal with operating insecure products is much more lucrative than selling tools for making these products secure in the first place.

Don’t get me wrong, I like IT. Some of my best friends work in IT. But sometimes, I just want to belong.

PS The BSIMM conference is devoted to product security, but it is on a smaller scale.

PPS In the past, Microsoft organized a Secure Development Conference, but it only lasted a couple of years.

Alex Gantman

Security defense. No wires. Disclaimers: Work at $QCOM. Opinions are mine. https://twitter.com/againsthimself