Is Anybody Listening? - Following the White Rabbit Blog
Is Anybody Listening?

Greetings, I am finally back home after an exhausting trip which had me speaking at 2 conferences back-to-back in separate countries and on opposite coasts!  I did learn some valuable lessons from speaking at these two wildly different conferences though, so I thought I would share them with you here for your benefit too.

First off, the Information Security conference I attended on Tuesday in Toronto called "SecTor" was brilliantly run and targeted towards Canadian-based information security professionals and wanna-be security professionals.  It's OK to say it, there are plenty of people that attend these conferences who are looking to break into the business and want to learn about information security enough to get a grounding of what the industry is about... so they attend these conferences.  My talk "When Web 2.0 Attacks" was well-attended and I even had some big names in my audience (thanks to RSnake, Hoff and a few others that wandered in and out) and I think the overall impression was that the stuff I presented was relevant to people's daily lives in Information Security.  That's kind of the problem though...

You see, while I ordinarily wouldn't think twice about educating those in my field ... someone that's been doing this for a while longer than I reminded me a while back that this is what we would call "preaching to the choir".  Sure, I tend to agree that even within Information Security not enough people understand Web App Sec well enough to build a program and actually reduce any real risks - but those folks have been hearing this talk for years upon years, right?  At some point I'm bound to hit the law of diminishing returns; and furthermore, people who didn't agree with me 6 months ago aren't likely to agree with me today.  Great conference, great mind-share, but it's definitely time to reach a broader audience.

That's where the next conference I spoke at comes in.  Wednesday morning, at 4:00am Central time (yea, AM) while some of my colleagues were stumbling into their hotel rooms in downtown Toronto I was hopping into a car and being driven to the airport to head out west.  My destination was Anaheim, CA where I would speak at StarWest later that day.  I'm still not sure how, through the delayed flight, sickness, and almost-missed connection, I made it out to the West Coast by 2pm, but I did... and StarWest was awesome.

StarWest (run by the SQE folks, www.SQE.com) is nicely put together and serves an entirely new audience of people.  Here at StarWest (although I did find it strange that we were in the heart of Disneyland!) the audience was almost entirely composed of software test engineers, managers and those related to the field.  This was a completely different set of ears than what I'm used to ... this was a good thing.

The first thing I heard when I put my welcome slide up was "Hey, isn't security supposed to be done by the security people?"  Love it.  This is exactly the mentality and walls I was there to break down.  I think as we went through the hour-long session on "Detective Work for Testers..." I managed to convince a few people in the audience that their jobs were closely tied to mine in Information Security.  Maybe, maybe not.  The bottom line is that there were many great folks who came up to me and talked afterwards and through the end of the conference about the absolutely missing component in their SDL that was security.  I had one lady in the audience (although she fled before I could get more out of her, and had to track her down myself later on the show floor) tell me that her security team is the developers and that because they tell the bosses that they don't have security issues no one ever tests the code.  I wish I could recall where she worked, hopefully no place important like a bank or anything ...

The point is - this was the right audience.  If you were there and came to my talk, awesome!  If you missed it, slides are posted and we can talk about it whenever you have some time.

Do you believe that Information Security and Software Quality testing are one and the same?  Do you believe that a quality defect may as well be a security defect?  Can you successfully explain the difference between a security and a quality bug?

... I'm fairly sure I have my target audience for the next foreseeable future.  Listen up quality testers - I'm coming to a conference near you!

Posted 10-15-2009 4:22 PM by RafalLos