In this post I would like to take a small break from my usual .NET Core related posts and talk about security. That’s because this week was quite a security-minded week for me. For example, on Tuesday I attended an internal security bootcamp at Info Support. Security is becoming increasingly important, so it’s also important to increase the awareness of security with everyone involved in software development.
But the bootcamp wasn’t the only security-related thing I did this week. I also attended a security conference in Utrecht, The Netherlands. The conference is called infosecurity and it was a free conference, so I didn’t expect much. But overall I was quite impressed with how well it was organized. While I usually attend developer conferences, this conference was obviously geared more towards decision makers (CIOs, etc.). This was also the 20th time the conference was held, although to be honest I had never heard of it before. In fact, it was my girlfriend who suggested we’d go to this conference and I probably wouldn’t have gone if it wasn’t for her. That being said, it was definitely not a waste of time.
As per usual the conference was made up of an area with stands from all kinds of companies, from big (like Dell EMC and Trend Micro) to much smaller local companies. Around that area there were a couple of small venues where the sessions were held. I mostly ignored the stands, because I was more interested in attending the sessions.
My first session turned out to be an inspirational session about how IoT can be used to improve sports such as cycling, running, horse riding and sailing. The company, Dimension Data, works together with large sports events such as the Tour de France and the Volvo Ocean Race. It was a very inspirational story about how a company that started out with a simple sensor, which it put on a bike, turned out to be an IT company where the sensor is only a really small part of the whole solution. However, the session wasn’t really about security, although it was briefly mentioned that security is especially important in these kinds of solutions, since if you ever have a breach of security your reputation is gone.
Next up was a session by Trend Micro which talked about security in the context of DevOps. This is more or less my terrain, so I was interested to see what they had to say. It started out alright with a brief introduction to DevOps and where we came from. But then it turned into a mostly marketing talk about their own product. While I appreciate the fact that this was a free conference, so companies have to sell their products at this conference to make it worth their while, I would have rather heard about some of the challenges you can face when trying to integrate security into your DevOps process.
For my third session I attended a talk by Dell EMC and SPIE that was about Smart (or Digital) cities. Again, this was not so much about security, but rather an inspirational talk about digital transformation for cities. I quite enjoyed the talk though, since it went through all of the challenges cities face as more and more people are moving into cities and how digital technology can help solve some of these problems and make cities livable and sustainable. They also showed some examples of the things they are doing together in this space, such as project Trekschuit 2.0, which is an autonomous boat that will eventually go through the canals in Delft to deliver packages. A very interesting and inspirational story.
After the third session I realized that I had left my jacket in the room of the first session, so I had to go back. Thankfully someone from staff had already picked it up and brought it to the lost & found. They even brought it back to me, which was great service, especially for a free conference. We also utilized this time to grab some lunch.
For the fourth session I attended a talk by HPE in which they explained how they utilized artificial intelligence in order to improve their support processes. Again, not so much security related, but it was an interesting approach nonetheless. This setup allowed them to fix an issue introduced in a firmware patch for their storage devices that impacted one customer, before it impacted other customers, since the AI could predict if that particular issue could also arise there.
The fifth session was about security by design and how security-related activities have to shift left as organizations are increasingly adopting DevOps. The speaker talked about a company that previously did releases once a year, but switched to a model where they were shipping every two weeks. However, they didn’t include the security aspects in this process, since the security officer said he couldn’t do everything he had to do within those two weeks. Obviously this means that we have to do security-related activities more often, but have to make them smaller. He also talked about how security by design also means that you have to think of security from a business perspective and that the user experience is an important piece of that as well.
Next up was a session about penetration testing, done by two speakers that do penetration testing for a living. This was a fun talk about some of the things they see in their roles and how they sometimes unintentionally break things or see things. They gave a lot of, obviously anonymous, examples, such as accidentally stumbling upon VoIP calls, or taking down the entire system at a hospital. Or backdoors that were installed by them as part of their penetration testing, which were then unknowingly copied to other environments. There were a lot of laughs during this session, but it was also kind of scary to see what can happen.
Finally I attended a session about choosing a cloud vendor. Interestingly this was a session from a company that was itself a cloud vendor, but unlike the other session I attended, this wasn’t so much a marketing story. Instead, the speaker talked about the trade-offs that have to be made and suggested focusing on the key characteristics of a cloud and how a potential vendor handles those things, rather than listening to trends.
Overall it was a nice conference and a lot bigger than I expected at first. Given the fact that it was a free conference, I was especially surprised by how well it was organized.
I ended the conference with a virtual reality flying simulator which was an interesting and exciting experience as well as an exhausting one. It had nothing to do with security of course, but it was fun nonetheless.