OSCON 2006: Where’s the Security?


Energizing the Industry

OSCON 2006 was a lot of fun for a lot of reasons, and was overall a very positive experience.  There were a few things that bugged me, though.

I met a lot of cool people at OSCON.  There are too many folks to list here without either getting really boring or forgetting someone, but I was happy to put a lot of faces to names and exchange ideas with some Very Smart People.  The PHP Security Hoedown BOF that I moderated was especially good in that respect, I thought.  There were also a lot of good sessions, especially Theo Schlossnagle’s Big Bad PostgreSQL: A Case Study, Chris Shiflett’s PHP Security Testing, and the PHP Lightning Talks (“PHP-Nuke is a honeypot” - thank you for the best quote of the convention, Zak Greant).

On the other hand, I was very surprised that the Security track at OSCON was almost nonexistent.  There were four sessions and one tutorial, and for a 5-day event with lots of sessions going on at the same time, that seems like a really poor showing.  The only other tracks that had security-related sessions were:

  • Linux (including one shared with the Security track)
  • PHP

which leaves us with the following tracks with no security-oriented sessions:

  • Business
  • Databases
  • Desktop Apps
  • Emerging Topics
  • Java
  • JavaScript/Ajax
  • Perl
  • Products and Services
  • Programming
  • Python
  • Ruby
  • Web Apps
  • Windows

I can certainly think of a few pertinent security topics for each of these tracks.  I’m not affiliated with O’Reilly, and I have no idea whether the OSCON planners just didn’t get very many security-related proposals, or they felt that attendees wouldn’t be interested in them.  Either way, it’s worrisome.

Security is an essential part of any kind of development: as fundamental as interface design or performance.  Developers are stewards of the data of their users, and if we don’t take that responsibility seriously, all our sweet gradient backgrounds and performance optimizations are pointless.  So to see, for one reason or another, security relegated to steerage at OSCON was disappointing.  I hope O’Reilly works hard to correct this next year, and I’m going to encourage other CERIAS folk like Pascal Meunier and Keith Watson to send in proposals for 2007.


Posted by Andrew Plimmer
on Friday, January 4, 2008 at 07:12 PM

I can’t even imagine that a large and reputed convention like OSCON can ignore security tracks for several sessions while it constitutes an integral part of any kind of development: as fundamental as interface design or performance.
